Use the Investigation Results screen to get a quick overview of the investigation results. This screen is accessible from the following locations:
- On the One Time Investigation tab, click the investigation Name
- On the Scheduled Investigation tab, click the investigation Name, and then click a value in the Matched Endpoints column
This screen displays the following information:
- A doughnut chart that shows the number of total endpoints already classified as Matched, No Match, Queued, or Cancelled. A summary of the totals is given to the left of the chart. This summary updates in real time as the investigation progresses.

  | Label | Description |
  |---|---|
  | Matched | Number of investigated endpoints containing a matching object |
  | No Match | Number of investigated endpoints that did not have a matching object |
  | Queued | Number of endpoints still to be investigated. An investigation is complete once there are no more queued endpoints to investigate. |
  | Cancelled | Number of endpoints not investigated. This may be due to user cancellation, system error, or endpoint timeout. |
- Parameters used when the investigation was created. Click Criteria to review the search conditions used by the investigation.
- A table of results that provides more details about each endpoint included in the investigation. This table groups the endpoints into tabs based on the investigation status and displays the following details:

  | Column Name | Description |
  |---|---|
  | Asterisk ( ✱ ) | Indicates an endpoint tagged as Important |
  | Endpoint | Name of the endpoint containing the matching object. Click the Endpoint name to view more details about the endpoint. |
  | IP Address | IP address of the endpoint containing the matching object. The IP address is assigned by the network. |
  | Operating System | Operating system used by the endpoint |
  | User | User name of the user logged in when the Endpoint Sensor agent first logged the matched object. Click the user name to view more details about the user. |
  | Match Details | Click to view details of the match. |
  | Root Cause Analysis | Click to view the Root Cause Analysis screen. |
  | Elapsed | Time elapsed since the investigation started. |

  Note: Root cause analysis results are only available for YARA rules. Because detailed investigations run on the current system state, some files and registry entries may be locked or in use during this period. Root Cause Analysis results are not available for investigations using OpenIOC rules or registry search. To generate a root cause analysis using OpenIOC rules or registry data, use a preliminary investigation. For details, see Starting a Root Cause Analysis from an Assessment.