The Root Cause Analysis is an investigation tool that displays the sequence of events leading to the execution of the matched object.

If an assessment returns a match, administrators may generate a Root Cause Analysis to:

  • List all objects related to the specified criteria

  • Identify if any of the related objects are noteworthy

  • Review the sequence of events leading to the execution of the matched object.

Generating a Root Cause Analysis may take some time to complete.

  1. Perform a Historical Investigation.

    On the results pane, review the results that appear.

    For more information, see Using User-defined Criteria for Historical Investigations.

  2. Identify and select one or more endpoints, and click Generate Root Cause Analysis.
  3. Specify a name for the new Root Cause Analysis task.
  4. Review the criteria displayed.
    • For assessments using user-defined criteria, generating a Root Cause Analysis combines multiple criteria using either the AND or OR operator.

    • For assessments using an OpenIOC file, generating a Root Cause Analysis uses the indicators in the current OpenIOC file as criteria.

  5. Review the target endpoints.
    Note:

    To remove endpoints from the list, click the delete icon.

  6. Specify a period.

    By default, the analysis is performed on all logged dates.

  7. Click Generate.
  8. Go to the Root Cause Analysis Results tab to monitor the progress of the analysis.

    Generating a Root Cause Analysis may take some time to complete.

    For more information, see Root Cause Analysis Results.

  9. After the task completes, click the task name.
    Note:

    The task name is not displayed as a link if Endpoint Sensor is unable to generate a Root Cause Analysis, which may be due to one of the following reasons:

    • The target endpoint has insufficient data.

      Verify that the data has not been purged. If the agent database reaches the maximum database size limit, Endpoint Sensor purges the oldest logs to make space for new event entries. To avoid this issue, specify a larger agent database size.

    • The investigation was unable to find an object that matches all of the conditions specified in the OpenIOC file.

      Assessments ignore all conditions in the OpenIOC file to return the initial results. However, a Root Cause Analysis task adds the conditions back as additional criteria for the investigation. As a result, the Root Cause Analysis task may be unable to generate results that match both the OpenIOC criteria and its conditions.

  10. Review the results.
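The following is an added illustration, not Endpoint Sensor code, of the two behaviours described above: step 4 (criteria combined with an AND or OR operator) and the note in step 9 (an assessment ignores indicator conditions, while the Root Cause Analysis enforces them and can therefore return nothing). The indicator items, event field names and event records are all constructed for the example; the "assessment ignores conditions" logic is modelled as a plain value match and is an assumption about the product's behaviour.

```python
from dataclasses import dataclass

@dataclass
class IndicatorItem:
    field: str      # event attribute the indicator inspects (hypothetical names)
    condition: str  # OpenIOC-style condition on the value: "is" or "contains"
    value: str

# Constructed OpenIOC-style criteria: two indicator items under one operator.
IOC = {"operator": "AND", "items": [
    IndicatorItem("file_name", "is", "update.exe"),
    IndicatorItem("cmdline", "contains", "-silent"),
]}
# Same shape, but its second item's condition cannot hold on any event below.
STRICT_IOC = {"operator": "AND", "items": [
    IndicatorItem("file_name", "is", "update.exe"),
    IndicatorItem("cmdline", "contains", "/quiet"),
]}

# Constructed endpoint events (not real agent data).
EVENTS = [
    {"id": 1, "file_name": "update.exe", "cmdline": "update.exe -silent"},
    {"id": 2, "file_name": "update.exe.bak", "cmdline": "copy update.exe.bak"},
    {"id": 3, "file_name": "setup.exe", "cmdline": "setup.exe -silent"},
]

def value_seen(event, item):
    """Assessment-style match: indicator value appears in the field; condition ignored."""
    return item.value in str(event.get(item.field, ""))

def condition_holds(event, item):
    """RCA-style match: the item's own condition is enforced."""
    actual = str(event.get(item.field, ""))
    if item.condition == "is":
        return actual == item.value
    if item.condition == "contains":
        return item.value in actual
    raise ValueError(f"unsupported condition: {item.condition}")

def assessment_matches(ioc, events):
    """Initial results: any event in which any indicator value is seen."""
    return [e["id"] for e in events if any(value_seen(e, i) for i in ioc["items"])]

def rca_matches(ioc, events):
    """RCA: every condition enforced, then combined with the IOC's AND/OR operator."""
    combine = all if ioc["operator"] == "AND" else any
    return [e["id"] for e in events
            if combine(condition_holds(e, i) for i in ioc["items"])]
```

With `STRICT_IOC` the assessment still returns events 1 and 2, but the Root Cause Analysis returns an empty list, which is the situation in which the task name is not shown as a link.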