Preliminary investigations assess historical events and root cause chains based on specified criteria. The results can be viewed as a root cause analysis map showing the execution flow of any suspicious activity. This facilitates the analysis of the enterprise-wide chain of events involved in a targeted attack.
Preliminary investigations accept the following object types as investigation criteria:
- DNS record
- IP address
- File name
- File path
- SHA-1 hash value
- MD5 hash value
- User account
Preliminary investigations query a normalized database containing an endpoint's historical events. Compared to a traditional log file, this method uses less disk space and consumes fewer resources.
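To make the mechanism concrete, the following is an added example (not product code and not from the original page) that models a normalized store of endpoint events, looks up matches for criteria of the seven object types listed above, and walks parent links back to the root of the execution flow, which is the root cause chain the analysis map would display. The event schema, the `CRITERIA_FIELDS` mapping, and the sample records (hosts, users, paths, hashes, the `.invalid` hostname and the RFC 5737 test address) are all constructed for illustration.

```python
"""Added example: matching investigation criteria against a normalized endpoint
event store and reconstructing the root cause chain for each match.
The schema and sample data are constructed; they are not product internals."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    """One normalized row: an observed activity plus a link to its parent event."""
    event_id: int
    parent_id: Optional[int]
    host: str
    user: str           # user account the activity ran under
    process: str        # file name of the executing image
    path: str           # full file path of the executing image
    sha1: str = ""      # SHA-1 of the image, if recorded
    md5: str = ""       # MD5 of the image, if recorded
    dns: str = ""       # DNS record queried, if any
    ip: str = ""        # remote IP address contacted, if any


# Constructed sample events (hypothetical). The chain of interest is
# explorer.exe -> winword.exe -> cmd.exe -> powershell.exe -> update.exe.
# Hash values are the well-known digests of empty input, used here as placeholders.
EVENTS = [
    Event(1, None, "ws-01", "alice", "explorer.exe", r"C:\Windows\explorer.exe"),
    Event(2, 1, "ws-01", "alice", "winword.exe", r"C:\Program Files\Office\winword.exe"),
    Event(3, 2, "ws-01", "alice", "cmd.exe", r"C:\Windows\System32\cmd.exe"),
    Event(4, 3, "ws-01", "alice", "powershell.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          dns="example-update.invalid", ip="203.0.113.10"),
    Event(5, 4, "ws-01", "alice", "update.exe",
          r"C:\Users\alice\AppData\Local\Temp\update.exe",
          sha1="da39a3ee5e6b4b0d3255bfef95601890afd80709",
          md5="d41d8cd98f00b204e9800998ecf8427e"),
    Event(6, 1, "ws-01", "alice", "notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

# Object types accepted as criteria, mapped to the normalized column they match.
CRITERIA_FIELDS = {
    "DNS record": "dns",
    "IP address": "ip",
    "File name": "process",
    "File path": "path",
    "SHA-1 hash value": "sha1",
    "MD5 hash value": "md5",
    "User account": "user",
}


def build_index(events):
    """Index events by (column, lower-cased value) so a query does not scan every row."""
    index = {}
    for ev in events:
        for column in CRITERIA_FIELDS.values():
            value = getattr(ev, column)
            if value:
                index.setdefault((column, value.lower()), []).append(ev)
    return index


def find_matches(index, criteria):
    """Return events matching any criterion, ordered by event id.

    criteria maps an object type name (a key of CRITERIA_FIELDS) to the value
    being searched for; an unsupported object type raises KeyError."""
    matches = {}
    for obj_type, value in criteria.items():
        column = CRITERIA_FIELDS[obj_type]
        for ev in index.get((column, value.lower()), []):
            matches[ev.event_id] = ev
    return [matches[k] for k in sorted(matches)]


def root_cause_chain(events, event_id):
    """Walk parent links from a matched event back to the root of the execution flow.

    Returns the process names from root to the matched event. A visited set
    guards against malformed data that links events in a cycle."""
    by_id = {ev.event_id: ev for ev in events}
    chain, seen = [], set()
    cur = by_id.get(event_id)
    while cur is not None and cur.event_id not in seen:
        seen.add(cur.event_id)
        chain.append(cur)
        cur = by_id.get(cur.parent_id) if cur.parent_id is not None else None
    chain.reverse()
    return [ev.process for ev in chain]


def investigate(events, criteria):
    """Run the preliminary investigation: match criteria, then build one chain per hit."""
    index = build_index(events)
    return {ev.event_id: root_cause_chain(events, ev.event_id)
            for ev in find_matches(index, criteria)}


if __name__ == "__main__":
    result = investigate(EVENTS, {"DNS record": "example-update.invalid",
                                  "MD5 hash value": "d41d8cd98f00b204e9800998ecf8427e"})
    for eid, chain in result.items():
        print(eid, " -> ".join(chain))
```

Each criterion is an OR term here; a real query layer would also let an analyst combine criteria and restrict the time range, but the two-step shape (indexed lookup over normalized rows, then a walk of parent links) is what lets this approach stay cheaper than scanning raw log files.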