Root Cause Analysis Results

To monitor the progress of a root cause analysis task, go to Response > Preliminary Investigation, and click the Root Cause Analysis Results tab.

If an assessment returns a match, administrators may generate a root cause analysis to:

  • List all related objects to the specified criteria

  • Identify if any of the related objects are noteworthy

  • Review the sequence of events leading to the execution of the matched object.

Generating a root cause analysis may take some time to complete.

For details, see Starting a Root Cause Analysis from an Assessment.

The following table lists the investigations details available for review.

Column Name



Progress of the root cause analysis task


Name of the root cause analysis task

Click to open the Analysis Chains and Object Details screens.

For more information, see Analysis Chains.


The task name is not displayed as a link if Endpoint Sensor is unable to generate a root cause analysis, and may be due to the following reasons:

  • The target endpoint has insufficient data.

    Verify that the data has not been purged. If the agent database reaches the maximum database size limit, Endpoint Sensor purges the oldest logs to make space for new event entries. To avoid this issue, specify a larger agent database size.

  • The investigation was unable to find an object that matches all of the conditions specified in the OpenIOC file.

    Assessments ignore all conditions in the OpenIOC file to return the initial results. However, a root cause analysis task adds the conditions back as an additional criteria for the investigation. As a result, the root cause analysis task may be unable to generate results that match both the OpenIOC criteria and its conditions.


Criteria specified for the root cause analysis task

Matched Objects

Number of matching objects found in the endpoint

Click the value to view more details.

Asterisk ( ✱ )

Indicates an endpoint tagged as Important


Name of the endpoint containing the matching object

Click the Endpoint name to view more details about the endpoint.

IP Address

IP address of the endpoint containing the matching object

The IP address is assigned by the network


Date and time when the root cause analysis task was started


Length of time elapsed since starting the task


User who created the task

To delete a root cause analysis task, select an entry in the table and click Delete.