Use Threat Investigation to locate suspicious objects in the network.
Threat Investigations can correlate information from Endpoint Sensor and Active Directory to display attack information about endpoints and user accounts throughout your network.
If the network is the target of an ongoing attack or an APT, a threat investigation can:
-
Assess the extent of damage caused by the targeted attack
-
Provide information on the arrival and progression of the attack
-
Aid in planning an effective security incident response
The following types of threat investigation are available:
-
Historical Investigations can quickly identify endpoints which are possible candidates for further analysis. A Historical Investigation uses server metadata to quickly return results.
For more information, see Historical Investigations.
-
Live Investigations perform the investigation on the current system state. Live Investigations can be configured to run at specific periods, and also support a wider set of criteria through the use of OpenIOC and YARA rules.
For more information, see Live Investigations.