Supported Formats for Custom Criteria

Type	Item
FQDN / IP address / Hostname	Specify the remote endpoint FQDN, IP address, or hostname to identify network connections that the investigated endpoint made Note: The IPv6 format is not supported. Examples: cncserver.com malicioussite.com 192.168.0.1
User name	Specify the name of the Active Directory account or local user Examples: jane_smith Note: Use the local user account name only (<user name>). Do not include the domain name.
File name	Specify the full file name including extension Example: filename.exe
File hash value	Specify the hash value of a file. Example: `SHA-1: a2da9cda33ce378a21f54e9f03f6c0c9efba61fa` `SHA-256: D9FCB47915363186AEC3EF3EDAE0D92AC452BFA5A41C81D5E714E45583600561`
File directory	Specify the full path excluding file name Example: c:\windows\system32\wbem\ Note: Do not include the file name.
Registry key	Specify the full or partial registry key, value name, or value data Note: Trend Micro only records the activity of important registry locations to reduce the resource impact on the endpoint. Do not specify SID values as registry criteria. Investigations do not support SID values as custom registry criteria. Using registry data as investigation criteria has the following limitations: Each entry must have at least 2 characters. Entries cannot contain spaces. Examples: Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry value name RunTestExe Registry value data "c:\test\run_test.exe" –abc
Registry value name
Registry value data
CLI command	Specify the command line parameters. Note: Using command line as investigation criteria has the following limitations: Each entry must have at least 2 characters. Entries cannot contain spaces. Examples: "C:\7z.exe" a "c:\log\test.7z" "c:\log\test.log" taskhostw.exe -RegisterDevice -ProtectionStateChanged -FreeNetworkOnly