The Root Cause Analysis is an investigation tool that displays the sequence of events leading to the execution of the matched object.

If an assessment returns a match, administrators may generate a root cause analysis to:

  • List all objects related to the specified criteria

  • Identify if any of the related objects are noteworthy

  • Review the sequence of events leading to the execution of the matched object.

Generating a root cause analysis may take some time to complete.

  1. Start a preliminary investigation.

    On the results pane, review the results that appear.

    For details, see Using Custom Criteria for Preliminary Investigation.

  2. Identify and select one or more endpoints, and click Generate Root Cause Analysis.
  3. Specify a name for the new Root Cause Analysis task.
  4. Review the criteria displayed.
    • For assessments using custom criteria, the Root Cause Analysis combines the criteria with either the AND or the OR operator.

    • For assessments using an OpenIOC file, generating a Root Cause Analysis uses the indicators in the current OpenIOC file as criteria.

  5. Review the target endpoints.
    Note:

    To remove endpoints from the list, click the delete icon.

  6. Specify a period.

    By default, the analysis is performed on all logged dates.

  7. Click Generate.
  8. Go to the Root Cause Analysis Results tab to monitor the progress of the analysis.

    For details, see Root Cause Analysis Results.

  9. After the task completes, click the task name.
    Note:

    The task name is not displayed as a link if Endpoint Sensor is unable to generate a root cause analysis. This may be due to the following reasons:

    • The target endpoint has insufficient data.

      Verify that the data has not been purged. If the agent database reaches the maximum database size limit, Endpoint Sensor purges the oldest logs to make space for new event entries. To avoid this issue, specify a larger agent database size.

    • The investigation was unable to find an object that matches all of the conditions specified in the OpenIOC file.

      Assessments ignore the conditions in the OpenIOC file and return the initial results from the indicators alone. A root cause analysis task adds those conditions back as additional criteria for the investigation, so it may find no object that satisfies both the OpenIOC indicators and their conditions.

  10. Review the results.
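The two OpenIOC behaviours above (step 4 and the second failure reason in step 9) are easier to reason about with a small evaluator. The following is an added example written for this page; it is not Endpoint Sensor code and does not reproduce how the product parses IOC files. It assumes that "conditions" means the AND/OR operator logic on the OpenIOC Indicator elements, and the IOC fragment and file records are constructed. assessment_hit() mimics the preliminary assessment by reporting a hit whenever any single IndicatorItem matches; root_cause_hit() honours the full logic tree, which is why a file can show up in the assessment yet produce no root cause analysis.

```python
"""Evaluate an OpenIOC indicator tree two ways: flat (any item) and strict (AND/OR).

Added illustration only, not Endpoint Sensor code. The IOC and the file records
are constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed OpenIOC 1.0 fragment: hit on a known MD5, OR on a file named
# svchost.exe whose full path contains a Temp directory (both items together).
SAMPLE_IOC = r"""<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-ioc-1">
  <short_description>Constructed example IOC</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/FileName"/>
          <Content type="string">svchost.exe</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FullPath"/>
          <Content type="string">\Temp\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed endpoint records, keyed by the OpenIOC "search" path of each field.
RECORDS = {
    "system32-svchost": {  # legitimate name, wrong location: assessment hit only
        "FileItem/FileName": "svchost.exe",
        "FileItem/FullPath": r"C:\Windows\System32\svchost.exe",
        "FileItem/Md5sum": "0f3b1c0e4a1d2f5b7c8d9e0a1b2c3d4e",
    },
    "temp-svchost": {  # satisfies the whole AND branch
        "FileItem/FileName": "svchost.exe",
        "FileItem/FullPath": r"C:\Users\Public\AppData\Local\Temp\svchost.exe",
        "FileItem/Md5sum": "9a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d",
    },
    "empty-file": {  # satisfies the OR via the MD5 item alone
        "FileItem/FileName": "readme.txt",
        "FileItem/FullPath": r"C:\Users\Public\readme.txt",
        "FileItem/Md5sum": "d41d8cd98f00b204e9800998ecf8427e",
    },
    "notepad": {  # matches nothing
        "FileItem/FileName": "notepad.exe",
        "FileItem/FullPath": r"C:\Windows\notepad.exe",
        "FileItem/Md5sum": "5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b",
    },
}


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _item_matches(item, record):
    """Apply one IndicatorItem (condition is/contains) to a record, case-insensitively."""
    ctx = next(c for c in item if _local(c.tag) == "Context")
    content = next(c for c in item if _local(c.tag) == "Content")
    value = record.get(ctx.get("search"))
    if value is None:
        return False
    have, want = value.lower(), (content.text or "").lower()
    cond = item.get("condition", "is")
    if cond == "is":
        return have == want
    if cond == "contains":
        return want in have
    raise ValueError(f"unsupported OpenIOC condition: {cond!r}")


def _iter_items(node):
    """Yield every IndicatorItem in the tree, ignoring Indicator operators."""
    for child in node:
        if _local(child.tag) == "IndicatorItem":
            yield child
        elif _local(child.tag) == "Indicator":
            yield from _iter_items(child)


def _evaluate(indicator, record):
    """Strict evaluation: combine children with the Indicator's AND/OR operator."""
    results = []
    for child in indicator:
        if _local(child.tag) == "IndicatorItem":
            results.append(_item_matches(child, record))
        elif _local(child.tag) == "Indicator":
            results.append(_evaluate(child, record))
    if not results:
        return False  # an empty Indicator can never be satisfied
    op = indicator.get("operator", "AND").upper()
    return all(results) if op == "AND" else any(results)


def _definition(xml_text):
    root = ET.fromstring(xml_text)
    return next(e for e in root.iter() if _local(e.tag) == "definition")


def assessment_hit(xml_text, record):
    """Flat pass: a hit if any single IndicatorItem matches (operators ignored)."""
    return any(_item_matches(i, record) for i in _iter_items(_definition(xml_text)))


def root_cause_hit(xml_text, record):
    """Strict pass: every top-level Indicator's logic tree must be satisfied."""
    top = [i for i in _definition(xml_text) if _local(i.tag) == "Indicator"]
    return bool(top) and all(_evaluate(i, record) for i in top)


def triage(xml_text, records):
    """Map record name -> (assessment hit, root cause analysis possible)."""
    return {n: (assessment_hit(xml_text, r), root_cause_hit(xml_text, r)) for n, r in records.items()}


if __name__ == "__main__":
    for name, (flat, strict) in triage(SAMPLE_IOC, RECORDS).items():
        print(f"{name:18} assessment={flat!s:5} root_cause={strict}")
```

Running the script shows the System32 copy of svchost.exe as an assessment hit that the strict pass rejects, which is exactly the situation in which the task name would not become a link: the file matched one indicator item, but no object on the endpoint satisfied the indicator logic as a whole.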