The Analysis Chains tab displays the Root Cause Analysis and highlights additional information that may be useful to the investigation.
Threat Investigations can correlate information from Endpoint Sensor, Cloud App Security, and Active Directory to display attack information about an endpoint, user account, and possible email attack vectors throughout your network.
Information
Description
Target Endpoint
Displays details about the endpoint that was investigated.
Click the endpoint name and user name to view details.
Click Isolate Endpoint to disconnect the endpoint from the network. During isolation, the agent can only communicate with the server.
Note
After resolving the security threats on an isolated endpoint, the following locations on the Directories > Users/Endpoints screen provide options to restore the network connection of an isolated endpoint:
  • Endpoints > All: Click the name of an endpoint in the table, and click Task > Restore on the screen that appears.
  • Endpoints > Filters > Network Connection > Isolated: Select the endpoint row in the table, and click Task > Restore Network Connection.
First Observed Object
The first object in the analysis chain suspected to have been responsible for the creation of the investigated object.
This is often the entry point of a targeted attack.
Hover over an object and click the search icon to locate the object in the Analysis Chain.
Matched Objects
Displays the object or list of objects matching the investigation criteria.
Hover over an object and click the search icon to locate the object in the Root Cause Analysis.
Noteworthy Objects
Highlights objects in the chain that are possibly malicious, based on existing Trend Micro intelligence.
The value counts the number of unique noteworthy objects in the chain.
Click to view the list of noteworthy objects.
Hover over an object and click the search icon to locate the object in the Analysis Chain.
Root Cause Analysis area
Displays a visual analysis of the objects involved in an event.
Note
If the number of nodes in the analysis chain exceeds the presentation limit, only the main analysis chains are displayed. To avoid this issue, refine the investigation criteria.
Click any available node to view more information about the selected object.
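The following is an added example, not Trend Micro code, illustrating the relationships the table above describes: how a matched object is traced back through its parent links to the first observed object, how noteworthy objects in that chain are counted, and how a node limit leaves only the main chains on screen. The product's real telemetry format is not shown on this page, so the object records, the parent link field, the "noteworthy" flag and the ranking rule used to pick main chains are all constructed assumptions of this example.

```python
"""Added example (not Trend Micro code): walking an analysis chain.

The product's real telemetry format is not shown on the page; the
object records below are a constructed simplification in which every
object carries the id of the object that created it.
"""

# Constructed sample telemetry from one endpoint: a chain that starts at a
# mail client and an unrelated benign chain. "noteworthy" stands in for a
# threat-intelligence verdict of "possibly malicious".
SAMPLE_OBJECTS = [
    {"id": "o1", "type": "process", "name": "outlook.exe", "parent": None, "noteworthy": False},
    {"id": "o2", "type": "file", "name": "invoice.docm", "parent": "o1", "noteworthy": True},
    {"id": "o3", "type": "process", "name": "winword.exe", "parent": "o2", "noteworthy": False},
    {"id": "o4", "type": "process", "name": "powershell.exe", "parent": "o3", "noteworthy": True},
    {"id": "o5", "type": "file", "name": "payload.dll", "parent": "o4", "noteworthy": True},
    {"id": "o6", "type": "process", "name": "rundll32.exe", "parent": "o5", "noteworthy": True},
    {"id": "o7", "type": "process", "name": "explorer.exe", "parent": None, "noteworthy": False},
    {"id": "o8", "type": "process", "name": "notepad.exe", "parent": "o7", "noteworthy": False},
]


def build_index(objects):
    """Map object id -> record so parent lookups are O(1)."""
    return {obj["id"]: obj for obj in objects}


def chain_to_root(index, object_id):
    """Return the chain from the first observed object down to object_id.

    Walks parent links upward. A cycle means corrupt data, so fail loudly
    instead of looping forever.
    """
    chain, seen, current = [], set(), object_id
    while current is not None:
        if current in seen:
            raise ValueError(f"cycle in parent links at {current}")
        seen.add(current)
        record = index[current]
        chain.append(record)
        current = record["parent"]
    chain.reverse()  # root (first observed object) comes first
    return chain


def first_observed_object(index, object_id):
    """The root of the chain: the suspected entry point of the attack."""
    return chain_to_root(index, object_id)[0]


def match_objects(objects, **criteria):
    """Objects whose fields equal every given criterion (the investigation criteria)."""
    return [obj for obj in objects
            if all(obj.get(field) == value for field, value in criteria.items())]


def noteworthy_count(chain):
    """Number of unique noteworthy objects in a chain."""
    return len({obj["id"] for obj in chain if obj["noteworthy"]})


def select_main_chains(index, matched_ids, node_limit):
    """Keep the chains that fit within node_limit, most noteworthy first.

    Mirrors the presentation-limit behaviour described on the page; the
    ranking rule (noteworthy count, then chain length) is an assumption
    of this example, not the product's documented rule.
    """
    chains = [chain_to_root(index, mid) for mid in matched_ids]
    chains.sort(key=lambda c: (noteworthy_count(c), len(c)), reverse=True)
    kept, shown = [], set()
    for chain in chains:
        ids = {obj["id"] for obj in chain}
        if len(shown | ids) > node_limit:
            continue  # this chain would push the view past the limit
        kept.append(chain)
        shown |= ids
    return kept


if __name__ == "__main__":
    index = build_index(SAMPLE_OBJECTS)
    for match in match_objects(SAMPLE_OBJECTS, name="rundll32.exe"):
        chain = chain_to_root(index, match["id"])
        print("first observed object:", first_observed_object(index, match["id"])["name"])
        print("chain:", " -> ".join(obj["name"] for obj in chain))
        print("noteworthy objects:", noteworthy_count(chain))
```

Narrowing the criteria passed to match_objects is the code-level equivalent of the advice in the note above: fewer matched objects means fewer chains competing for the node limit, so the chain that matters is the one that stays on screen.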
For more information on how to interpret Analysis Chains, see:
Note
To export the data, click the export icon and perform one of the following:
  • Select Analysis Chains to export all root cause chains as .png files.
  • Select Object Details to export all data as CSV files.