Supported Formats for Custom Criteria

Each criteria type below is followed by the item format it accepts.

FQDN / IP address / Hostname

Specify the FQDN, IP address, or hostname of the remote endpoint to identify network connections made by the investigated endpoint.

Note:

The IPv6 format is not supported.

Examples:

  • cncserver.com

  • malicioussite.com

  • 192.168.0.1

User name

Specify the name of the Active Directory account or local user.

Examples:

  • jane_smith

Note:

Use the local user account name only (<user name>). Do not include the domain name.

File name

Specify the full file name, including the extension.

Example:

  • filename.exe

File hash value

Specify the hash value of a file.

Example:

  • SHA-1: a2da9cda33ce378a21f54e9f03f6c0c9efba61fa
  • SHA-256: D9FCB47915363186AEC3EF3EDAE0D92AC452BFA5A41C81D5E714E45583600561

File directory

Specify the full path, excluding the file name.

Example:

  • c:\windows\system32\wbem\

Note:

Do not include the file name.

Registry key / Registry value name / Registry value data

Specify the full or partial registry key, value name, or value data.

Note:

  • Trend Micro only records the activity of important registry locations to reduce the resource impact on the endpoint.

  • Do not specify SID values as registry criteria. Investigations do not support SID values as custom registry criteria.

  • Using registry data as investigation criteria has the following limitations:

    • Each entry must have at least 2 characters.

    • Entries cannot contain spaces.

Examples:

  • Registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • Registry value name

    RunTestExe

  • Registry value data

    "c:\test\run_test.exe" -abc

CLI command

Specify the command line parameters.

Note:

Using command line as investigation criteria has the following limitations:

  • Each entry must have at least 2 characters.

  • Entries cannot contain spaces.

Examples:

  • "C:\7z.exe" a "c:\log\test.7z" "c:\log\test.log"

  • taskhostw.exe -RegisterDevice -ProtectionStateChanged -FreeNetworkOnly
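As an added example (not part of this documentation and not Trend Micro's own code), the following Python helper applies the format rules listed above to a batch of candidate criteria before they are entered into an investigation: it rejects IPv6 literals for endpoints, strips a domain prefix or suffix from user names, separates a file name from its directory, checks that hashes are 40-hex SHA-1 or 64-hex SHA-256 values, enforces the two-character minimum for registry and command-line entries, and flags SID-shaped strings in registry criteria. The type labels, the CheckResult structure, and the sample batch are assumptions of this example. It does not enforce the note that entries cannot contain spaces, since how the product tokenizes multi-word entries such as the command-line examples above is not specified here.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# Criteria type labels used by this example (assumed names, not product identifiers).
ENDPOINT, USER, FILE_NAME, FILE_HASH, FILE_DIR, REGISTRY, CLI = (
    "endpoint", "user", "file_name", "file_hash", "file_directory", "registry", "cli",
)

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Shape of a Windows security identifier (S-1-5-21-...), which the table says
# must not be used as registry criteria.
SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b", re.IGNORECASE)


@dataclass
class CheckResult:
    ctype: str
    original: str
    normalized: str  # value to submit, after any mechanical fix-up
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_criterion(ctype: str, value: str) -> CheckResult:
    """Validate one entry against the table's rules; normalise it where the fix is mechanical."""
    v = value.strip()
    r = CheckResult(ctype, value, v)
    if not v:
        r.problems.append("entry is empty")
        return r

    if ctype == ENDPOINT:
        try:
            if ipaddress.ip_address(v).version == 6:
                r.problems.append("IPv6 addresses are not supported")
        except ValueError:
            pass  # not an IP literal, so treat it as an FQDN or hostname
    elif ctype == USER:
        # DOMAIN\user or user@domain: the table wants the local account name only.
        if "\\" in v:
            r.normalized = v.rsplit("\\", 1)[1]
            r.problems.append("domain prefix removed; use the local account name only")
        elif "@" in v:
            r.normalized = v.split("@", 1)[0]
            r.problems.append("domain suffix removed; use the local account name only")
    elif ctype == FILE_NAME:
        if "\\" in v:
            r.normalized = v.rsplit("\\", 1)[1]
            r.problems.append("directory removed; specify the file name only")
        if "." not in r.normalized:
            r.problems.append("include the file extension")
    elif ctype == FILE_HASH:
        if not (SHA1_RE.match(v) or SHA256_RE.match(v)):
            r.problems.append("expected a 40-hex SHA-1 or 64-hex SHA-256 value")
    elif ctype == FILE_DIR:
        if not v.endswith("\\"):
            last = v.rsplit("\\", 1)[-1]
            if "." in last:
                # Trailing component looks like a file name: drop it, keep the directory.
                r.normalized = v[: len(v) - len(last)]
                r.problems.append("file name removed; specify the directory only")
            else:
                r.normalized = v + "\\"  # directory given without its trailing separator
    elif ctype in (REGISTRY, CLI):
        if len(v) < 2:
            r.problems.append("entry must have at least 2 characters")
        if ctype == REGISTRY and SID_RE.search(v):
            r.problems.append("SID values are not supported as registry criteria")
    else:
        r.problems.append(f"unknown criteria type {ctype!r}")
    return r


def check_batch(entries):
    """Check a list of (type, value) pairs and return one CheckResult per entry."""
    return [check_criterion(t, v) for t, v in entries]


if __name__ == "__main__":
    # Constructed sample batch mixing acceptable entries with common mistakes.
    sample = [
        (ENDPOINT, "cncserver.com"),
        (ENDPOINT, "2001:db8::1"),
        (USER, "CORP\\jane_smith"),
        (FILE_NAME, "c:\\windows\\filename.exe"),
        (FILE_HASH, "a2da9cda33ce378a21f54e9f03f6c0c9efba61fa"),
        (FILE_DIR, "c:\\windows\\system32\\wbem\\sample.exe"),
        (REGISTRY, "HKEY_USERS\\S-1-5-21-1111-2222-3333-500\\Software"),
    ]
    for res in check_batch(sample):
        status = "ok " if res.ok else "FIX"
        print(f"{status} {res.ctype:14} {res.original!r} -> {res.normalized!r} {res.problems}")
```

Entries whose only problem is a mechanical one (a domain prefix, a directory on a file name, a file name on a directory) come back with the corrected value in `normalized`, so the list can be fixed and resubmitted without retyping; entries that fail a hard rule (IPv6, a malformed hash, a SID in a registry path) have no usable normalized form and must be dropped or rewritten.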