Views:
Note:

To perform an investigation on the current system state, use Live Investigation.

For more information, see Starting a One-time Investigation.

  1. Go to Response > Historical Investigation.
  2. Click User-defined.
  3. Select one of the following options:

    • Match ALL criteria: Find objects matching all of the criteria specified

    • Match ANY criteria: Find objects matching any of the criteria specified

  4. Click New criteria, select a criteria type, and specify valid information.

    For details, see Supported Formats for User-defined Criteria.

    To manage the criteria:

    • Click Reset to clear all specified criteria.

    • To save the criteria for future investigations, click and specify a criteria name.

    Note:

    Historical Investigations support a maximum of 10 saved user-defined criteria.

  5. (Optional) To load existing user-defined criteria, click Select criteria.
    1. Click Yes.
      Note:

      Applying existing criteria overwrites any criteria currently specified.

    2. Go to the Saved Criteria tab.
    3. Select criteria.

      To manage the criteria:

      • Sort the criteria using the Last Used column.

      • Delete saved criteria using the Delete icon.

    4. Click Add Saved Criteria.
  6. (Optional) To load C&C callback events, click Select Criteria.
    1. Click Yes.
      Note:

      Applying existing criteria overwrites any criteria currently specified.

    2. Go to the C&C Callback Events tab.
    3. Select a criteria.

      Click Period to filter the C&C callback events by the specified time.

    4. Click Load C&C Callback Events.
      Note:

      The Log Query screen provides additional details about C&C callback events in case you need to review them before selection. To go to the Log Query screen, navigate to Detections > Logs > Log Query, and then filter by Network Events > C&C Callback.

  7. Click Assess.
  8. On the results pane, review the results that appear.
    Note:

    • Allow some time for the Historical Investigation to run. The investigation appends more rows to the results table as soon as matching objects are found in the metadata. It may take a few minutes for the investigation to complete.

    • The data available during Historical Investigations is a subset of Security Agent data and only includes information about high risk file types. If an assessment returns no results, you may want to perform a Live Investigation.

    The following details are available:

    Column Name

    Description

    Endpoint

    Name of the endpoint containing the matching object

    Click to view more details about the endpoint.

    Status

    Current connection status of the endpoint

    IP Address

    IP address of the endpoint containing the matching object

    The IP address is assigned by the network

    Operating System

    Operating system used by the endpoint

    User

    User name of the user logged in when the Security Agent first logged the matched object

    Click the user name to view more details about the user.

    Managing Server

    Server that manages the affected endpoint

    First Seen

    Date and time when the Security Agent first logged the matched object

    Details

    Click the icon to open the Match Details screen.

    The Match Details screen displays the following details:

    • Criteria: Criteria used in the assessment

    • First Seen: Date and time when the Security Agent first logged the matched object

    • CLI/Registry Occurrences: Number of matches found in command line or registry entries

      Click the value to show more details.

    • Rating: Rating assigned by Trend Micro intelligence

      You can further examine objects with "Malicious" ratings in Threat Connect or VirusTotal.

    • Affected Endpoints: If the rating is malicious, the number of endpoints where a similar match was found

      The count only includes endpoints affected within the last 90 days.

    Asterisk (*)

    Indicates an endpoint tagged as Important
  9. Identify and select one or more endpoints that require further action.
    Note:

    The Historical Investigation results may include macOS endpoints. Since there are no actions available for macOS endpoints, the check boxes for these endpoints are disabled.

    Action

    Description

    Generate Root Cause Analysis

    Generates a Root Cause Analysis to review the sequence of events leading to the execution of the matched object.

    For details, see Starting a Root Cause Analysis from an Assessment.

    Start Live Investigation

    Runs a new investigation with the same criteria on the current system state.

    Important:

    Only available for Security Agents installed on Windows platforms.

    The Live Investigation screen appears and initiates a new one-time investigation using the existing criteria.

    For assessments using user-defined criteria, Live Investigation uses only the selected endpoints as criteria

    For details, see Starting a One-time Investigation.

    Isolate Endpoints

    Disconnects the selected endpoints from the network.

    Important:

    Only available for Security Agents installed on Windows platforms.

    After resolving the security threats on an isolated endpoint, the following locations on the Directories > Users/Endpoints screen provides options to restore the network connection of an isolated endpoint:

    • Endpoints > All: Click the name of an endpoint in the table, and click Task > Restore on the screen that appears.

    • Endpoints > Filters > Network Connection > Isolated: Select the endpoint row in the table, and click Task > Restore Network Connection.
Parent topic: Historical Investigations