Live Investigations perform the investigation on the current system state. Live Investigations can be configured to run at specific periods, and also support a wider set of criteria through the use of OpenIOC and YARA rules.
Only available for Security Agents installed on Windows platforms.
Live Investigations support the following criteria:
- OpenIOC rules: Use OpenIOC rules to scan all files currently on the disk.
  Note: After selection, Endpoint Sensor displays a preview of the OpenIOC file. Review the preview to verify that the OpenIOC file contains supported indicators and conditions. Unsupported combinations are formatted with a strike-through and are ignored during the investigation.
  For more information, see Supported IOC Indicators for Live Investigations.
- YARA rules: Use YARA rules to scan all processes currently running in memory.
  Note: Root Cause Analysis results are only available for YARA rules.
  Because Live Investigations run on the current system state, some files and registry entries may be locked or in use during this period. Root Cause Analysis results are not available for investigations using OpenIOC rules or registry search. To generate a Root Cause Analysis using OpenIOC rules or registry data, use Historical Investigation.
  For more information, see Historical Investigations.
- Search registry: Specify registry keys, names and data to match on the target endpoints.
  Note: Investigations are performed only on registry values under the following root keys:
  - HKEY_CURRENT_USER
  - HKEY_CLASSES_ROOT
  - HKEY_LOCAL_MACHINE
  - HKEY_USERS
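The two checks below are an added example, not code from the Endpoint Sensor product or its documentation. They show, offline, what an analyst can verify before submitting criteria: a preview of an OpenIOC 1.0 file that flags (search term, condition) pairs outside an allow-list as ignored, mirroring the console preview described above, and a normalizer that rejects registry search paths not under the four root keys listed. The allow-list SUPPORTED_PAIRS and the sample IOC are constructed placeholders (the product's real list is on the Supported IOC Indicators page), and accepting short hive names such as HKLM or a "Computer\" prefix pasted from regedit is this helper's own assumption, not documented product behaviour.

```python
# Added example (not from the Endpoint Sensor documentation): offline
# pre-submission checks for Live Investigation criteria.
#  1. preview_openioc() walks an OpenIOC 1.0 Indicator/IndicatorItem tree and
#     marks (search, condition) pairs absent from an allow-list as ignored.
#  2. normalize_registry_key() checks that a registry search path sits under
#     one of the four root keys the page lists.
# ASSUMPTIONS: SUPPORTED_PAIRS is a constructed placeholder, not the product's
# real list; short hive names and a "Computer\" prefix are accepted purely as
# a convenience of this helper.
import xml.etree.ElementTree as ET

IOC_NS = "{http://schemas.mandiant.com/2010/ioc}"

# Constructed sample OpenIOC 1.0 document; hash, name and IP are not real IoCs.
SAMPLE_IOC = """<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="sample-0001"
     last-modified="2024-01-01T00:00:00">
  <short_description>Constructed sample</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem id="item-2" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">sample.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="item-3" condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">192.0.2.1</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed allow-list of (search term, condition) pairs; placeholder only.
SUPPORTED_PAIRS = {
    ("FileItem/Md5sum", "is"),
    ("FileItem/FileName", "is"),
    ("FileItem/FileName", "contains"),
}


def _walk(indicator, supported, depth):
    """Flatten an Indicator subtree into (depth, text, is_supported) rows."""
    rows = [(depth, indicator.get("operator", "OR"), True)]
    for child in indicator:
        tag = child.tag.replace(IOC_NS, "")
        if tag == "Indicator":
            rows.extend(_walk(child, supported, depth + 1))
        elif tag == "IndicatorItem":
            search = child.find(IOC_NS + "Context").get("search", "")
            condition = child.get("condition", "")
            value = (child.findtext(IOC_NS + "Content") or "").strip()
            rows.append((depth + 1, f"{search} {condition} {value}",
                         (search, condition) in supported))
    return rows


def preview_openioc(xml_text, supported=SUPPORTED_PAIRS):
    """Return (preview lines, number of unsupported items that would be ignored)."""
    root = ET.fromstring(xml_text)
    top = root.find(IOC_NS + "definition").find(IOC_NS + "Indicator")
    lines = ["# " + (root.findtext(IOC_NS + "short_description") or "")]
    ignored = 0
    for depth, text, ok in _walk(top, supported, 0):
        lines.append("  " * depth + text + ("" if ok else "  [unsupported: ignored]"))
        ignored += 0 if ok else 1
    return lines, ignored


# The four root keys named on the page; anything else is rejected.
SUPPORTED_ROOT_KEYS = ("HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
                       "HKEY_LOCAL_MACHINE", "HKEY_USERS")
# Short forms accepted by this helper (assumption, see header comment).
HIVE_ABBREVIATIONS = {"HKCU": "HKEY_CURRENT_USER", "HKCR": "HKEY_CLASSES_ROOT",
                      "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}


def normalize_registry_key(path):
    """Return (root_key, subkey) in long form; raise ValueError when the root
    key is not one the investigation searches."""
    p = path.strip().replace("/", "\\").strip("\\")
    if p.upper().startswith("COMPUTER\\"):      # prefix copied from regedit
        p = p.split("\\", 1)[1]
    root, _, subkey = p.partition("\\")
    root = HIVE_ABBREVIATIONS.get(root.upper(), root.upper())
    if root not in SUPPORTED_ROOT_KEYS:
        raise ValueError(f"root key not searched by Live Investigation: {root}")
    return root, subkey.strip("\\")


if __name__ == "__main__":
    for line in preview_openioc(SAMPLE_IOC)[0]:
        print(line)
    print(normalize_registry_key(r"Computer\HKLM\SOFTWARE\Example\Run"))
```

Running the block prints the indicator tree with the PortItem entry marked as ignored, which is the same information the console's strike-through conveys, and shows the regedit-style path normalised to its long-form root key; a path under HKEY_CURRENT_CONFIG raises ValueError instead of silently producing no matches.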
Administrators can specify the type of Live Investigation to run:
- A one-time investigation runs only once. The investigation runs immediately after creation.
  For more information, see Starting a One-time Investigation.
- A scheduled investigation can be configured to run automatically at specific intervals.
  For more information, see Starting a Scheduled Investigation.
Live Investigations take some time to complete.