Type
Item
FQDN / IP address / Hostname
Specify the remote endpoint FQDN, IP address, or hostname to identify network connections that the investigated endpoint made
Note
The IPv6 format is not supported.
Examples:
  • cncserver.com
  • malicioussite.com
  • 192.168.0.1
User name
Specify the name of the Active Directory account or local user
Examples:
  • jane_smith
Note
Use the local user account name only (<user name>). Do not include the domain name.
File name
Specify the full file name including extension
Example:
  • filename.exe
File hash value
Specify the hash value of a file.
Example:
  • SHA-1: a2da9cda33ce378a21f54e9f03f6c0c9efba61fa
  • SHA-256: D9FCB47915363186AEC3EF3EDAE0D92AC452BFA5A41C81D5E714E45583600561
File directory
Specify the full path excluding file name
Example:
  • c:\windows\system32\wbem\
Note
Do not include the file name.
Registry key / Registry value name / Registry value data
Specify the full or partial registry key, value name, or value data
Note
  • Trend Micro only records the activity of important registry locations to reduce the resource impact on the endpoint.
  • Do not specify SID values as registry criteria. Investigations do not support SID values as custom registry criteria.
  • Using registry data as investigation criteria has the following limitations:
    • Each entry must have at least 2 characters.
    • Entries cannot contain spaces.
Examples:
  • Registry key
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Registry value name
    RunTestExe
  • Registry value data
    "c:\test\run_test.exe" -abc
CLI command
Specify the command line, including the executable and its parameters.
Note
Using command line as investigation criteria has the following limitations:
  • Each entry must have at least 2 characters.
  • Entries cannot contain spaces.
Examples:
  • "C:\7z.exe" a "c:\log\test.7z" "c:\log\test.log"
  • taskhostw.exe -RegisterDevice -ProtectionStateChanged -FreeNetworkOnly
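The following validator is an added example for this page, not Trend Micro code, and it calls no Trend Micro API. It takes raw indicator strings and shapes them into the criteria forms the table above asks for before they are entered into an investigation: it rejects IPv6 literals, strips a DOMAIN\ prefix or @domain suffix from a user name, requires an extension on a file name, recognizes SHA-1 versus SHA-256 by digest length, splits a full path into the separate "File directory" and "File name" criteria, and refuses SIDs and entries shorter than 2 characters for registry and command line criteria. All sample values are constructed, and the SID used to exercise the negative case is a format placeholder only. The "no spaces" limitation is deliberately not enforced here, on the assumption that it cannot be meant literally, since the page's own registry value data and CLI command examples contain spaces.

```python
"""Normalize IOC strings into the investigation criteria shapes listed in the table.

Added example; not Trend Micro code. Only rules the table states are enforced.
"""
import ipaddress
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
HASH_LENGTHS = {40: "SHA-1", 64: "SHA-256"}
# Windows SID shape S-1-<authority>-<subauthority>...; format only, no real SID assumed
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+", re.IGNORECASE)
# Hostname / FQDN labels; underscore allowed so NetBIOS-style names are not rejected
LABEL = r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){LABEL}(?:\.{LABEL})*$")


def normalize_endpoint(value: str) -> str:
    """FQDN / IP address / Hostname: IPv4 literal or hostname; IPv6 is rejected."""
    v = value.strip()
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.version == 6:
            raise ValueError(f"IPv6 is not supported as endpoint criteria: {v}")
        return str(ip)
    if not HOSTNAME_RE.match(v):
        raise ValueError(f"not a hostname or FQDN: {value!r}")
    return v.lower()


def normalize_user(value: str) -> str:
    """User name: drop a DOMAIN\\ prefix or @domain suffix, keep only the account name."""
    v = value.strip()
    if "\\" in v:
        v = v.rsplit("\\", 1)[1]
    elif "@" in v:
        v = v.split("@", 1)[0]
    if not v:
        raise ValueError(f"no account name left after removing the domain: {value!r}")
    return v


def check_file_name(value: str) -> str:
    """File name: a bare name with an extension and no directory part."""
    v = value.strip()
    if "\\" in v or "/" in v:
        raise ValueError(f"file name criteria must not contain a path: {value!r}")
    stem, dot, ext = v.rpartition(".")
    if not (stem and dot and ext):
        raise ValueError(f"file name must include its extension: {value!r}")
    return v


def classify_hash(value: str) -> tuple:
    """File hash value: SHA-1 (40 hex) or SHA-256 (64 hex); returns (algorithm, upper-case hex)."""
    v = value.strip()
    algo = HASH_LENGTHS.get(len(v))
    if algo is None or not HEX_RE.match(v):
        raise ValueError(f"not a SHA-1 or SHA-256 hex digest: {value!r}")
    return algo, v.upper()


def split_path(value: str) -> tuple:
    """Full Windows path -> (directory with trailing backslash, file name).

    The first half is the "File directory" criterion, the second the "File name"
    criterion. A path that ends in a backslash carries no file name and is rejected.
    """
    v = value.strip().strip('"')
    directory, sep, name = v.rpartition("\\")
    if not sep or not name:
        raise ValueError(f"expected a full path ending in a file name: {value!r}")
    return directory + "\\", name


def check_registry(value: str) -> str:
    """Registry key / value name / value data: at least 2 characters and no SID."""
    v = value.strip()
    if len(v) < 2:
        raise ValueError(f"registry entry must have at least 2 characters: {value!r}")
    if SID_RE.search(v):
        raise ValueError(f"SID values are not supported as registry criteria: {value!r}")
    return v


def check_cli(value: str) -> str:
    """CLI command: at least 2 characters."""
    v = value.strip()
    if len(v) < 2:
        raise ValueError(f"command line entry must have at least 2 characters: {value!r}")
    return v


def rejects(fn, value: str) -> bool:
    """True when fn refuses value with ValueError; exercises the negative cases."""
    try:
        fn(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs modelled on the table's examples
    print(normalize_endpoint("CncServer.com"), normalize_endpoint("192.168.0.1"))
    print(normalize_user("CORP\\jane_smith"), normalize_user("jane_smith@corp.example"))
    print(classify_hash("a2da9cda33ce378a21f54e9f03f6c0c9efba61fa"))
    print(split_path(r"c:\windows\system32\wbem\wmiprvse.exe"))
    print(check_registry(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"))
    print(check_cli("taskhostw.exe -RegisterDevice -ProtectionStateChanged -FreeNetworkOnly"))
    print(rejects(normalize_endpoint, "2001:db8::1"),
          rejects(check_registry, r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software"))
```

Hash case is normalized to upper case for de-duplication only; the table shows both cases, so either is accepted on input. `split_path` handles backslash paths only, matching the Windows examples on the page.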