About Event Log Tags

The Tags data column contains "tags" for events related to applications, endpoints, policies, and servers. To learn about tags and their meanings, see the following table:

Table 1. Event Log Tags

| Tag | Description | Log Types |
|---|---|---|
| application-start | Application start is explicitly allowed or blocked by policy | Policy actions |
| fallback-action | Application start is passively allowed because of missing rule information, an error collecting rule, or application information | Policy actions |
| file-access | Application access is explicitly allowed or blocked by policy | Policy actions |
| log-only | Application start or access is tracked with no actions applied because the log-only mode is enabled | Policy actions |
| lockdown-action | Application start or access is blocked because the application was added to the endpoint after a Lockdown rule was applied | Policy actions |
| multiuser-rule-conflict-action | Application, child-process start, or access is blocked by the policy of another logged on user | Policy actions |
| no-connection-to-server-action | Application start or access is blocked because the application was not explicitly allowed by the policy and the agent is unable to connect to the server to determine if the application should be allowed as matching a Certified Safe Software List package | Policy actions |
| rule-action | Application start is explicitly allowed or blocked by Allow or Block rule | Policy actions |
| safe-match | The application exactly matches its Certified Safe Software List package | Known applications |
| safe-match-loose | Application is found in the Certified Safe Software List, but not as part of its typical application package | Endpoint inventories, Policy actions, Known applications |
| safe-unchecked | The application is being evaluated against the Certified Safe Software List | Endpoint inventories, Policy actions |
| safe-unknown | The application does not match any Certified Safe Software List package | Endpoint inventories, Policy actions, Known applications |
| safe-version-<version> (for example, "safe-version-01.192") | The application is evaluated against this Certified Safe Software version | Endpoint inventories, Policy actions, Known applications |
| suspicious-match | The application is identified as a suspicious object based on the suspicious object list synchronized from a Control Manager server | Endpoint inventories, Known applications |
| suspicious-block | The application is identified as a suspicious object and blocked | Endpoint inventories, Known applications, Policy actions |
| suspicious-log | The application is identified as a suspicious object and logged | Endpoint inventories, Known applications, Policy actions |
| suspicious-user-defined | The application is identified as a suspicious object based on the user-defined suspicious object list in Control Manager | Endpoint inventories, Known applications |
| suspicious-virtual-analyzer | The application is identified as a suspicious object based on the Virtual Analyzer suspicious object list in Control Manager | Endpoint inventories, Known applications |
| trust-level-medium | The application is explicitly allowed and has a Trusted Source level of Medium | Policy actions |
| trust-level-high | The application is explicitly allowed and has a Trusted Source level of High | Policy actions |
| trust-level-very-high | The application is explicitly allowed and has a Trusted Source level of Very High | Policy actions |
| trusted-source-permanent-action | The application's child-process is temporarily allowed by a Trusted Source level of Medium | Policy actions |
| trusted-source-temporary-action | The application's child-process is permanently allowed by a Trusted Source level of High or Very High | Policy actions |