Views:

Type

Item

Host

Endpoint name: Specify an endpoint name

FQDN: Specify a Fully Qualified Domain Name accessed by an endpoint.

Examples:

  • cncserver.com

  • malicioussite.com

IP address: Specify an IPv4 address accessed by an endpoint.

Example:

  • 192.168.0.1

    Note:

    The IPv6 format is not supported.

User account

Specify the name of the Active Directory account or local user.

Examples:

  • jane_smith

Note:

Use the local user account name only (<user name>). Do not include the domain name.

File name

Specify the full file name and file extension.

Example:

  • filename.exe

File path

Specify the full path.

Example:

  • c:\windows\system32\wbem\
Note:

Do not include the file name.

Hash value

Specify the hash value of a file.

Example:

  • SHA-1: a2da9cda33ce378a21f54e9f03f6c0c9efba61fa
Note:

Endpoint Sensor records SHA-1 values only by default. To use SHA-256 or MD5 hash values, update the agent policy to include additional hash types.

Registry key

Specify the full or partial registry key, name or data.

Note:

  • The criteria is matched against autorun registry entries only.

  • Do not specify SID values as registry criteria. Investigations do not support SID values as custom registry criteria.

  • Using registry data as investigation criteria has the following limitations:

    • A criteria can contain up to 10 entries.

    • Each entry must have at least 2 characters.

    • Entries cannot contain spaces.

Registry name

Registry data

Command line

Specify the command line parameters, and press ENTER to add an entry.

Note:

Using command line as investigation criteria has the following limitations:

  • A criteria can contain up to 10 entries.

  • Each entry must have at least 2 characters.

  • Entries cannot contain spaces.
Parent topic: Using Custom Criteria for Preliminary Investigation