Threat Event Logs

Threat Event Logs

Threat Mitigator creates a threat event log entry when performing mitigation actions.

You can do the following from the Threat Event Logs screen:

• View the threat event logs

• Export the logs to a .csv file.

• Perform rollback to restore files, registry keys, and other changes performed during mitigation

To query the Threat Event logs:

• Logs > Threat Event Logs

1. Select a time period for the query:

• By default, the All days option time period appears in the selection.

• By default, the date and time of the most recent logs appear in the To and From fields. Accept the default settings or specify the beginning and ending dates by clicking the calendar icon next to each field.

2. Click More search criteria to refine the query scope. Select from the following criteria:

   Additional search criteria

   Search Criteria	Description
   IP address range	A range of IP addresses for endpoints
   Host name	The endpoint’s host name Host names may not display properly due to encoding language conflicts, which can be resolved by configuring host name encoding in the Log Settings screen. For details, see Log Settings.
   Threat event	Includes the following threat-related events logged by Threat Mitigator or Threat Management Agent: Threat detection (from security risk logs): A threat was detected after analyzing logs from endpoint security software such as OfficeScan User-initiated On-demand Scan: A user launched On-demand Scan on an agentless endpoint Agent post-installation scan: The endpoint was scanned immediately after the agent was installed Custom pattern <x> deployment: The specified custom pattern was deployed to an endpoint Administrator-initiated On-demand Scan: You launched On-demand Scan remotely from the Threat Management screen Post-assessment cleanup: The agent assessed the endpoint for threats and then performed cleanup Forensic data collection: The agent collected forensic data from the endpoint because there are unresolved threats after post-assessment cleanup Threat-related events not listed in this document but are appearing in the web console are events that Threat Discovery Appliance reports to Threat Mitigator.
   Data source	Entities or tasks that generate threat event information, including: Threat Discovery Appliance Threat Management Services Portal Security risk logs Cleanup using custom pattern On-demand Scan (user-initiated, with agent) On-demand Scan (user-initiated, agentless) On-demand Scan (administrator-initiated) Agent post-installation scan
   Mitigation status	Threat events grouped by the following status groups: All: Includes every mitigation status. Mitigation in progress: The mitigation task is running. No mitigation: The mitigation task was not performed because of a mitigation exception. Unsuccessful: The mitigation task was not completed or encountered problems. Resolved threats: All or selected threats have been resolved. Assessed endpoint: The agent detected threats in the endpoint during assessment but did not run cleanup because you have chosen to run cleanup manually. Rollback successful: A mitigation task was rolled back successfully. Rollback unsuccessful: A mitigation task was not rolled back. Scanned endpoint: On-demand Scan has been completed. Either no threat was found or the user chose to ignore all detected threats. For mitigation status details, see Mitigation Status.

3. Click Search. A Query Result table appears.

4. To view threat event details, click a link under the Mitigation Status column. For details, see Mitigation Status.

5. To undo mitigation tasks, select one or several endpoints and then click Rollback.

6. To export the query results, click Export to CSV.

See also:

• System Logs

• Log Maintenance

• Log Settings

• Debug Information

• Threat Mitigation

• Mitigation Tasks

• On-demand Scan