Threat Investigation Overview

Note:

This feature requires special licensing.

Threat investigations use server metadata to quickly identify endpoints which are possible candidates for further analysis.

The following table describes the tabs on the Threat Investigation screen.

Tab	Description
Assessment	Use an assessment to perform the following: Evaluate the prevalence of a threat, and how long the threat has been in the network. The assessment goes through all historical data. Determine the existence of a threat using simple criteria. Assessments support only a limited set of criteria. Threat Investigation provides the following types of assessment: Quick: Specify file hash values, IP addresses, or domains in Quick Assessment and click Assess Impact. Advanced: Advanced Assessment supports the following criteria types: Custom criteria: Specify up to ten criteria. For details, see Using Custom Criteria for Threat Investigation. OpenIOC file: Use OpenIOC rules to define investigation criteria. For details, see Using OpenIOC Files for Threat Investigation. (Worry-Free Services Advanced only) To switch to Email Assessment, click Emails. For more information, see Threat Investigation - Email Assessment.
Root Cause Analysis	If an assessment returns a match, administrators may generate a Root Cause Analysis to: List all related objects to the specified criteria Identify if any of the related objects are noteworthy Review the sequence of events leading to the execution of the matched object. Generating a Root Cause Analysis may take some time to complete. Use the Root Cause Analysis tab to monitor the progress of the task. When the task completes, click the number in the Results column to view analysis results.

Tab

Description

Assessment

Use an assessment to perform the following:

Evaluate the prevalence of a threat, and how long the threat has been in the network. The assessment goes through all historical data.
Determine the existence of a threat using simple criteria. Assessments support only a limited set of criteria.

Threat Investigation provides the following types of assessment:

Quick: Specify file hash values, IP addresses, or domains in Quick Assessment and click Assess Impact.
Advanced: Advanced Assessment supports the following criteria types:
- Custom criteria: Specify up to ten criteria.
  
  For details, see Using Custom Criteria for Threat Investigation.
- OpenIOC file: Use OpenIOC rules to define investigation criteria.
  
  For details, see Using OpenIOC Files for Threat Investigation.

(Worry-Free Services Advanced only) To switch to Email Assessment, click Emails.

Root Cause Analysis

If an assessment returns a match, administrators may generate a Root Cause Analysis to:

Generating a Root Cause Analysis may take some time to complete. Use the Root Cause Analysis tab to monitor the progress of the task.

When the task completes, click the number in the Results column to view analysis results.