Root Cause Chain

The Root Cause Chain screen displays a visual analysis of the objects involved in an event.

The following example shows the root cause chain for a Retro Scan investigation. The investigation tries to locate all objects that use the file name notepad.

  1. Review the root cause chain.

    The root cause chain may contain multiple results for one endpoint. The root cause chain uses icons to represent the objects by type.

    For details, see Root Cause Chain Icons.

    The following objects are shown in red:

    • The matched object. This is the object that meets the search criteria set by the investigation.

    • All the dependencies of the matched object. These are the objects required to run the matched object.

    All other objects in the chain (that did not contribute to the execution of the matched object) are shown in blue. Objects that branch out of the matched object are also shown in blue.

  2. Review all the objects (both red and blue). If one of the objects appears suspicious, select the object and perform any of the following:
    • Use the tooltip on the left to review the details of the selected object. These details come from the Object List screen. For details, see Recorded Objects.

    • Use the following options on the right to manage the objects shown in the root cause chain:
      Table 1. Customization Options for the Root Cause Chain
      Option        Description
      Get more      Appends a new branch to the selected object.
      Expand        Expands the selected object to show objects affected further down the chain.
      Expand All    Expands all the branches in the root cause chain to show objects affected further down the chain.
      Collapse      Hides the expanded branch of the selected object. This option appears only if the object has an expanded branch.
      Collapse all  Hides all the expanded branches. This option appears only if at least one object has an expanded branch.

    • Use the following options on the right to collect objects for later investigation by adding them to the Interested Objects list.
      Table 2. Options for Interested Objects
      Option                               Description
      Add to interested objects list       Adds the object as a new item in the Interested Objects list.
      Remove from interested objects list  Removes the object from the Interested Objects list.
      Remove from root cause chain         Unmarks the object as suspicious and turns the icon blue.
      Add to root cause chain              Marks the object as suspicious and turns the icon red.

      To add or remove objects from the Interested Objects list, click Actions.

  3. Once the suspicious files have been narrowed down, initiate a new investigation.
    • To initiate an investigation for a single object, click the object and select Investigate further. This initiates a new investigation using the selected object as a search condition.

    • To initiate an investigation for the Interested Objects list, select at least one object, and click Actions. From the options, select Investigate further to initiate an investigation that uses all the selected objects in the list.

  4. The new investigation creates another root cause chain. Repeat the review until the analysis is complete.
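The red/blue rule from step 1 (the matched object and every object required to run it are red; everything else in the chain, including objects branching out of the match, is blue) and the "Investigate further" step, as an added Python example that is not part of the product or of this documentation. The event pairs and object names are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample telemetry, not product data: each pair (cause, effect)
# means the cause object was required to run or create the effect object.
SAMPLE_EVENTS = [
    ("explorer.exe", "cmd.exe"),
    ("cmd.exe", "notepad.exe"),
    ("svchost.exe", "notepad.exe"),   # a second dependency of the matched object
    ("notepad.exe", "readme.txt"),    # branches out of the matched object
    ("notepad.exe", "helper.dll"),
    ("explorer.exe", "chrome.exe"),   # unrelated branch on the same endpoint
    ("chrome.exe", "download.exe"),
]

def build_chain(events):
    """Index the events as parent and child adjacency sets."""
    parents, children = defaultdict(set), defaultdict(set)
    for cause, effect in events:
        parents[effect].add(cause)
        children[cause].add(effect)
    objects = set(parents) | set(children)
    return parents, children, objects

def dependencies(obj, parents):
    """Every object required to run obj: its transitive ancestors."""
    seen, stack = set(), [obj]
    while stack:
        for parent in parents[stack.pop()]:
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen

def classify(events, matches):
    """Map each object to 'red' (matched object or one of its dependencies)
    or 'blue' (everything else, including objects branching out of the match)."""
    parents, _children, objects = build_chain(events)
    red = {obj for obj in objects if matches(obj)}
    for matched in list(red):
        red |= dependencies(matched, parents)
    return {obj: "red" if obj in red else "blue" for obj in objects}

def investigate_further(events, interested):
    """Step 3: start a new investigation using the selected objects as the search condition."""
    return classify(events, lambda obj: obj in set(interested))

if __name__ == "__main__":
    for obj, color in sorted(classify(SAMPLE_EVENTS, lambda o: "notepad" in o).items()):
        print(f"{color:4}  {obj}")
```

Running it with the "notepad" search condition marks notepad.exe and its three ancestors red, while the two files it branches out to and the unrelated chrome.exe branch stay blue.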

Note: Use the following options to navigate the root cause chain:

  • Use the Contents list to view all objects shown in red. The objects are organized according to the root cause chain they belong to. Click an item in the Contents list to center that item on the root cause chain area.

  • To increase the space available for the root cause chain area, click the respective hide icons to hide the Interested Objects list and the Contents list.

  • Use the Current Screen to determine the location of the object in relation to the area of the root cause chain.
    • The gray box represents the full area of the root cause chain. This box expands as more branches are added to the initial root cause chain.

    • The box with the blue outline represents the current area being viewed. If the screen is resized, this box resizes to match the new screen size.