Using OpenIOC files for Preliminary Investigation

Go to Response > Preliminary Investigation.

Click the OpenIOC file tab.

Note:

Using OpenIOC files in preliminary investigations has the following limitations:

Only one OpenIOC file can be loaded at a time.
Any operator specified in the OpenIOC file is changed to OR.
The only supported condition is IS. Entries using other conditions are ignored and marked with a strikethrough.
The only supported indicators are the indicators that are applicable to the collected metadata. Entries using unsupported indicators are ignored and marked with a strikethrough.

For details, see Supported IOC Indicators for Preliminary Investigations.

To upload and investigate using a new OpenIOC file:

Click Upload OpenIOC File.
Select a valid OpenIOC file.
Click Open.

To investigate using an existing OpenIOC file:

Click Use Existing OpenIOC File.
Select a file.
Click Apply.

Click one of the following:

Assess data within the last 90 days: Runs the assessment on data recorded within the last 90 days only. Results are usually available after a few seconds.
Assess all data: Runs the assessment on all data recorded. Assessing all data may take some time to complete.

On the results pane, review the results that appear.

Note:

Allow some time for the preliminary investigation to run. The investigation appends more rows to the results table as soon as matching objects are found in the metadata. It may take a few minutes for the investigation to complete.
Hover over the Endpoints: label to display a popup that displays the progress of the assessment.
The data available during Preliminary Investigations is a subset of Security Agent data and only includes information about high risk file types. If an assessment returns no results, you may want to perform a Detailed Investigation.

The following details are available:

Column Name	Description
Endpoint	Name of the endpoint containing the matching object Click to view more details about the endpoint.
Status	Current connection status of the endpoint
IP Address	IP address of the endpoint containing the matching object The IP address is assigned by the network
Operating System	Operating system used by the endpoint
User	User name of the user logged in when the Endpoint Sensor agent first logged the matched object Click the user name to view more details about the user.
Managing Server	Server that manages the affected endpoint
First Logged	Date and time when the Endpoint Sensor agent first logged the matched object
Details	Click the icon to open the Match Details screen. The Match Details screen displays the following details: Criteria: Criteria used in the assessment First Logged: Date and time when the Endpoint Sensor agent first logged the matched object CLI/Registry Occurrences: Number of matches found in command line or registry entries Click the value to show more details. Rating: Rating assigned by Trend Micro intelligence You can further examine objects with "Malicious" ratings in Threat Connect or VirusTotal. Affected Endpoints: If the rating is malicious, the number of endpoints where a similar match was found The count only includes endpoints affected within the last 90 days.
Asterisk ( ✱ )	Indicates an endpoint tagged as Important

Identify and select one or more endpoints that require further action.

Note:

The preliminary investigation results may include macOS endpoints. Since there are no actions available for macOS endpoints, the check boxes for these endpoints are disabled.

Action	Description
Generate Root Cause Analysis	Generates a root cause analysis to review the sequence of events leading to the execution of the matched object. For details, see Starting a Root Cause Analysis from an Assessment.
Start Detailed Investigation	Runs a new investigation with the same criteria on the current system state. The Detailed Investigation screen appears and initiates a new one-time investigation using the existing criteria. For assessments using an OpenIOC file, Detailed Investigation uses both the current OpenIOC file and selected endpoints as criteria For details, see Starting a One-time Investigation.
Isolate Endpoints	Disconnects the selected endpoints from the network. Note: After resolving the security threats on an isolated endpoint, the following locations on the Directories > Users/Endpoints screen provides options to restore the network connection of an isolated endpoint: Endpoints > All: Click the name of an endpoint in the table, and click Task > Restore on the screen that appears. Endpoints > Filters > Network Connection > Isolated: Select the endpoint row in the table, and click Task > Restore Network Connection.

Action

Description

Generate Root Cause Analysis

Generates a root cause analysis to review the sequence of events leading to the execution of the matched object.

For details, see Starting a Root Cause Analysis from an Assessment.

Start Detailed Investigation

Runs a new investigation with the same criteria on the current system state.

The Detailed Investigation screen appears and initiates a new one-time investigation using the existing criteria.

For assessments using an OpenIOC file, Detailed Investigation uses both the current OpenIOC file and selected endpoints as criteria

For details, see Starting a One-time Investigation.

Isolate Endpoints

Disconnects the selected endpoints from the network.

Note:

After resolving the security threats on an isolated endpoint, the following locations on the Directories > Users/Endpoints screen provides options to restore the network connection of an isolated endpoint:

Endpoints > All: Click the name of an endpoint in the table, and click Task > Restore on the screen that appears.
Endpoints > Filters > Network Connection > Isolated: Select the endpoint row in the table, and click Task > Restore Network Connection.