Starting a One-time Investigation

  1. Go to Response > Live Investigation.
  2. Click the One Time Investigation tab.
  3. Click New Investigation.
  4. Specify a Name for this investigation.
  5. Select a Method based on what objects need to be matched:

    • Scan disk files using OpenIOC: objects on the disk that match the rules provided in an OpenIOC file

      Note:

      After selection, Endpoint Sensor displays a preview of the OpenIOC file. Review the preview to verify if the OpenIOC file contains supported indicators and conditions. Unsupported combinations are formatted with a strike-through and are ignored during the investigation.

      For more information, see Supported IOC Indicators for Live Investigations.

    • Scan in-memory processes using YARA: objects currently in memory that match the rules provided in a YARA file

    • Search registry: registry keys, names and data that match criteria defined by the user

  6. Click Select Endpoints and specify which endpoints to include in the investigation.
    Note:

    The Target Endpoints screen may not show all endpoints selected for the investigation.

    • A user can only view endpoints where he has been granted sufficient access rights.

    • Only available for Security Agents installed on Windows platforms.

  7. Click Start Investigation.
  8. To view the results and monitor the progress of one-time investigations:
    1. Go to Response > Live Investigation.
    2. Click the One Time Investigation tab.

      For details, see One-Time Investigation.

Parent topic: Live Investigations