Root Cause Analysis Results | Trend Micro Service Central

Views:

To monitor the progress of a Root Cause Analysis task, go to Response → Historical Investigation, and click the Root Cause Analysis Results tab.

If an assessment returns a match, administrators may generate a Root Cause Analysis to:

List all related objects to the specified criteria
Identify if any of the related objects are noteworthy
Review the sequence of events leading to the execution of the matched object.

Generating a Root Cause Analysis may take some time to complete.

For more information, see Starting a Root Cause Analysis from an Assessment.

The following table lists the investigations details available for review.

Column Name

Description

Status

Progress of the Root Cause Analysis task

Name

Name of the Root Cause Analysis task

Click to open the Analysis Chains and Object Details screens.

For more information, see Analysis Chains.

Note

The task name is not displayed as a link if Endpoint Sensor is unable to generate a Root Cause Analysis, and may be due to the following reasons:

The target endpoint has insufficient data.

Verify that the data has not been purged. If the agent database reaches the maximum database size limit, Endpoint Sensor purges the oldest logs to make space for new event entries. To avoid this issue, specify a larger agent database size.
The investigation was unable to find an object that matches all of the conditions specified in the OpenIOC file.

Assessments ignore all conditions in the OpenIOC file to return the initial results. However, a Root Cause Analysis task adds the conditions back as an additional criteria for the investigation. As a result, the Root Cause Analysis task may be unable to generate results that match both the OpenIOC criteria and its conditions.

Criteria

Criteria specified for the Root Cause Analysis task

Matched Objects

Number of matching objects found in the endpoint

Click the value to view more details.

Asterisk (*)

Indicates an endpoint tagged as Important

Endpoint

Name of the endpoint containing the matching object

Click the Endpoint name to view more details about the endpoint.

IP Address

IP address of the endpoint containing the matching object

The IP address is assigned by the network

Started

Date and time when the Root Cause Analysis task was started

Elapsed

Length of time elapsed since starting the task

Creator

User who created the task

To delete a Root Cause Analysis task, select an entry in the table and click Delete.