Analysis Chains

The Analysis Chains tab displays the root cause analysis and also highlights additional information which might be beneficial to the investigation.



Target Endpoint

Displays details about the endpoint where the root cause chain occurred

Click the endpoint name and user name to view details.

Click Isolate Endpoint to disconnect the endpoint from the network. During isolation, the agent can only communicate with the server.


After resolving the security threats on an isolated endpoint, the following locations on the Directories > Users/Endpoints screen provides options to restore the network connection of an isolated endpoint:

  • Endpoints > All: Click the name of an endpoint in the table, and click Task > Restore on the screen that appears.

  • Endpoints > Filters > Network Connection > Isolated: Select the endpoint row in the table, and click Task > Restore Network Connection.

First Observed Object

Object that most likely created the matched object

This is often the entry point of a targeted attack.

Hover over an object and click to locate the object in the root cause analysis.

Matched Objects

Displays the object or a list of objects matching the investigation criteria

Hover over an object and click to locate the object in the root cause analysis.

Noteworthy Objects

Highlights objects in the chain that are possibly malicious, based on existing Trend Micro intelligence

The value counts the number of unique noteworthy objects in the chain.

Click to view the list of noteworthy objects.

Hover over an object and click to locate the object in the root cause analysis.

Root cause analysis area

Displays the root cause analysis map

The root cause analysis area displays a visual analysis of the objects involved in an event.


If the number of nodes in the root cause chain exceeds the presentation limit, only the main root cause chains are displayed. To avoid this issue, refine the investigation criteria.

To move around, click and drag the area to your preferred direction. This area also provides the following navigation options.



A root cause analysis can contain one or more matched root cause chains.

Click the drop down to view other root cause chains for the selected endpoint.

Click to start a preliminary investigation using the objects in the preliminary investigation list

If there are no objects in the preliminary investigation list, this feature is not available.

To enable this feature, add at least one matched object or noteworthy object to the preliminary investigation list.

Click to enter full screen mode.

Click again to exit full screen mode.

Click to zoom in or zoom out.

Hover to view an explanation of the symbols appearing in the root cause chain

Hover over an object in the root cause analysis area to view additional details. Click an object to display a side panel with the following tabs:

  • The Profile tab shows the details applicable for the selected object type.

    Some objects may show only a limited set of details, or may not have any details available at the time of execution.

    You can further examine objects with "Malicious" ratings in Threat Connect or VirusTotal.

    The tab also displays additional options for Matched Objects and Noteworthy Objects:

    • Terminate Object: Terminates all running instances of the object only on the target endpoint's current state. This action is available only for unrated, malicious, and suspicious "process" type objects. To verify if the command was successful, go to Administration > Command Tracking.

    • Add to Suspicious Objects List: Terminates all running instances of the object only on the target endpoint's current state, and then adds the object to the User-Defined Suspicious Object list. The following object types can be added to the list:

      • File

      • Process

      • IP address

      • DNS


      If Application Control is enabled, processes that match the hash value of objects added to the User-Defined Suspicious Object list are not allowed to run on all endpoints.Endpoint Sensor also terminates "process" type objects before adding them to the list, and Application Control prevents them from starting again.

    • Add to Preliminary Investigation List: Adds the object as criteria for a new preliminary investigation. To start the investigation, click .

  • The Related Objects tab displays all the dependencies of the matched object.

    These are the objects required to run the matched object. This tab displays the following details:




Action done by the object


Date and time of the recorded action


Rating assigned to the object based on Trend Micro intelligence

Affected Endpoints

Affected endpoints, if any

Destination path

Target destination of the object

The following options are available to manage the Related Objects tab:

  • The tab provides a drop down that can filter objects based on the specified action. Click the drop down to view all available actions.

  • Click Show details to view more details about the object.


To export the data, click and perform one of the following:

  • Select Analysis Chains to export all root cause chains as .png files.

  • Select Object Details to export all data as CSV files.