Scan disk files using OpenIOC: objects on the disk that match the rules provided in an OpenIOC file
After selection, Endpoint Sensor displays a preview of the OpenIOC file. Review the preview to confirm that the OpenIOC file uses supported indicators and conditions. Unsupported combinations are shown with a strike-through and are ignored during the investigation. Because ignored items drop out of the indicator logic, confirm that the remaining items still express the detection you intended before starting the investigation.
For more information, see Supported IOC Indicators for Real-Time Investigations.
Scan in-memory processes using YARA: objects currently in memory that match the rules provided in a YARA file
Search registry: registry keys, names and data that match criteria defined by the user
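The preview step is, in effect, a check that every (search term, condition) pair in the OpenIOC file is one the product supports. The script below is an added example, not part of this documentation or of Endpoint Sensor, that performs the same check offline so an IOC can be corrected before upload. The SUPPORTED set is a placeholder assumption to be filled in from the Supported IOC Indicators list, the sample IOC is constructed for demonstration, and the function names are the example's own.

```python
"""Pre-check an OpenIOC file before uploading it to Endpoint Sensor.

Added example, not Trend Micro code. It parses the OpenIOC XML, lists every
IndicatorItem as a (search term, condition) pair and flags the pairs that fall
outside a supported set. SUPPORTED below is a placeholder assumption; fill it
from the product's "Supported IOC Indicators for Real-Time Investigations" list.
"""
import xml.etree.ElementTree as ET

# ASSUMPTION: placeholder set of supported (search term, condition) pairs.
SUPPORTED = {
    ("FileItem/Md5sum", "is"),
    ("FileItem/Sha1sum", "is"),
    ("FileItem/FileName", "is"),
    ("FileItem/FileName", "contains"),
}

# Constructed sample IOC (OpenIOC 1.0 schema); the hash and names are not real indicators.
SAMPLE_IOC = r"""<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="demo-ioc-1" last-modified="2024-01-01T00:00:00">
  <short_description>Demo dropper</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="ii-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <IndicatorItem id="ii-2" condition="contains">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">invoice</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem id="ii-3" condition="is">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svchost.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="ii-4" condition="matches">
          <Context document="FileItem" search="FileItem/FilePath" type="mir"/>
          <Content type="string">.*\\Temp\\.*</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def _ns(tag):
    """Return the '{namespace}' prefix of an element tag, or '' if unqualified."""
    return tag[: tag.index("}") + 1] if tag.startswith("{") else ""


def check_ioc(xml_text, supported=SUPPORTED):
    """Split IndicatorItems into supported and unsupported lists.

    Each entry is (item id, search term, condition, content). The namespace is
    taken from the root element rather than hard-coded, so both the OpenIOC 1.0
    (mandiant.com) and 1.1 (openioc.org) schemas are handled.
    """
    root = ET.fromstring(xml_text)
    ns = _ns(root.tag)
    ok, bad = [], []
    for item in root.iter(ns + "IndicatorItem"):
        ctx = item.find(ns + "Context")
        content = item.find(ns + "Content")
        search = ctx.get("search", "") if ctx is not None else ""
        condition = item.get("condition", "")
        entry = (item.get("id", ""), search, condition,
                 (content.text or "") if content is not None else "")
        (ok if (search, condition) in supported else bad).append(entry)
    return ok, bad


def weakened_and_groups(xml_text, supported=SUPPORTED):
    """Return ids of AND groups that would lose at least one direct child.

    Dropping a child from an AND makes the group less restrictive, so these are
    the groups whose remaining logic most needs a second look in the preview.
    """
    root = ET.fromstring(xml_text)
    ns = _ns(root.tag)
    weakened = []
    for group in root.iter(ns + "Indicator"):
        if group.get("operator", "").upper() != "AND":
            continue
        for item in group.findall(ns + "IndicatorItem"):
            ctx = item.find(ns + "Context")
            search = ctx.get("search", "") if ctx is not None else ""
            if (search, item.get("condition", "")) not in supported:
                weakened.append(group.get("id", ""))
                break
    return weakened


if __name__ == "__main__":
    ok, bad = check_ioc(SAMPLE_IOC)
    for entry in ok:
        print("  keep   ", *entry)
    for entry in bad:
        print("  IGNORED", *entry)
    print("AND groups weakened by ignored items:", weakened_and_groups(SAMPLE_IOC))
```

Run it against your own file by passing the file contents to check_ioc in place of SAMPLE_IOC. Items reported as IGNORED correspond to what the Endpoint Sensor preview would strike through; an AND group listed by weakened_and_groups matches on fewer constraints than written, which is usually the case that needs rewording before the investigation starts.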
The Target Endpoints screen may not show all endpoints selected for the investigation.
Only endpoints for which the user has been granted sufficient access rights are listed.
Endpoints running macOS are also not listed, because investigations do not support macOS endpoints as targets.
For details, see One-Time Investigation.