To perform an investigation on the current system state, use Detailed Investigation.
For details, see Starting a One-time Investigation.
Match all of the following: Find objects matching all criteria specified
Match any of the following: Find objects matching any of the criteria specified
For details, see Supported Formats for Custom Criteria.
To manage the criteria:
Click Reset to clear all specified criteria.
To save the criteria for future
investigations, click and specify a criteria name.
Preliminary investigations support a maximum of 10 saved custom criteria.
Applying existing criteria overwrites any criteria currently specified.
To manage the criteria:
Items in this list can be sorted by the Last Used column.
To delete a saved criteria, click the Delete icon.
Applying existing criteria overwrites any criteria currently specified.
Click Period to filter the C&C callback events by the specified time.
The Log Query screen provides additional details about C&C callback events in case you need to review them before selection. To go to the Log Query screen, navigate to Detections > Logs > Log Query, and then filter by Network Events > C&C Callback.
Assess data within the last 90 days: Runs the assessment on data recorded within the last 90 days only. Results are usually available after a few seconds.
Assess all data: Runs the assessment on all data recorded. Assessing all data may take some time to complete.
Allow some time for the preliminary investigation to run. The investigation appends more rows to the results table as soon as matching objects are found in the metadata. It may take a few minutes for the investigation to complete.
Hover over the Endpoints: label to display a popup that displays the progress of the assessment.
The data available during Preliminary Investigations is a subset of Security Agent data and only includes information about high risk file types. If an assessment returns no results, you may want to perform a Detailed Investigation.
The following details are available:
Column Name |
Description |
---|---|
Endpoint |
Name of the endpoint containing the matching object Click to view more details about the endpoint. |
Status |
Current connection status of the endpoint |
IP Address |
IP address of the endpoint containing the matching object The IP address is assigned by the network |
Operating System |
Operating system used by the endpoint |
User |
User name of the user logged in when the Endpoint Sensor agent first logged the matched object Click the user name to view more details about the user. |
Managing Server |
Server that manages the affected endpoint |
First Logged |
Date and time when the Endpoint Sensor agent first logged the matched object |
Details |
Click the icon to open the Match Details screen. The Match Details screen displays the following details:
|
Asterisk ( ✱ ) |
Indicates an endpoint tagged as Important |
The preliminary investigation results may include macOS endpoints. Since there are no actions available for macOS endpoints, the check boxes for these endpoints are disabled.
Action |
Description |
---|---|
Generate Root Cause Analysis |
Generates a root cause analysis to review the sequence of events leading to the execution of the matched object. For details, see Starting a Root Cause Analysis from an Assessment. |
Start Detailed Investigation |
Runs a new investigation with the same criteria on the current system state. The Detailed Investigation screen appears and initiates a new one-time investigation using the existing criteria. For assessments using custom criteria, Detailed Investigation uses only the selected endpoints as criteria For details, see Starting a One-time Investigation. |
Isolate Endpoints |
Disconnects the selected endpoints from the network. Note:
After resolving the security threats on an isolated endpoint, the following locations on the Directories > Users/Endpoints screen provides options to restore the network connection of an isolated endpoint:
|