Using OpenIOC Files for Threat Investigation

  1. Go to DETECTION & RESPONSE > Threat Investigation.
  2. Click Advanced.
  3. Select OpenIOC file.
    Note:

    Using OpenIOC files in Historical Investigations has the following limitations:

    • Only one OpenIOC file can be loaded at a time.

    • The only supported condition is IS. Entries using other conditions are ignored and marked with a strikethrough.

    • The only supported indicators are the indicators that are applicable to the collected metadata. Entries using unsupported indicators are ignored and marked with a strikethrough.

      For details, see Supported IOC Indicators.

  4. Specify the data period for the investigation.
  5. To upload and investigate using a new OpenIOC file:
    1. Click Upload OpenIOC File.
    2. Select a valid OpenIOC file.
    3. Click Open.
  6. To investigate using an existing OpenIOC file:
    1. Click Use Existing OpenIOC File.
    2. Select a file.
    3. Click Apply.
  7. Click Assess Impact.

    The Matched Endpoints section appears. Allow some time for the investigation to run.

  8. Check the results in the Matched Endpoints section.

    The following details are available:

    Column Name

    Description

    Endpoint

    Name of the endpoint containing the matching object

    IPv4 Address

    IP address of the endpoint containing the matching object

    The IP address is assigned by the network

    Operating System

    Operating system used by the endpoint

    User

    User name of the user logged in when the Security Agent first logged the matched object

    Click the user name to view more details about the user.

    First Seen

    Date and time when the Security Agent first logged the matched object

    Details

    Click the icon to open the Match Details screen.

    The Match Details screen displays the following details:

    • Criteria: Criteria used in the assessment

    • First Seen: Date and time when the Security Agent first logged the matched object

    • CLI/Registry Occurrences: Number of matches found in command line or registry entries

      Click the value to show more details.

    • Affected Endpoints: If the rating is malicious, the number of endpoints where a similar match was found

      The count only includes endpoints affected within the last 90 days.
  9. To review the sequence of events leading to the execution of the matched object, select the endpoints that require further analysis and click Generate Root Cause Analysis.

    The Generate Root Cause Analysis screen appears.

  10. Specify a name for the root cause analysis and click Generate.
  11. Click the Root Cause Analysis tab to check the results. Allow some time for the task to complete.
Parent topic: Threat Investigation