Investigating rule matches

Overview

When Reveal finds a match to a rule, the Rules and Rule sets pages update to show a breakdown of all endpoints affected by the rule, ordered by how many matches occur on each endpoint. You can then investigate the details of a match. Each rule shows the number of endpoints on which matches have been detected. You can create a Trace live connection to an endpoint and drill down to perform further analysis, review the number of matches across endpoints over time, and filter the matches by computer group or keyword.

From the Rules page, when a rule match occurs you can investigate the affected endpoints and the files in which matches are detected.

Investigate by endpoint

  1. From the Reveal menu, click Rules.
  2. Click a rule that has matches that you want to investigate.
  3. Reveal displays the endpoints where matches have occurred.
  4. Select an endpoint and click Create Connection. A live connection is opened to the endpoint. When the endpoint connection displays as Active, click the endpoint name to view files that contain matches.
  5. Click an endpoint to view the files that contain rule matches. For each file in which matches have occurred, the file name, Rule ID, Number of hits, date modified, size, and path are displayed.

Last updated: 1/16/2019 11:57 AM