Open Investigator · Linux host investigation

Turn Linux host evidence into an AI-assisted incident report.

For Linux servers, Open Investigator can correlate auth logs, users, processes, network connections, services, cron, systemd, packages, containers, recent files, and shell history into one local case.

Apache-2.0 · Read-only tools · AI evidence reasoning
AI-driven server investigator: incident clues, host evidence, AI follow-up, timeline, and investigation report.

Search intent

For searches like Linux host investigation tool, Linux incident response CLI, suspicious Linux server triage, and AI Linux DFIR.

How it works

Instead of asking an operator to manually copy disconnected command output into a chat, Open Investigator records structured observations, lets AI choose the next bounded check, and generates reports tied back to evidence IDs.

Investigation boundary

Open Investigator collects and correlates evidence. It does not isolate hosts, block IPs, kill processes, delete files, disable accounts, restart services, or change firewall or registry state.

Practical workflow

Use it as a first-pass host investigation loop.

01

Authentication and accounts

Review successful and failed logins, source IPs, privileged users, sudo indicators, SSH keys, and account context.

02

Runtime and persistence

Inspect command lines, parent processes, listeners, outbound connections, cron, systemd units, timers, services, and startup behavior.

03

Packages, containers, and files

Check package inventory, suspicious tooling, Docker/CRI/Kubernetes local state, recent files, and shell history.
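As an added illustration, not Open Investigator's own code, the following shows how step 01's auth-log evidence can be recorded as structured observations with evidence IDs and then correlated into findings that cite those IDs, which is the evidence-linked reporting described under "How it works". The log lines, the log year, the 7-day window and the EV-nnnn identifier format are constructed assumptions.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta
# Constructed sample lines in /var/log/auth.log syslog style (not captured from a real host).
SAMPLE_AUTH_LOG = """\
Feb 01 08:00:00 web1 sshd[1001]: Accepted publickey for ops from 198.51.100.4 port 40000 ssh2
Mar 03 09:12:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 03 09:12:05 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 03 09:12:09 web1 sshd[2210]: Accepted password for deploy from 203.0.113.7 port 51030 ssh2
Mar 03 09:13:40 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""
TS = r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ "
SSH_RE = re.compile(TS + r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(TS + r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
# One structured observation: evidence_id is the handle a report cites (assumed EV-0001, ...);
# source is the client IP for SSH events and the target account for sudo events.
Observation = namedtuple("Observation", "evidence_id when kind user source raw")

def parse_auth_log(text, year, now, window_days):
    """Raw auth-log lines -> observations inside the lookback window (the `-s 7d` idea)."""
    cutoff, obs = now - timedelta(days=window_days), []
    for m in filter(None, (SSH_RE.match(ln) or SUDO_RE.match(ln) for ln in text.splitlines())):
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
        if when < cutoff:
            continue  # outside the window: not collected, so a report cannot cite it
        if "cmd" in m.groupdict():
            kind, source = "sudo", m["target"]
        else:
            kind, source = "ssh_" + m["result"].lower(), m["ip"]
        obs.append(Observation(f"EV-{len(obs) + 1:04d}", when, kind, m["user"], source, m.string))
    return obs

def correlate(obs):
    """Findings as (summary, [cited evidence IDs]), walking observations in log order: a success
    from a source that had just been failing, then sudo-to-root by the account that got in."""
    findings, failed_by_ip, flagged_users = [], {}, set()
    for o in obs:
        if o.kind == "ssh_failed":
            failed_by_ip.setdefault(o.source, []).append(o.evidence_id)
        elif o.kind == "ssh_accepted" and o.source in failed_by_ip:
            prior = failed_by_ip[o.source]
            findings.append((f"{len(prior)} failures then success for {o.user} from {o.source}", prior + [o.evidence_id]))
            flagged_users.add(o.user)
        elif o.kind == "sudo" and o.user in flagged_users and o.source == "root":
            findings.append((f"{o.user} ran sudo as root after a flagged login", [o.evidence_id]))
    return findings

def run_sample():
    """Assumes the log year is 2024 and 'now' is 2024-03-04, so the Feb 01 line falls outside 7d."""
    obs = parse_auth_log(SAMPLE_AUTH_LOG, 2024, datetime(2024, 3, 4), 7)
    return obs, correlate(obs)
```

Every finding carries the IDs of the observations behind it, so a reviewer can check each claim in the report against the raw line it came from.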

Common searches

Queries this page answers.

For the searches Linux host investigation tool, Linux incident response CLI, suspicious Linux server triage, and AI Linux DFIR, Open Investigator maps the intent to local, read-only host evidence and a reviewable incident report.

Run a Linux first pass with oi scan -s 7d and review the generated report.md.

The source, usage examples, contribution notes, and issue tracker live in the public Open Investigator repository.