Scanning endpoints

The engine scans each endpoint using the intel documents and Signals that you defined. The engine can perform background scans, quick scans, and live Signals monitoring through the recorder. Background scans begin shortly after intel is deployed to the endpoint and continue on regular intervals. Quick scans are initiated on demand, typically when you need to urgently locate all instances of a potential compromise.

A scan can have three possible results:

  • Match: Identifies potential compromise and generates alerts.
  • No match: None of the intel matched the data on the endpoints.
  • Inconclusive: Generally, an indication that the scan did not complete for some reason.

When a scan finds a match, the alert is gathered from the endpoint and reported to Threat Response. From there, you can further investigate the endpoint.

The two available types of scans are background scans and quick scans. Background scans and quick scans are complementary: background scans run on a schedule for all intel, while quick scans are immediate and are intended for use cases such as testing or piloting new intel. In this way, you can test the results of specific intel with a quick scan; once the intel has been revised so that it generates the intended alerts, it can be scanned on a routine basis through background scans.

Background scans

Background scans run automatically on an interval specified by the engine configuration. The default is 24 hours. When a scan is due to run, the engine first checks the last scan to see whether it was interrupted. If the scan was interrupted, the engine resumes that scan instead of starting a new one, provided the scan details (such as the active configuration ID, revision ID, and intel revision) are the same. If the details do not match, a new scan is started.

To edit the configuration of the engine, see Engine configurations.

Quick scans

Quick scans send a single piece of intel to the endpoints for immediate matching and alert reporting. If the intel is too large, the quick scan option is not available. You can use Signals, OpenIOC, STIX, or YARA intel in a quick scan.

For Signals, you can use quick scans for a seven-day historical query on the event recorder database. Quick scans on Signals are also useful when you are authoring Signals. Quick scans are not supported for Signals that contain ancestry object types, such as ancestry.path.

If a background scan is running at the time the quick scan starts, the background scan pauses and then resumes when the quick scan finishes.

Quick scans have different limits for system-level resource consumption (such as disk usage and CPU percentage) than background scans. By default, quick scans throttle CPU usage at 25% and disk usage at 50%.

Quick scans are run on endpoints as questions. You can configure quick scan settings in an engine configuration within a specific profile to specify how the quick scan performs on the endpoints in the computer groups that the profile targets. If you do not have an engine configuration as part of a deployed profile, but you do have Threat Response tools deployed, you can still run a quick scan; it then uses the default background scan resource limits, which throttle CPU usage at 5% and disk usage at 20%.

Consider the resource thresholds that such a scan imposes on the endpoint. When initiating quick scans in succession on shared infrastructure, account for their capacity to consume large amounts of resources. For more information, see Managing question and sensor thresholds.

  1. From the Threat Response menu, go to Intel. Click the intel name. Click Actions > Quick Scan.
  2. Select a computer group.
  3. Click Start Scan.

The Threat Response icon pulses while the quick scan is running. After the quick scan completes, you can use the Interact icon to view the detailed results of the scan. As alerts are generated and gathered asynchronously from the scan, they might display on the Alerts page before the scan completes.
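As an added illustration, not Tanium's own code, the following Python model captures the scheduling rules described in the background scan and quick scan sections above: a due background scan resumes an interrupted one only when the configuration ID, revision ID and intel revision all still match, a quick scan pauses a running background scan until it finishes, a quick scan falls back to the background limits when no engine configuration is deployed, and Signals with ancestry object types are rejected. The field names, the progress counter, the string representation of object types and the size cap are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Throttle defaults stated on this page; everything else below is a model.
BACKGROUND_LIMITS = {"cpu_pct": 5, "disk_pct": 20}
QUICK_LIMITS = {"cpu_pct": 25, "disk_pct": 50}

@dataclass(frozen=True)
class ScanDetails:  # identifiers a resumed scan must still match (field names assumed)
    config_id: str
    revision_id: int
    intel_revision: int

@dataclass
class BackgroundScan:
    details: ScanDetails
    done: int = 0           # hypothetical progress counter (intel documents evaluated)
    state: str = "running"  # running | paused | interrupted

def schedule_background(last: Optional[BackgroundScan], current: ScanDetails) -> BackgroundScan:
    """Resume the last scan only if it was interrupted with identical details."""
    if last is not None and last.state == "interrupted" and last.details == current:
        last.state = "running"
        return last
    return BackgroundScan(current)  # any mismatch: start over

def quick_scan_allowed(intel_type: str, object_types: list[str], size_bytes: int,
                       max_bytes: int = 64 * 1024) -> bool:
    """max_bytes is a hypothetical cap; the page only says 'too large'."""
    if size_bytes > max_bytes:
        return False
    # Signals that reference ancestry object types (e.g. ancestry.path) cannot be quick scanned.
    if intel_type == "signal" and any(t.startswith("ancestry.") for t in object_types):
        return False
    return True

class Engine:
    def __init__(self, profile_limits: Optional[dict] = None):
        # No engine configuration in the deployed profile: fall back to background limits.
        self.quick_limits = profile_limits or BACKGROUND_LIMITS
        self.background: Optional[BackgroundScan] = None

    def start_quick_scan(self) -> dict:
        if self.background is not None and self.background.state == "running":
            self.background.state = "paused"  # background scan waits for the quick scan
        return self.quick_limits

    def finish_quick_scan(self) -> None:
        if self.background is not None and self.background.state == "paused":
            self.background.state = "running"
```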