Starting a One-time Investigation

  1. Go to Response > Detailed Investigation.
  2. Click the One Time Investigation tab.
  3. Click New Investigation.
  4. Specify a Name for this investigation.
  5. Select a Method based on what objects need to be matched:

    • Scan disk files using OpenIOC: objects on the disk that match the rules provided in an OpenIOC file

      Note:

      After selection, Endpoint Sensor displays a preview of the OpenIOC file. Review the preview to verify if the OpenIOC file contains supported indicators and conditions. Unsupported combinations are formatted with a strike-through and are ignored during the investigation.

      For more information, see Supported IOC Indicators for Real-Time Investigations.

    • Scan in-memory processes using YARA: objects currently in memory that match the rules provided in a YARA file

    • Search registry: registry keys, names and data that match criteria defined by the user

  6. Click Select Endpoints and specify which endpoints to include in the investigation.
    Note:

    The Target Endpoints screen may not show all endpoints selected for the investigation.

    • A user can only view endpoints where he has been granted sufficient access rights.

    • Endpoints running macOS are also not shown. Investigations do not support macOS endpoints as valid investigation targets.

  7. Click Start Investigation.
  8. To view the results and monitor the progress of one-time investigations:
    1. Go to Response > Detailed Investigation.
    2. Click the One Time Investigation tab.

      For details, see One-Time Investigation.

Parent topic: Detailed Investigations