
The Triple Punch

Standard Endpoint Investigation Workflow

Objective: To determine if a file is safe or malicious, find out who has it, and confirm if security controls (Antivirus) took action.

Punch 1: The Inventory Hunt (Scope & Presence)

  • Tool: Enterprise Endpoint Management (e.g., Tanium)
  • Goal: Find out if the file exists on the network and how many machines are affected.
  • Action:
    1. Navigate to the Search/Interact bar.
    2. Type: Get Index Query File Details contains [MD5_HASH]
    3. Select the Enhanced Search suggestion and click Ask Question.
  • The Check:
    • High Count (1,000+): Likely a standard, authorized company application.
    • Low Count (1-5): Isolated or “One-Off” file; requires deeper investigation.

Punch 2: The Reputation Check (Global Intel)

  • Tool: Public Threat Intelligence (e.g., VirusTotal)
  • Goal: See what the global security community knows about this file’s DNA.
  • Action:
    1. Go to the reputation engine website.
    2. Search by Hash (never upload the actual file to a public site).
  • The Check:
    • Detection Ratio: If multiple engines flag it (e.g., 15/70), treat it as a threat.
    • The Signature: Find the Microsoft detection name (e.g., Win32/Trojan.Generic). Copy this for your log audit.

Punch 3: The Log Audit (Security Action)

  • Tool: SIEM (e.g., Splunk)
  • Goal: Verify if the internal Antivirus (AV) actually saw and stopped the file.
  • Action:
    1. Open the Security Event Console.
    2. If the ticket isn’t listed, run a manual search: index=<INTERNAL_AV_INDEX> "[MD5_HASH]"
  • The Check:
    • Look for the action_type field.
    • Quarantined/Blocked: The “Security Guard” caught the intruder.
    • Allowed/Detected: The file was seen but not stopped. If the Reputation (Punch 2) was bad, escalate this immediately.
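The three punches combined into one triage routine, as an added example that is not part of the original post. It encodes the decision rules above: the inventory count thresholds, "multiple engines flag it" as the threat test, the Microsoft signature carried from the reputation check into the log audit, and the escalate-if-bad-reputation-and-not-stopped rule. The function names, the VirusTotal-style result dict shape, the key=value AV event format and all sample hashes, hostnames and paths are constructed for illustration; none of them come from Tanium, VirusTotal or Splunk.

```python
"""Triple Punch triage helper (added example; not code from the original post).

Assumptions, all constructed for this example: the function names, the
VirusTotal-style report dict shape, the key=value AV log line format, and
the sample hashes, hosts and paths below.
"""
import hashlib
import re

# ---- Punch 1: inventory scope ---------------------------------------------
def classify_inventory(hit_count: int) -> str:
    """Bucket an endpoint hit count using the post's thresholds."""
    if hit_count <= 0:
        return "absent"
    if hit_count <= 5:
        return "isolated"      # one-off; requires deeper investigation
    if hit_count >= 1000:
        return "widespread"    # likely a standard, authorized application
    return "moderate"

# ---- Punch 2: reputation --------------------------------------------------
def hash_local_file(path: str) -> str:
    """Hash the file locally so only the digest ever leaves the environment."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def reputation_verdict(report: dict) -> dict:
    """Summarise a constructed VirusTotal-style report.

    Assumed shape (not the real API):
      {"stats": {"malicious": 15, "total": 70},
       "results": {"Microsoft": {"result": "Win32/Trojan.Generic"}}}
    """
    malicious = report["stats"]["malicious"]
    total = report["stats"]["total"]
    ms_name = report.get("results", {}).get("Microsoft", {}).get("result")
    return {
        "ratio": f"{malicious}/{total}",
        "is_threat": malicious >= 2,        # "multiple engines flag it"
        "microsoft_signature": ms_name,     # carried into the log audit
    }

# ---- Punch 3: AV log audit ------------------------------------------------
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # constructed key=value event format
STOPPED = {"quarantined", "blocked"}
SEEN_NOT_STOPPED = {"allowed", "detected"}

def parse_av_line(line: str) -> dict:
    """Parse one constructed key=value AV event line into a dict."""
    return {k.lower(): v.strip('"') for k, v in _KV.findall(line)}

def audit_av_events(lines, md5: str) -> str:
    """Return 'stopped', 'not_stopped' or 'unseen' for events on this hash."""
    actions = set()
    for raw in lines:
        ev = parse_av_line(raw)
        if ev.get("file_hash", "").lower() == md5.lower():
            actions.add(ev.get("action_type", "").lower())
    if actions & STOPPED:
        return "stopped"
    if actions & SEEN_NOT_STOPPED:
        return "not_stopped"
    return "unseen"

# ---- Combine the three punches --------------------------------------------
def triage(hit_count: int, report: dict, av_lines, md5: str) -> dict:
    """Escalate when reputation is bad and the AV did not stop the file."""
    rep = reputation_verdict(report)
    av_action = audit_av_events(av_lines, md5)
    return {
        "scope": classify_inventory(hit_count),
        "reputation": rep,
        "av_action": av_action,
        "escalate": rep["is_threat"] and av_action != "stopped",
    }

# Constructed sample data (not from any real system or incident)
SAMPLE_MD5 = "0123456789abcdef0123456789abcdef"
SAMPLE_REPORT = {
    "stats": {"malicious": 15, "total": 70},
    "results": {"Microsoft": {"result": "Win32/Trojan.Generic"}},
}
SAMPLE_AV_LOG = [
    'time=2024-05-02T10:14:03Z host=WS-0142 action_type=Detected '
    'file_hash=0123456789abcdef0123456789abcdef path="C:\\Users\\jdoe\\Downloads\\invoice.exe"',
    'time=2024-05-02T10:14:05Z host=WS-0142 action_type=Allowed '
    'file_hash=0123456789abcdef0123456789abcdef path="C:\\Users\\jdoe\\Downloads\\invoice.exe"',
    'time=2024-05-02T10:20:11Z host=WS-0077 action_type=Quarantined '
    'file_hash=fedcba9876543210fedcba9876543210 path="C:\\Temp\\other.exe"',
]

if __name__ == "__main__":
    print(triage(3, SAMPLE_REPORT, SAMPLE_AV_LOG, SAMPLE_MD5))
```

With the constructed sample, the hash is on three machines (isolated), 15/70 engines flag it, and the AV only logged Detected/Allowed, so `escalate` comes back `True`; the second sample hash was Quarantined and would not escalate even with a bad reputation.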

Investigation Summary Checklist

  • [ ] Inventory: Did I find the computer name and file path?
  • [ ] Reputation: Does the world think this file is “Naughty” or “Nice”?
  • [ ] Audit: Did our internal security tools take the correct action?
