Threat Investigation Overview

Use Threat Investigation to locate suspicious objects in the network.

Threat Investigations can correlate information from Endpoint Sensor, Cloud App Security, and Active Directory to display attack information about endpoints, user accounts, and possible email attack vectors throughout your network.

You must properly configure Cloud App Security and Apex Central before email message information can be correlated.

For more information, see Configuring Cloud Service Settings.

If the network is the target of an ongoing attack or an APT, a threat investigation can:

  • Assess the extent of damage caused by the targeted attack

  • Provide information on the arrival and progression of the attack

  • Aid in planning an effective security incident response

Live Investigations examine the current system state of endpoints. Live Investigations can be configured to run at specific periods, and they also support a wider set of criteria through the use of OpenIOC and YARA rules.

For more information, see Live Investigations.