Views:
Use the Investigation Results screen to get a quick overview of the investigation results. This screen is accessible from the following locations:
  • On the One Time Investigation tab, click the investigation Name.
  • On the Scheduled Investigation tab, click the investigation Name, and then click a value in the Matched Endpoints column.
This screen displays the following information:
  • A doughnut chart that shows the number of total endpoints already classified as Matched, No Match, Queued or Cancelled
    A summary of the totals is given on the left of the chart. This summary updates in real time as the investigation progresses.
    Icon
    Label
    Description
    circle-red=GUID-17CE6D87-9463-4085-A09D-C0BF47120193=1=en-us=Low.png
    Matched
    Number of investigated endpoints containing a matching object
    circle-green=GUID-17A7A4AC-2C6E-4F36-99F9-DDBE1F95A843=1=en-us=Low.png
    No match
    Number of investigated endpoints that did not have a matching object
    circle-blue-120=GUID-571BBFC6-8DAE-47E5-A070-333B17FBCDBC=1=en-us=Low.png
    Queued
    Number of endpoints still to be investigated.
    An investigation is complete once there are no more queued endpoints to investigate.
    circle-grey=GUID-F2F8864C-5529-4A9C-B095-1C17A2CC281C=1=en-us=Low.png
    Cancelled
    Number of endpoints not investigated.
    This may be due to user cancellation, system error, or endpoint timeout.
  • Parameters used when the investigation was created.
    Click Criteria to review the search conditions used by the investigation.
  • A table of results which provides more details about each endpoint included in the investigation.
    This table groups the endpoints into tabs based on the investigation status. This table displays the following details:
    Column Name
    Description
    Asterisk (*)
    Indicates an endpoint tagged as Important
    Endpoint
    Name of the endpoint containing the matching object
    Click the Endpoint name to view more details about the endpoint.
    IP Address
    IP address of the endpoint containing the matching object
    The IP address is assigned by the network.
    Operating System
    Operating system used by the endpoint
    User
    User name of the user logged in when the Endpoint Sensor agent first logged the matched object
    Click the user name to view more details about the user.
    Match Details
    Click to view details of the match.
    Root Cause Analysis
    Click to view the Root Cause Analysis screen.
    Note
    Note
    Root Cause Analysis results are only available for YARA rules.
    Because Live Investigations run on the current system state, some files and registry entries may be locked or in use during this period. Root Cause Analysis results are not available for investigations using OpenIOC rules or registry search.
    Elapsed
    Time elapsed since the investigation started.
Related information