Procedure

  1. Go to DETECTION & RESPONSE > Threat Investigation.
  2. Click Advanced.
  3. Select OpenIOC file.
    Note
    Using OpenIOC files in Historical Investigations has the following limitations:
    • Only one OpenIOC file can be loaded at a time.
    • The only supported condition is IS. Entries using other conditions are ignored and marked with a strikethrough.
    • The only supported indicators are the indicators that are applicable to the collected metadata. Entries using unsupported indicators are ignored and marked with a strikethrough.
      For details, see Supported IOC Indicators.
  4. Specify the data period for the investigation.
  5. To upload and investigate using a new OpenIOC file:
    1. Click Upload OpenIOC File.
    2. Select a valid OpenIOC file.
    3. Click Open.
  6. To investigate using an existing OpenIOC file:
    1. Click Use Existing OpenIOC File.
    2. Select a file.
    3. Click Apply.
  7. Click Assess Impact.
    The Matched Endpoints section appears. Allow some time for the investigation to run.
  8. Check the results in the Matched Endpoints section.
    The following details are available for each matched endpoint:
    • Endpoint: Name of the endpoint containing the matching object
    • IPv4 Address: IP address of the endpoint containing the matching object. The IP address is assigned by the network.
    • Operating System: Operating system used by the endpoint
    • User: User name of the user logged in when the Security Agent first logged the matched object. Click the user name to view more details about the user.
    • First Logged: Date and time when the Security Agent first logged the matched object
    • Details: Click the icon to open the Match Details screen, which displays the following:
      • Criteria: Criteria used in the assessment
      • First Logged: Date and time when the Security Agent first logged the matched object
      • CLI/Registry Occurrences: Number of matches found in command line or registry entries. Click the value to show more details.
      • Affected Endpoints: If the rating is malicious, the number of endpoints where a similar match was found. The count only includes endpoints affected within the last 90 days.
  9. To review the sequence of events leading to the execution of the matched object, select the endpoints that require further analysis and click Generate Root Cause Analysis.
    The Generate Root Cause Analysis screen appears.
  10. Specify a name for the root cause analysis and click Generate.
  11. Click the Root Cause Analysis tab to check the results. Allow some time for the task to complete.
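Because the investigation silently strikes through every entry whose condition is not IS or whose indicator is not supported (see the note under step 3), it is worth checking an OpenIOC file before uploading it rather than discovering afterwards that most of its indicators were ignored. The script below is an added example, not part of the product or its documentation: it parses an OpenIOC 1.0/1.1 document and reports which IndicatorItem entries the investigation would use and which it would ignore, and why. The list in SUPPORTED_SEARCH_TERMS is an illustrative assumption; replace it with the terms on the Supported IOC Indicators page. The embedded SAMPLE_IOC is a constructed document, not a real threat indicator.

```python
"""Pre-flight check for an OpenIOC file before uploading it to a
Historical Investigation.  Added example, not product code.

The investigation ignores (strikes through) any IndicatorItem whose
condition is not "is" or whose indicator term is not supported.  This
script reports those entries up front so the file can be fixed first.
"""
import sys
import xml.etree.ElementTree as ET

# ASSUMPTION: illustrative indicator terms only.  Replace with the terms
# listed on the product's "Supported IOC Indicators" page.
SUPPORTED_SEARCH_TERMS = {
    "FileItem/Md5sum",
    "FileItem/Sha1sum",
    "FileItem/Sha256sum",
    "FileItem/FileName",
    "FileItem/FullPath",
    "ProcessItem/name",
    "RegistryItem/Path",
    "DnsEntryItem/Host",
}

# Constructed sample OpenIOC 1.0 document (not a real threat indicator).
# item-1 is usable, item-2 uses "contains", item-3 uses an unsupported term.
# The sha256 value is the well-known hash of the empty string.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001" last-modified="2024-01-01T00:00:00">
  <short_description>Constructed sample (not a real threat)</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/Sha256sum" type="mir"/>
        <Content type="sha256">e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</Content>
      </IndicatorItem>
      <IndicatorItem id="item-2" condition="contains">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">invoice</Content>
      </IndicatorItem>
      <IndicatorItem id="item-3" condition="is">
        <Context document="ServiceItem" search="ServiceItem/name" type="mir"/>
        <Content type="string">ExampleSvc</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""


def _local(tag):
    """Strip the XML namespace prefix ("{uri}name") from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def check_openioc(xml_text, supported=SUPPORTED_SEARCH_TERMS):
    """Classify every IndicatorItem in an OpenIOC document.

    Returns (usable, ignored).  Each entry is a dict with the item id, search
    term, condition and content; ignored entries also carry a "reason".
    """
    root = ET.fromstring(xml_text)
    if _local(root.tag) not in ("ioc", "OpenIOC"):  # 1.0 and 1.1 root names
        raise ValueError(f"not an OpenIOC document (root element {root.tag!r})")
    usable, ignored = [], []
    for item in root.iter():
        if _local(item.tag) != "IndicatorItem":
            continue
        ctx = next((c for c in item if _local(c.tag) == "Context"), None)
        content = next((c for c in item if _local(c.tag) == "Content"), None)
        entry = {
            "id": item.get("id"),
            "search": ctx.get("search") if ctx is not None else None,
            "condition": (item.get("condition") or "").lower(),
            "content": (content.text or "").strip() if content is not None else "",
        }
        if entry["condition"] != "is":
            entry["reason"] = f"condition {entry['condition']!r} is not IS"
            ignored.append(entry)
        elif entry["search"] not in supported:
            entry["reason"] = f"indicator {entry['search']!r} is not supported"
            ignored.append(entry)
        else:
            usable.append(entry)
    return usable, ignored


def report(xml_text):
    """Print one line per IndicatorItem; return True only if nothing is ignored."""
    usable, ignored = check_openioc(xml_text)
    for e in usable:
        print(f"OK       {e['id']}: {e['search']} is {e['content']}")
    for e in ignored:
        print(f"IGNORED  {e['id']}: {e['search']} {e['condition']} {e['content']} ({e['reason']})")
    return not ignored


if __name__ == "__main__":
    # Usage: python check_openioc.py <file.ioc>; runs on the sample if no file is given.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_IOC
    sys.exit(0 if report(text) else 1)
```

Run it against each file before step 5; a non-zero exit means at least one entry will be struck through in the investigation. Since only one OpenIOC file can be loaded at a time, it is also a convenient point to split a large file so that each upload contains only IS-condition entries for supported indicators.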