Procedure
- Go to .
- Click the One Time Investigation tab.
- Click New Investigation.
- Specify a Name for this investigation.
- Select a Method based on what
objects need to be matched:
-
Scan disk files using OpenIOC: objects on the disk that match the rules provided in an OpenIOC file
Note
After selection, Endpoint Sensor displays a preview of the OpenIOC file. Review the preview to verify if the OpenIOC file contains supported indicators and conditions. Unsupported combinations are formatted with a strike-through and are ignored during the investigation.For more information, see Supported IOC Indicators for Live Investigations. -
Scan in-memory processes using YARA: objects currently in memory that match the rules provided in a YARA file
-
Search registry: registry keys, names and data that match criteria defined by the user
-
- Click Select Endpoints and
specify which endpoints to include in the investigation.
Note
The Target Endpoints screen may not show all endpoints selected for the investigation.-
A user can only view endpoints where he has been granted sufficient access rights.
-
Only available for Security Agents installed on Windows platforms.
-
- Click Start Investigation.
- To view the results and monitor the progress of one-time investigations:
- Go to .
- Click the One Time Investigation
tab.For details, see One-Time Investigation.