Detailed investigations perform the investigation on the current system state. Detailed investigations can be configured to run at specific periods, and also support a wider set of criteria through the use of OpenIOC and YARA rules.
Detailed investigations support the following criteria:
OpenIOC rules: Use OpenIOC rules to scan for all files currently on the disk.
After selection, Endpoint Sensor displays a preview of the OpenIOC file. Review the preview to verify if the OpenIOC file contains supported indicators and conditions. Unsupported combinations are formatted with a strike-through and are ignored during the investigation.
For more information, see Supported IOC Indicators for Real-Time Investigations.
YARA rules: Use YARA rules to scan all processes currently running in memory.
Root cause analysis results are only available for YARA rules .
Because detailed investigations run on the current system state, some files and registry entries may be locked or in use during this period. Root Cause Analysis results are not available for investigations using OpenIOC rules or registry search. To generate a root cause analysis using OpenIOC rules or registry data, use preliminary investigation.
For details, see Preliminary Investigations.
Search registry: Specify registry keys, names and data to match on the target endpoints.
Investigations are performed only on registry values under the following root keys:
Administrators can specify the type of detailed investigation to run:
A one-time investigation runs only once. The investigation runs immediately after creation.
For details, see Starting a One-time Investigation.
A scheduled investigation can be configured to run automatically at specific intervals.
For details, see Starting a Scheduled Investigation.
Detailed investigations take some time to complete.