Using the Endpoint Sensor Investigation Widget

  1. Open the Control Manager management console.
  2. Go to the tab where the Endpoint Sensor Investigation widget has been added.
  3. In the Endpoint Sensor Investigation widget, click Start a New Investigation, and then click Historical Records or System Snapshot, depending on the type of investigation you plan to run.
  4. In the screen that appears, specify the required information.

    For details, see Running an Investigation.

    The Endpoint Sensor Investigation widget also supports importing C&C callback events as investigation criteria.

    1. On the Endpoint Sensor Investigation widget, click Start a New Investigation > Historical Records.
    2. Select Retro Scan as the investigation method.
    3. Click Import from C&C Callback Events.
    4. On the screen that appears, select the C&C callback events that need to be investigated, and click OK. The events will be added as investigation criteria.
  5. Click Investigate.

    The screen refreshes and displays the progress of the investigation.

    Note: To stop an ongoing investigation, click Cancel.

  6. Once the investigation is finished, the widget shows the number of endpoints classified as Matched, Safe, Pending or Cancelled during the investigation. Click the result of each classification to view more details.