Views:

The Analysis Chains tab displays the root cause analysis and also highlights additional information which might be beneficial to the investigation.

| Information | Description |
|---|---|
| Target Endpoint | Displays details about the endpoint where the root cause chain occurred. |
| First Observed Object | The object that most likely created the matched object. This is often the entry point of a targeted attack. Hover over an object and click to locate it in the root cause analysis. |
| Matched Objects | Displays the object or list of objects matching the investigation criteria. Hover over an object and click to locate it in the root cause analysis. |
| Noteworthy Objects | Highlights objects in the chain that are possibly malicious, based on existing Trend Micro intelligence. The value counts the number of unique noteworthy objects in the chain. Hover over the value to view the list of noteworthy objects, then hover over an object and click to locate it in the root cause analysis. |
| Root cause analysis area | Displays the root cause analysis map. |

The root cause analysis area displays a visual analysis of the objects involved in an event.

Note:

If the number of nodes in the root cause chain exceeds the presentation limit, only the main root cause chains are displayed.

To move around, click and drag the area in your preferred direction. The area also provides the following navigation options:

  • Click the drop-down to view other root cause chains for the selected endpoint. A root cause analysis can contain one or more matched root cause chains.

  • Click to enter full screen mode; click again to exit full screen mode.

  • Click to zoom in or zoom out.

  • Hover to view an explanation of the symbols appearing in the root cause chain.

Hover over an object in the root cause analysis area to view additional details. Click an object to display a side panel with the following tabs:

  • The Profile tab shows the details applicable to the selected object type.

    Some objects may show only a limited set of details, or may not have any details available at the time of execution.

    The tab also displays additional options for Matched Objects and Noteworthy Objects:

    • Add to Suspicious Objects List: Adds the object to the User-Defined Suspicious Object list. The following object types can be added to the list:

      • IP addresses

      • URLs

      • File SHA-1

      • Domains

  • The Related Objects tab displays all the dependencies of the matched object.

    These are the objects required to run the matched object. This tab displays the following details:

| Property | Description |
|---|---|
| Action | Action performed by the object. |
| Logged | Date and time of the recorded action. |
| Rating | Rating assigned to the object based on Trend Micro intelligence. |
| Destination path | Target destination of the object. |

The following options are available on the Related Objects tab:

  • Use the action drop-down to filter objects by a specified action. Click the drop-down to view all available actions.

  • Click Show detail to view more details about the object.
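The Add to Suspicious Objects List option on the Profile tab accepts only four object types (IP addresses, URLs, file SHA-1 hashes and domains), so values copied from Matched Objects or Noteworthy Objects are worth classifying before they are added in bulk. The following Python is an added example and not Trend Micro's code or API: it sorts constructed candidate values into the supported type or rejects them (for instance an MD5 hash, which the list does not accept); the function names and sample values are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

_SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# One DNS label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

SAMPLE_CANDIDATES = [  # constructed, as values might be copied from Matched Objects
    "198.51.100.23",                             # documentation-range IPv4
    "http://example.com/payload.bin",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",  # SHA-1 of the empty file
    "example.com",
    "d41d8cd98f00b204e9800998ecf8427e",          # MD5: not a supported type
]

def _is_domain(value: str) -> bool:
    """Accept a dotted name with at least two valid labels and a non-numeric TLD."""
    labels = value.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(_LABEL_RE.match(label) for label in labels)

def classify_suspicious_object(value: str):
    """Return the list type for a value, or None if it cannot be added.
    Order matters: SHA-1 before domain (a 40-hex string is not a hostname), then IP,
    then URL (scheme plus host), then bare domain; other hashes and text give None."""
    v = value.strip()
    if not v:
        return None
    if _SHA1_RE.match(v):
        return "File SHA-1"
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6 literals
        return "IP address"
    except ValueError:
        pass
    parts = urlsplit(v)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "URL"
    if _is_domain(v):
        return "Domain"
    return None

def triage_candidates(values):
    """Map addable candidates to their type; list the rest as rejected."""
    kinds = {v.strip(): classify_suspicious_object(v) for v in values}
    accepted = {v: k for v, k in kinds.items() if k is not None}
    rejected = [v for v, k in kinds.items() if k is None]
    return accepted, rejected
```

Rejected values should be reviewed by hand rather than silently dropped, since a SHA-256 or MD5 from another tool may still identify a file that has a SHA-1 elsewhere in the chain.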