Metadata refers to data collected from the endpoint and uploaded to the server. Endpoint Sensor utilizes the data during a Historical Investigation to identify affected endpoints.

For details, see Historical Investigations.

The type of metadata collected depends on the operating system installed on the endpoint.

Table 1. Metadata by Operating System

Operating System: Windows

Metadata:

  • Host (name / IP address)
  • Registry key
  • User account
  • Registry data
  • File name
  • Registry name
  • File path
  • Command line
  • Hash values (SHA-1, SHA-256 and MD5)
  • URL

Operating System: macOS

Metadata:

  • Host (name / IP address)
  • File path
  • User account
  • Hash values (SHA-1, SHA-256 and MD5)
  • File name
  • Command line
  • URL

 
Note:
  • URL collection only applies to process callback events and only supports the HTTP protocol.

  • Use the Policy Management screen to configure metadata settings.

  • The data available during Historical Investigations is a subset of Security Agent data and only includes information about high-risk file types. If an assessment returns no results, you may want to perform a Live Investigation.