Historical Investigations can quickly identify endpoints that are possible candidates for further analysis. A Historical Investigation uses server metadata to return results quickly.
To access this screen, go to Response > Historical Investigation.
The Historical Investigation screen has two tabs, described below.

Assessment tab
Use an assessment to perform the following:
  • Evaluate the prevalence of a threat and how long the threat has been in the network. The assessment goes through all historical data.
  • Determine whether a threat exists using simple criteria. Assessments support only a limited set of criteria.
An assessment supports the following criteria types:
The assessment goes through the server metadata and updates the result pane as soon as it finds a match. It may take a few minutes to go through the server metadata completely.
Root Cause Analysis Results tab
If an assessment returns a match, administrators may generate a Root Cause Analysis to:
  • List all objects related to the specified criteria.
  • Identify whether any of the related objects are noteworthy.
  • Review the sequence of events leading to the execution of the matched object.
Generating a Root Cause Analysis may take some time to complete. Use the Root Cause Analysis tab to monitor the progress of the task.
For more information, see Analysis Chains.