Endpoint: Workflow of an Endpoint Investigation

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Sep 5, 2019.
Version 6

This guide provides the information needed to conduct an investigation that is focused on endpoint data from configured hosts. Analysts who use Investigate need the appropriate system roles and permissions set up for their user accounts. An administrator must configure roles and permissions as described in Roles and Permissions for Endpoint Analysts. For more information on roles and permissions, see the System Security and User Management Guide.

To hunt for information on hosts that have the agent running, begin the investigation in the Hosts view (INVESTIGATE > Hosts). For every host, you can see processes, drivers, DLLs, files (executables), services, anomalies, and autoruns that are running, and information related to logged-in users. (See Investigating Hosts.)

You can begin the investigation on files in your deployment in the Files view (INVESTIGATE > Files). (See Investigating Files.)

Note: To access the Hosts and Files views, you must have the endpoint-server.filter.manage permission.

Analysts use the Hosts and Files views to investigate or perform analysis on hosts or files using attributes such as IP address, host name, MAC address, risk score, and so on. The figure below shows the high-level capabilities of an endpoint investigation. The top box shows all the possible starting points, and the lower box shows the tasks that you can accomplish from those starting points.

Figure: Workflow of an Endpoint Investigation
