Using Custom Criteria for Threat Investigation

  1. Go to DETECTION & RESPONSE > Threat Investigation.
  2. Click Advanced.
  3. Select User-defined.
  4. Specify the data period for the investigation.
  5. Select one of the following options:
    • Match ANY criteria: Find objects matching any of the criteria specified

    • Match ALL criteria: Find objects matching all of the criteria specified

  6. Click New criteria, select a criteria type, and specify valid information.

    For details, see Supported Formats for Custom Criteria.

    To save your criteria for future investigations, click the save icon.

  7. (Optional) To load existing custom criteria, click Saved Criteria.
    1. Select the criteria to load.
    2. Click Apply Criteria.
  8. Click Assess Impact.

    The Matched Endpoints section appears. Allow some time for the investigation to run.

  9. Check the results in the Matched Endpoints section.

    The following details are available for each matched endpoint:

    • Endpoint: Name of the endpoint containing the matching object

    • IPv4 Address: IP address of the endpoint containing the matching object

      The IP address is assigned by the network.

    • Operating System: Operating system used by the endpoint

    • User: User name of the user logged in when the Security Agent first logged the matched object

      Click the user name to view more details about the user.

    • First Seen: Date and time when the Security Agent first logged the matched object

    • Details: Click the icon to open the Match Details screen.

      The Match Details screen displays the following details:

      • Criteria: Criteria used in the assessment

      • First Seen: Date and time when the Security Agent first logged the matched object

      • CLI/Registry Occurrences: Number of matches found in command line or registry entries

        Click the value to show more details.

      • Affected Endpoints: If the rating is malicious, the number of endpoints where a similar match was found

        The count only includes endpoints affected within the last 90 days.

  10. To review the sequence of events leading to the execution of the matched object, select the endpoints that require further analysis and click Generate Root Cause Analysis.

    The Generate Root Cause Analysis screen appears.

  11. Specify a name for the root cause analysis and click Generate.
  12. Click the Root Cause Analysis tab to check the results. Allow some time for the task to complete.
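The following is an added example, not code from the product or this documentation: a small offline model of what the Assess Impact step computes from Security Agent logs (steps 5 through 9 above). The observation records, the three criteria types (file SHA-1, command-line substring, registry path substring), the field names and the "similar match" rule for Affected Endpoints are all assumptions made for the example; the Supported Formats document referenced above defines the real criteria types. It shows the difference between Match ANY and Match ALL, the data-period filter, First Seen and User taken from the earliest matching sighting, the CLI/Registry occurrence count, and the 90-day window on Affected Endpoints (the malicious rating mentioned on the page is not modelled).

```python
from datetime import datetime, timedelta

# Constructed Security Agent observations for this example (not product data).
# Each record is one sighting of an object on an endpoint; the fields are assumptions.
OBSERVATIONS = [
    {"endpoint": "WS-001", "ip": "10.0.0.11", "os": "Windows 10", "user": "alice",
     "seen": "2024-05-01T09:12:00", "sha1": "AB12", "cmdline": "cmd.exe /c whoami",
     "registry": ""},
    {"endpoint": "WS-001", "ip": "10.0.0.11", "os": "Windows 10", "user": "bob",
     "seen": "2024-05-03T14:30:00", "sha1": "AB12", "cmdline": "",
     "registry": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"endpoint": "WS-002", "ip": "10.0.0.12", "os": "Windows 11", "user": "carol",
     "seen": "2024-05-02T08:05:00", "sha1": "CD34", "cmdline": "cmd.exe /c whoami",
     "registry": ""},
    {"endpoint": "WS-003", "ip": "10.0.0.13", "os": "Windows 10", "user": "dave",
     "seen": "2024-01-15T11:00:00", "sha1": "AB12", "cmdline": "cmd.exe /c whoami",
     "registry": ""},  # outside both the data period and the 90-day window used below
]


def matches(criterion, obs):
    """Criteria are (type, value) pairs; these three types are assumed for the example."""
    ctype, value = criterion
    if ctype == "sha1":
        return obs["sha1"].lower() == value.lower()
    if ctype == "cmdline":
        return value.lower() in obs["cmdline"].lower()
    if ctype == "registry":
        return value.lower() in obs["registry"].lower()
    raise ValueError(f"unsupported criteria type: {ctype}")


def assess_impact(observations, criteria, mode, period_start, period_end, now):
    """Model of Assess Impact: returns {endpoint: row} in the Matched Endpoints layout.

    mode is "ANY" (object matches at least one criterion) or "ALL" (object matches every one).
    """
    if not criteria:
        raise ValueError("at least one criterion is required")
    needed = 1 if mode == "ANY" else len(criteria)

    # Every sighting that satisfies the criteria, regardless of period.
    matched = []
    for obs in observations:
        hit = frozenset(c for c in criteria if matches(c, obs))
        if len(hit) >= needed:
            matched.append((obs, datetime.fromisoformat(obs["seen"]), hit))

    # One row per endpoint, built only from sightings inside the data period (step 4).
    rows = {}
    for obs, seen, hit in matched:
        if not (period_start <= seen <= period_end):
            continue
        row = rows.setdefault(obs["endpoint"], {
            "endpoint": obs["endpoint"], "ip": obs["ip"], "os": obs["os"],
            "user": obs["user"], "first_seen": seen, "criteria": set(),
            "cli_registry_occurrences": 0, "affected_endpoints": 0})
        if seen < row["first_seen"]:  # User is whoever was logged in at the first sighting
            row["first_seen"], row["user"] = seen, obs["user"]
        row["criteria"].update(hit)
        if obs["cmdline"] or obs["registry"]:  # match came from a CLI or registry entry
            row["cli_registry_occurrences"] += 1

    # Affected Endpoints: endpoints with a similar match (sharing at least one of the
    # row's matched criteria) seen within the last 90 days, the row's own endpoint included.
    cutoff = now - timedelta(days=90)
    for row in rows.values():
        similar = {obs["endpoint"] for obs, seen, hit in matched
                   if seen >= cutoff and hit & row["criteria"]}
        row["affected_endpoints"] = len(similar)
    return rows


if __name__ == "__main__":
    crit = [("sha1", "ab12"), ("cmdline", "whoami")]
    window = (datetime(2024, 4, 1), datetime(2024, 5, 10), datetime(2024, 5, 10))
    for mode in ("ANY", "ALL"):
        print(f"Match {mode} criteria:")
        for r in assess_impact(OBSERVATIONS, crit, mode, *window).values():
            print(f"  {r['endpoint']:7} {r['ip']:10} {r['user']:6} first seen {r['first_seen']}"
                  f"  CLI/registry {r['cli_registry_occurrences']}"
                  f"  affected {r['affected_endpoints']}")
```

With the constructed data, Match ANY lists WS-001 and WS-002, while Match ALL lists only WS-001, because only its first sighting matches both the hash and the command line; WS-003 never appears because its sighting is outside the investigation period and older than 90 days.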