Preliminary Investigations

Preliminary investigations can quickly identify endpoints which are possible candidates for further analysis. A preliminary investigation uses server metadata to quickly return results.

To access this screen, go to Response > Preliminary Investigation.

The Preliminary Investigation screen has two tabs:

Use an assessment to perform the following:

  • Evaluate the prevalence of a threat, and how long the threat has been in the network. The assessment goes through all historical data.

  • Determine the existence of a threat using simple criteria. Assessments support only a limited set of criteria.

An assessment supports the following criteria types:

The assessment goes through the server metadata and updates the result pane as soon as it finds a match. It may take a few minutes to completely go through the server metadata.

For details, see Using Custom Criteria for Preliminary Investigation.

Root Cause Analysis Results

If an assessment returns a match, administrators may generate a root cause analysis to:

  • List all objects related to the specified criteria.

  • Identify whether any of the related objects are noteworthy.

  • Review the sequence of events leading to the execution of the matched object.

Generating a root cause analysis may take some time to complete. Use the Root Cause Analysis tab to monitor the progress of the task.

For details, see Starting a Root Cause Analysis from an Assessment.