- Go to Response > Detailed Investigation.
- Click the Scheduled Investigation tab.
- Click New Investigation.
- Specify a Name for this investigation.
- Select a Method based on what objects need to be matched:
  - Scan disk files using OpenIOC: objects on the disk that match the rules provided in an OpenIOC file.
    Note: After selection, Endpoint Sensor displays a preview of the OpenIOC file. Review the preview to verify that the OpenIOC file contains supported indicators and conditions. Unsupported combinations are formatted with a strike-through and are ignored during the investigation. For more information, see Supported IOC Indicators for Real-Time Investigations.
  - Scan in-memory processes using YARA: objects currently in memory that match the rules provided in a YARA file.
  - Search registry: registry keys, names and data that match criteria defined by the user.
- Click Select Endpoints and specify which endpoints to include in the investigation.
  Note: The Target Endpoints screen may not show all endpoints selected for the investigation.
  - A user can only view endpoints where he has been granted sufficient access rights.
  - Endpoints running macOS are also not shown. Investigations do not support macOS endpoints as valid investigation targets.
- Specify a schedule for this investigation.
  - Period: Specify a starting and ending date for the investigation. The investigation only runs within the dates provided. The default period is set to one month.
  - Frequency: Specify how often the investigation repeats during the duration of the schedule. The default frequency is set to Daily at 08:00.
- Click Start Investigation.
To view the results and monitor the progress of scheduled investigations:
- Go to Response > Detailed Investigation.
- Click the Scheduled Investigation tab. For details, see Scheduled Investigation.
- To view details for each schedule run, click the investigation name to open the Scheduled Investigation History screen. For details, see Reviewing the Scheduled Investigation History.