Starting a One-time Investigation

Procedure

1. Go to Response → Live Investigation.
2. Click the One Time Investigation tab.
3. Click New Investigation.
4. Specify a Name for this investigation.
5. Select a Method based on what objects need to be matched:
   • Scan disk files using OpenIOC: objects on the disk that match the rules provided in an OpenIOC file

     Note After selection, Endpoint Sensor displays a preview of the OpenIOC file. Review the preview to verify if the OpenIOC file contains supported indicators and conditions. Unsupported combinations are formatted with a strike-through and are ignored during the investigation. For more information, see Supported IOC Indicators for Live Investigations.

   • Scan in-memory processes using YARA: objects currently in memory that match the rules provided in a YARA file
   • Search registry: registry keys, names and data that match criteria defined by the user
6. Click Select Endpoints and specify which endpoints to include in the investigation.

   Note The Target Endpoints screen may not show all endpoints selected for the investigation. A user can only view endpoints where he has been granted sufficient access rights. Only available for Security Agents installed on Windows platforms.

7. Click Start Investigation.
8. To view the results and monitor the progress of one-time investigations:
   1. Go to Response → Live Investigation.
   2. Click the One Time Investigation tab.
      For details, see One-Time Investigation.