
Detection Logs

Each time Threat Discovery Appliance scans the network and detects a threat, it stores the results of the assessment and the status of the scanned computers in the Detection Log. Use this screen to obtain information from these logs.

If you registered Threat Discovery Appliance to Control Manager, Control Manager stores the scan results received from Threat Discovery Appliance.

  1. Select the Protocol type. To select more than one protocol, hold SHIFT or CTRL while clicking the protocols.

  2. Select the Traffic direction. Select from Internal attacks, External detections, or both.

  3. Select the Detection type. Select items from Potential security risks, Known security risks, Files not scanned, and Outbreak Containment Services.

  4. Select the Mitigation type of endpoint computers. Select from Mitigated and/or Un-Mitigated.

  5. Select the Severity of the security risk. Select from High, Medium, Low, and/or Informational logs.

  6. Select the Group name.

  7. Select the Network Zone. Select from Trusted, Untrusted, and/or No network zone.

  8. Specify the Date range or click the calendar icon and select the date you want.

  9. Select the IP address(es). Select from All, IP address, or a range of IP addresses.

  10. (Optional) Type the MAC Address, Computer Name, and Active Directory Domain Name and Account.

  11. Enable Show executive logs to view only logs with high risks that need immediate action.

  12. Click Display Logs. An Event Log table appears in the lower section of the screen.

  13. To view details for a particular event, click a link under Date. A new screen opens, with the details for the event. For more information, see Event Details.

  14. (Optional) Mouse over the source IP address or destination IP address results and select from Monitored Network, Registered Domain, or Registered Service to add the IP address to the network configuration lists.

  15. (Optional) Click Print to print the logs or Export Logs to export the file to a .CSV file.
