Use the Investigation Results screen to get a quick overview of the investigation results. This screen is accessible from the following locations:

- On the One Time Investigation tab, click the investigation Name.
- On the Scheduled Investigation tab, click the investigation Name, and then click a value in the Matched Endpoints column.
This screen displays the following information:

- A doughnut chart that shows the number of total endpoints already classified as Matched, No Match, Queued or Cancelled. A summary of the totals is given on the left of the chart. This summary updates in real time as the investigation progresses.
| Label | Description |
|---|---|
| Matched | Number of investigated endpoints containing a matching object |
| No match | Number of investigated endpoints that did not have a matching object |
| Queued | Number of endpoints still to be investigated. An investigation is complete once there are no more queued endpoints to investigate. |
| Cancelled | Number of endpoints not investigated. This may be due to user cancellation, system error, or endpoint timeout. |
- Parameters used when the investigation was created. Click Criteria to review the search conditions used by the investigation.
- A table of results which provides more details about each endpoint included in the investigation. This table groups the endpoints into tabs based on the investigation status and displays the following details:
| Column Name | Description |
|---|---|
| Asterisk (*) | Indicates an endpoint tagged as "Important" |
| Endpoint | Name of the endpoint containing the matching object. Click the Endpoint name to view more details about the endpoint. |
| IP Address | IP address of the endpoint containing the matching object. The IP address is assigned by the network. |
| Operating System | Operating system used by the endpoint |
| User | User name of the user logged in when the Endpoint Sensor agent first logged the matched object. Click the user name to view more details about the user. |
| Match Details | Click to view details of the match. |
| Root Cause Analysis | Click to view the Root Cause Analysis screen. Note: Root Cause Analysis results are only available for YARA rules; they are not available for investigations using OpenIOC rules or registry search. Because Live Investigations run on the current system state, some files and registry entries may be locked or in use while the investigation runs. |
| Elapsed | Time elapsed since the investigation started. |