Using Custom Criteria for Threat Investigation

  1. Go to Threat Investigation.
  2. Click New Assessment.
  3. Specify a name and time period for the investigation.
  4. Select Custom criteria.
  5. Select one of the following options:
    • Match any of the following: Find objects matching any of the criteria specified

    • Match all of the following: Find objects matching all criteria specified

  6. Click Add criteria, select a criteria type, and specify valid information.

    For details, see Supported Formats for Custom Criteria.

  7. Click Assess.

    A new investigation task appears in the first row of the assessment list. Allow some time for the investigation to run.

  8. Once the investigation completes, click the number in the Matched Endpoints column to check the results.

    The following details are available:

    Column Name



    Name of the endpoint containing the matching object


    Current connection status of the endpoint

    IP Address

    IP address of the endpoint containing the matching object

    The IP address is assigned by the network

    Operating System

    Operating system used by the endpoint

    Matched Objects

    Number of matched objects found in the investigation

    First Logged

    Date and time when the Endpoint Sensor agent first logged the matched object

  9. To review the sequence of events leading to the execution of the matched object, select the endpoints that require further analysis and click Generate Root Cause Analysis.

    The Generate Root Cause Analysis screen appears.

  10. Specify a name for the root cause analysis and click Generate.
  11. Click the Root Cause Analysis tab to check the results. Allow some time for the task to complete.