The Endpoint Sensor Investigation widget connects with a remote Trend Micro Endpoint Sensor server to start an investigation and display the results from this investigation directly from the Apex Central dashboard.
Click Start a New Investigation to initiate a new investigation, and then select an investigation method:
  • Historical Records to investigate historical events based on user-defined criteria
  • System Snapshot to investigate the current state of the selected endpoints
Once the New Investigation page appears, fill in the required criteria. The following investigation types are available:
  • Historical Records - Retro Scan: Investigate historical events based on user-defined criteria
  • Historical Records - IOC rule: Investigate historical events using an IOC rule
  • System Snapshot - Registry search: Investigate the Windows registry
  • System Snapshot - YARA rule: Investigate for memory-resident threats using a YARA rule
  • System Snapshot - IOC rule: Investigate for events using an IOC rule
  • System Snapshot - Disks IOC rule: Investigate for files using an IOC rule
  • System Snapshot - System audit: Investigate all currently running processes, services, and modules
Click Investigate to start the investigation. To stop an ongoing investigation, click Cancel.
The widget refreshes periodically to display the progress of the investigation. It displays a doughnut chart that gives a visual representation of the total endpoints, classified as:
  • Matched: indicates the number of endpoints where a matched object was found.
  • Safe: indicates the number of endpoints where a matched object was not found.
  • Pending: indicates the number of endpoints not yet investigated.
  • Canceled: indicates the number of endpoints that meet any of the following criteria:
    • The investigation performed on the endpoint encountered an error
    • The endpoint is offline, or all commands sent to the endpoint result in a timeout
    • The investigation for the endpoint was manually interrupted by the user
A breakdown of the totals is given on the right of the doughnut chart. Click the count for each classification to view the Investigation Results screen. This screen gives more details regarding the latest investigation results started from Apex Central.
Note
  • Once a server is added, refresh the widget to start retrieving data from the new server.
  • If multiple servers are added, the widget displays the aggregate result of all the servers' data.
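The classification rules above (Matched, Safe, Pending, and the three Canceled criteria) and the aggregation of several servers' data can be checked with a small model. This is an added illustration, not Trend Micro code: the Endpoint Sensor data format is not documented on this page, so the record fields and the per-command outcome list are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed record: field names are assumptions made for this illustration,
# not the Endpoint Sensor server's actual result schema.
@dataclass
class EndpointResult:
    endpoint: str
    investigated: bool                 # False while the endpoint is still pending
    matched: bool = False              # a matched object was found on the endpoint
    error: bool = False                # the investigation on the endpoint hit an error
    offline: bool = False              # the endpoint could not be reached
    command_outcomes: list = field(default_factory=list)  # "ok" / "timeout" per command
    cancelled_by_user: bool = False    # the user manually interrupted the endpoint

def classify(r: EndpointResult) -> str:
    """Map one endpoint's result to the widget's four doughnut classes."""
    # "All commands sent to the endpoint result in a timeout": every command, not just one.
    all_timed_out = bool(r.command_outcomes) and all(o == "timeout" for o in r.command_outcomes)
    if r.error or r.offline or all_timed_out or r.cancelled_by_user:
        return "Canceled"
    if not r.investigated:
        return "Pending"
    return "Matched" if r.matched else "Safe"

def aggregate(servers: dict) -> dict:
    """Combine results from every configured server into one breakdown."""
    counts = Counter({"Matched": 0, "Safe": 0, "Pending": 0, "Canceled": 0})
    for results in servers.values():
        counts.update(classify(r) for r in results)
    return dict(counts)

# Constructed sample: two Endpoint Sensor servers reporting on eight endpoints.
SAMPLE = {
    "sensor-a": [
        EndpointResult("ep1", investigated=True, matched=True),
        EndpointResult("ep2", investigated=True),
        EndpointResult("ep3", investigated=False),
        EndpointResult("ep4", investigated=False, offline=True),
    ],
    "sensor-b": [
        EndpointResult("ep5", investigated=True),
        EndpointResult("ep6", investigated=False, command_outcomes=["timeout", "timeout"]),
        EndpointResult("ep7", investigated=True, command_outcomes=["timeout", "ok"]),
        EndpointResult("ep8", investigated=False, cancelled_by_user=True),
    ],
}

if __name__ == "__main__":
    print(aggregate(SAMPLE))
```

ep7 stays Safe because only one of its commands timed out, while ep6 is Canceled because every command did.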