Analysis Chains | Trend Micro Service Central

Views:

The Analysis Chains tab displays the Root Cause Analysis and also highlights additional information which might be beneficial to the investigation.

Threat Investigations can correlate information from Endpoint Sensor, Cloud App Security, and Active Directory to display attack information about an endpoint, user account, and possible email attack vectors throughout your network.

Information

Description

Target Endpoint

Displays details about the endpoint that was investigated

Click the endpoint name and user name to view details.

Click Isolate Endpoint to disconnect the endpoint from the network. During isolation, the agent can only communicate with the server.

Note

After resolving the security threats on an isolated endpoint, the following locations on the Directories → Users/Endpoints screen provides options to restore the network connection of an isolated endpoint:

Endpoints → All: Click the name of an endpoint in the table, and click Task → Restore on the screen that appears.
Endpoints → Filters → Network Connection → Isolated: Select the endpoint row in the table, and click Task → Restore Network Connection.

First Observed Object

The first object in the analysis chain suspected to have been responsible for the creation of the investigated object.

This is often the entry point of a targeted attack.

Hover over an object and click

search=GUID-4AC54D99-CE4B-43E1-93F2-B717AFF1EAC5=1=en-us=Low.png

to locate the object in the Analysis Chain.

Matched Objects

Displays the object or a list of objects matching the investigation criteria

Hover over an object and click

to locate the object in the Root Cause Analysis.

Noteworthy Objects

Highlights objects in the chain that are possibly malicious, based on existing Trend Micro intelligence

The value counts the number of unique noteworthy objects in the chain.

Click to view the list of noteworthy objects.

Hover over an object and click

to locate the object in the Analysis Chain.

Root Cause Analysis area

Displays a visual analysis of the objects involved in an event

Note

If the number of nodes in the analysis chain exceeds the presentation limit, only the main analysis chains are displayed. To avoid this issue, refine the investigation criteria.

Click any available node to view more information about the selected object.

For more information on how to interpret Analysis Chains, see:

Object Details: Profile Tab

Note

The Profile tab is the default view if no other tabs are available for a selected object.
Object Details: Related Objects Tab
Email Message Correlation
Navigating the Analysis Chain
Root Cause Analysis Icons

Note

To export the data, click export=GUID-8F04F6E4-5B5D-4C5B-9EAD-5E82284BB174=1=en-us=Low.png

and perform one of the following:

Select Analysis Chains to export all root cause chains as .png files.
Select Object Details to export all data as CSV files.