Analyzing Impact and Responding to IOCs from User-Defined Suspicious Objects

After adding suspicious objects or properly formatted IOC (STIX or OpenIOC) files to Apex Central, you can perform an impact analysis by selecting specific file, file SHA-1, IP address, or domain objects to determine if the threat exists within your network and take mitigation steps to prevent the spread of the threat to other endpoints.

For more information, see the following topics:

Important:

  • Impact analysis requires a valid Apex One Endpoint Sensor license. Ensure that you have a valid Apex One Endpoint Sensor license and enable the Enable Sensor feature for the appropriate Apex One Security Agent or Apex One (Mac) policies.

    For more information, see the Apex Central Widget and Policy Management Guide.

  • Endpoint isolation requires that you install Apex One Security Agents on the target endpoints.

  1. Go to Threat Intel > Custom Intelligence.

    The Custom Intelligence screen appears.

  2. Click the User-Defined Suspicious Objects tab.

    The User-Defined Suspicious Object list appears.

  3. Select one or more objects from the list.
    Note:

    Apex Central does not support analyzing impact for URL objects.

  4. Click Analyze Impact.

    Endpoint Sensor contacts agents and evaluates the agent logs for any detections of the suspicious objects.

    Note:

    Impact analysis times vary depending on your network environment.

  5. Expand the arrow to the left of the Object you want to view.

    • The At Risk Endpoints list displays all endpoints and users still affected by the suspicious object.

      • For File detections, the Latest Action Result column displays the last action result reported from managed products.

      • For all other detection types, the Latest Action Result column displays "N/A".

    • The At Risk Recipients list displays all recipients still affected by the suspicious object.

Parent topic: Preemptive Protection Against Suspicious Objects