Views:

Procedure

  1. Go to ResponseLive Investigation.
  2. Click the One Time Investigation tab.
  3. Click New Investigation.
  4. Specify a Name for this investigation.
  5. Select a Method based on what objects need to be matched:
    • Scan disk files using OpenIOC: objects on the disk that match the rules provided in an OpenIOC file
      Note
      Note
      After selection, Endpoint Sensor displays a preview of the OpenIOC file. Review the preview to verify if the OpenIOC file contains supported indicators and conditions. Unsupported combinations are formatted with a strike-through and are ignored during the investigation.
    • Scan in-memory processes using YARA: objects currently in memory that match the rules provided in a YARA file
    • Search registry: registry keys, names and data that match criteria defined by the user
  6. Click Select Endpoints and specify which endpoints to include in the investigation.
    Note
    Note
    The Target Endpoints screen may not show all endpoints selected for the investigation.
    • A user can only view endpoints where he has been granted sufficient access rights.
    • Only available for Security Agents installed on Windows platforms.
  7. Click Start Investigation.
  8. To view the results and monitor the progress of one-time investigations:
    1. Go to ResponseLive Investigation.
    2. Click the One Time Investigation tab.
      For details, see One-Time Investigation.