The engine scans each endpoint using the intel documents and signals that you defined. The engine can perform background scans, quick scans, and live signals monitoring through the recorder. Background scans begin shortly after intel is deployed to the endpoint and continue on regular intervals. Quick scans are initiated on demand, typically when you need to urgently locate all instances of a potential compromise.
A scan can have three possible results:
- Match: Identifies potential compromise and generates alerts.
- No match: None of the intel matched the data on the endpoints.
- Inconclusive: Generally, an indication that the scan did not complete for some reason.
When a scan finds a match, the alert is gathered from the endpoint and reported to Threat Response. From there, you can further investigate the endpoint.
Background scans run automatically on an interval specified by the engine configuration. The default is 24 hours. When a scan is due to run, the engine first checks the last scan to see if the scan was interrupted. If the scan was interrupted, the engine resumes the scan instead of starting a new scan. The scan details must be the same; such as the active configuration id, revision id, and intel revision. If the details do not match, a new scan is started.
To edit the configuration of the engine, see Engine configurations.
Quick scans send a single piece of intel to the endpoints for immediate matching and alert reporting. If the intel is too large, the quick scan option is not available. You can use Signals, OpenIOC, STIX, or YARA intel in a quick scan.
For signals, you can use quick scans for a seven day historical query on the event recorder database. Quick scan on signals is also useful when you are authoring signals.
If a background scan is running at the time the quick scan starts, the background scan pauses and then resumes when the quick scan finishes.
- From the Threat Response menu, go to Intel. Click the intel name. Click Quick Scan.
- Select a computer group.
- Click Start Scan.
The Threat Response icon pulses while the quick scan is running. After the quick scan completes, you can use the Interact icon to view the detailed results of the scan. As alerts are generated and gathered asynchronously from the scan, they might display on the Alerts page before the scan completes.
Last updated: 2/15/2019 10:34 AM | Feedback