Investigating rule matches

When Reveal finds a match to a rule, the Rules and Rule Sets pages update to show the endpoints affected by that rule, broken down by the number of matches on each endpoint. Each rule also shows how many endpoints have matches and how the match count across endpoints has changed over time. To investigate further, you can open a live connection to an affected endpoint and drill down to the matching files and the snippets where the pattern matched.

From the Rules page, when a rule match occurs you can investigate the affected endpoints and the files on those endpoints where matches were detected.

Investigate by endpoint

  1. From the Reveal menu, click Rules.
  2. Click a rule that has matches that you want to investigate.
  3. Under Results, Reveal displays the endpoints where matches have occurred.
  4. Select up to five endpoints and click Connect. A live connection is opened to the selected endpoints. When an endpoint connection state displays as Active, click the endpoint name to view files that contain matches.
  5. For each file where matches have occurred, the file name, number of hits, and path are displayed.
  6. Click an affected file to view snippets that show the pattern matches in context.

When pattern matches have been validated or invalidated, the values in the No validation hits and Valid hits columns on the Affected Files - <Computer Name> page display in orange for any rule whose patterns have been matched and validated. Orange indicates that the displayed data is "stale": new validation data exists that has not yet been reflected in a scan of the file. A file whose data is stale is prioritized for rescanning. When no new validation data exists, the values display in black.

For more information about validations, see Validating pattern matches.