Threat Event Logs

Threat Mitigator creates a threat event log entry when performing mitigation actions.

You can do the following from the Threat Event Logs screen:

  1. Select the time period the query should cover.

  2. Click More search criteria to refine the query scope. Select from the following criteria:

    Additional search criteria (each criterion is followed by its description):

    IP address range
    A range of IP addresses for endpoints.

    Host name
    The endpoint's host name.
    • Host names may not display properly when the endpoint's character encoding differs from the encoding the console expects. Configure the host name encoding in the Log Settings screen to correct this. For details, see Log Settings.

    Threat event
    The threat-related events logged by Threat Mitigator or Threat Management Agent:
    • Threat detection (from security risk logs): A threat was detected after analyzing logs from endpoint security software such as OfficeScan.
    • User-initiated On-demand Scan: A user launched On-demand Scan on an agentless endpoint.
    • Agent post-installation scan: The endpoint was scanned immediately after the agent was installed.
    • Custom pattern <x> deployment: The specified custom pattern was deployed to an endpoint.
    • Administrator-initiated On-demand Scan: You launched On-demand Scan remotely from the Threat Management screen.
    • Post-assessment cleanup: The agent assessed the endpoint for threats and then performed cleanup.
    • Forensic data collection: The agent collected forensic data from the endpoint because threats remained unresolved after post-assessment cleanup.
    • Threat-related events that appear in the web console but are not listed in this document are events that Threat Discovery Appliance reports to Threat Mitigator.

    Data source
    The entities or tasks that generate threat event information:
    • Threat Discovery Appliance
    • Threat Management Services Portal
    • Security risk logs
    • Cleanup using custom pattern
    • On-demand Scan (user-initiated, with agent)
    • On-demand Scan (user-initiated, agentless)
    • On-demand Scan (administrator-initiated)
    • Agent post-installation scan

    Mitigation status
    Threat events grouped by the following status groups:
    • All: Includes every mitigation status.
    • Mitigation in progress: The mitigation task is running.
    • No mitigation: The mitigation task was not performed because of a mitigation exception.
    • Unsuccessful: The mitigation task was not completed or encountered problems.
    • Resolved threats: All or selected threats have been resolved.
    • Assessed endpoint: The agent detected threats on the endpoint during assessment but did not run cleanup because you chose to run cleanup manually.
    • Rollback successful: A mitigation task was rolled back successfully.
    • Rollback unsuccessful: A mitigation task could not be rolled back.
    • Scanned endpoint: On-demand Scan has completed. Either no threat was found or the user chose to ignore all detected threats.
    • For mitigation status details, see Mitigation Status.

  3. Click Search. A Query Result table appears.

  4. To view threat event details, click a link under the Mitigation Status column. For details, see Mitigation Status.

  5. To undo mitigation tasks, select one or several endpoints and then click Rollback.

  6. To export the query results, click Export to CSV.
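The query criteria above map directly onto the columns of an exported log, which makes it straightforward to re-run the same filters offline, for example to pull every endpoint whose mitigation failed out of a day's export. The following script is an added example written for this page, not Threat Mitigator code, and it makes two assumptions: the CSV column names (Time, IP address, Host name, Threat event, Data source, Mitigation status) and the timestamp format are guesses that should be checked against a real Export to CSV file, and the sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample of an exported Threat Event Logs query result.
# The column names and timestamp format are assumptions made for this example;
# compare them with a real "Export to CSV" file before relying on them.
SAMPLE_CSV = """\
Time,IP address,Host name,Threat event,Data source,Mitigation status
2011-03-01 09:12:00,10.1.2.15,WS-015,Threat detection,Security risk logs,Resolved threats
2011-03-01 09:40:00,10.1.2.77,WS-077,Administrator-initiated On-demand Scan,On-demand Scan (administrator-initiated),Unsuccessful
2011-03-01 10:05:00,10.1.3.8,LAB-08,Post-assessment cleanup,Threat Discovery Appliance,Assessed endpoint
2011-03-02 11:30:00,10.1.2.80,WS-080,Agent post-installation scan,Agent post-installation scan,Scanned endpoint
2011-03-02 14:00:00,10.1.2.15,WS-015,Custom pattern CP-7 deployment,Cleanup using custom pattern,Rollback unsuccessful
2011-03-03 08:00:00,10.1.2.15,WS-015,Threat detection,Security risk logs,No mitigation
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed export format

# Statuses that leave a threat on the endpoint or need a human decision.
NEEDS_FOLLOW_UP = {
    "Mitigation in progress",
    "Unsuccessful",
    "Assessed endpoint",
    "Rollback unsuccessful",
}


def parse_export(text):
    """Read an exported CSV into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _ts(value):
    return datetime.strptime(value, TIME_FORMAT)


def query(rows, start=None, end=None, ip_range=None, host=None,
          event=None, source=None, status="All"):
    """Apply the same criteria the Threat Event Logs screen offers.

    start/end: inclusive time period as TIME_FORMAT strings.
    ip_range:  "first-last", e.g. "10.1.2.0-10.1.2.255" (inclusive).
    host:      case-insensitive substring of the host name.
    event/source: exact match on Threat event / Data source.
    status:    exact mitigation status, or "All" for every status.
    """
    t0 = _ts(start) if start else None
    t1 = _ts(end) if end else None
    lo = hi = None
    if ip_range:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in ip_range.split("-", 1))
        if lo.version != hi.version:
            raise ValueError("IP range endpoints must be the same IP version")

    matches = []
    for r in rows:
        t = _ts(r["Time"])
        if t0 and t < t0:
            continue
        if t1 and t > t1:
            continue
        if lo is not None:
            addr = ipaddress.ip_address(r["IP address"])
            if addr.version != lo.version or not (lo <= addr <= hi):
                continue
        if host and host.lower() not in r["Host name"].lower():
            continue
        if event and r["Threat event"] != event:
            continue
        if source and r["Data source"] != source:
            continue
        if status != "All" and r["Mitigation status"] != status:
            continue
        matches.append(r)
    return matches


def follow_up(rows):
    """Group endpoints by the unresolved mitigation statuses recorded for them.

    Every record with such a status is reported, even if the endpoint has a
    later event, because a failed rollback or unassessed cleanup still needs
    review in the console.
    """
    pending = {}
    for r in rows:
        if r["Mitigation status"] in NEEDS_FOLLOW_UP:
            pending.setdefault(r["Host name"], set()).add(r["Mitigation status"])
    return {h: sorted(s) for h, s in pending.items()}


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    subnet = query(rows, ip_range="10.1.2.0-10.1.2.255")
    print(f"{len(subnet)} events in 10.1.2.0-10.1.2.255")
    for host, statuses in sorted(follow_up(rows).items()):
        print(f"{host}: {', '.join(statuses)}")
```

For a real export, replace SAMPLE_CSV with the file contents and adjust the column names and TIME_FORMAT to match; the filter semantics (inclusive time period and IP range, substring host match, exact match on the other columns) mirror the search criteria on the Threat Event Logs screen.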

See also: