Running an Investigation

On the New Investigation screen, perform the following steps.

Specify a unique Name for the investigation.
Specify a Period.
Endpoint Sensor performs the investigation on events that occurred during the period specified. The following options are available:
- All logged dates performs the investigation on all data, regardless of date.
- Custom range limits the investigation to a specific time period.
Select a Target.
Endpoint Sensor performs the investigation on all endpoints by default. However, to perform the investigation on specific endpoints only, click to show the Select Targets screen. This screen allows you to choose which endpoints to include in the investigation.

For details, see Selecting Targets.
Specify Tags.
Tags are user defined strings used to identify this investigation. Type multiple tags by separating each individual tag with a comma. These tags appear in the Results screen table and are useful in locating your investigation later.
Specify a Schedule to set how often the investigation repeats.
The following options are available:
- Run Once: The investigation runs only once.
- Repeat: The investigation starts on the specified Start date and repeats on a daily, weekly or monthly basis, until the specified End date is reached.
  
  For details, see Adding a Schedule.
Select an investigation method and specify valid criteria.
- For methods applicable for Historical Records, see Investigating Historical Records.
- For methods applicable for System Snapshot, see Investigating System Snapshots.

Once the investigation starts, Endpoint Sensor updates the following screens:

The investigation is added to the Results screen.

For details, see Investigation Results.
If the investigation recurrence has been set to Repeat, the given schedule name appears in the Schedule screen.

For details, see Managing Schedules.
Data from finished investigations is added to the Dashboard screen.

For details, see Dashboard.