Using Custom Criteria for Threat Investigation

Procedure

1. Go to DETECTION & RESPONSE → Threat Investigation.
2. Click Advanced.
3. Select User-defined.
4. Specify the data period for the investigation.
5. Select one of the following options:
   • Match ANY criteria: Find objects matching any of the criteria specified
   • Match ALL criteria: Find objects matching all of the criteria specified
6. Click New criteria, select a criteria type, and specify valid information.
   For details, see Supported Formats for Custom Criteria.

   To save your criteria for future investigations, click .
7. (Optional) To load existing custom criteria, click Saved Criteria.
   1. Select the criteria to load.
   2. Click Apply Criteria.
8. Click Assess Impact.
   The Matched Endpoints section appears. Allow some time for the investigation to run.
9. Check the results in the Matched Endpoints section.
   The following details are available:

   Column Name	Description
   Endpoint	Name of the endpoint containing the matching object
   IPv4 Address	IP address of the endpoint containing the matching object The IP address is assigned by the network
   Operating System	Operating system used by the endpoint
   User	User name of the user logged in when the Security Agent first logged the matched object Click the user name to view more details about the user.
   First Logged	Date and time when the Security Agent first logged the matched object
   Details	Click the icon to open the Match Details screen. The Match Details screen displays the following details: Criteria: Criteria used in the assessment First Logged: Date and time when the Security Agent first logged the matched object CLI/Registry Occurrences: Number of matches found in command line or registry entries Click the value to show more details. Affected Endpoints: If the rating is malicious, the number of endpoints where a similar match was found The count only includes endpoints affected within the last 90 days.

10. To review the sequence of events leading to the execution of the matched object, select the endpoints that require further analysis and click Generate Root Cause Analysis.
    The Generate Root Cause Analysis screen appears.
11. Specify a name for the root cause analysis and click Generate.
12. Click the Root Cause Analysis tab to check the results. Allow some time for the task to complete.