Threat Investigation Overview

Use Threat Investigation to locate suspicious objects in the network.

If the network is the target of an ongoing attack or an APT, a threat investigation can:

  • Assess the extent of damage caused by the targeted attack

  • Provide information on the arrival and progression of the attack

  • Aid in planning an effective security incident response

The following types of threat investigation are available:

  • Preliminary investigations quickly identify endpoints that are possible candidates for further analysis. A preliminary investigation queries server metadata, so results return quickly.

    For more information, see Preliminary Investigations.

  • Detailed investigations examine the current state of the endpoint. Detailed investigations can be scheduled to run at specific times, and they support a wider set of criteria through the use of OpenIOC and YARA rules.

    For more information, see Detailed Investigations.