Investigations locate occurrences of a suspicious object in specified endpoints. They are used to assess the extent of damage caused by targeted attacks on endpoints and servers. They also provide information on the arrival and progression of an attack. This information is useful in planning an effective security incident response.

Endpoint Sensor classifies investigations according to source:

  • A Historical records investigation performs the investigation on historical events. Historical records are useful in analyzing the timeline of an attack.

  • A System snapshot investigation performs the investigation on the target's current state.

To start an investigation using your preferred source, click Investigation, and select New Investigation under the correct classification.