Threat Mitigator creates a threat event log entry when it performs a mitigation action.
You can do the following from the Threat Event Logs screen:
View the threat event logs.
Export the logs to a .csv file.
Roll back a mitigation to restore files, registry keys, and other changes made during mitigation.
To query the Threat Event Logs:
Go to Logs > Threat Event Logs.
Select a time period for the query. By default, the All days option is selected.
The From and To fields show the date and time of the most recent logs by default. Accept the defaults, or specify the beginning and ending dates by clicking the calendar icon next to each field.
Click More search criteria to refine the query scope. Select from the following criteria:
IP address range: A range of IP addresses for endpoints.
Host name: The endpoint's host name. Host names may not display properly because of encoding conflicts; configure host name encoding in the Log Settings screen to resolve this. For details, see Log Settings.
Threat-related events: The query covers the following events logged by Threat Mitigator or Threat Management Agent:
Threat detection (from security risk logs): A threat was detected after analyzing logs from endpoint security software such as OfficeScan.
User-initiated On-demand Scan: A user launched an On-demand Scan on an agentless endpoint.
Agent post-installation scan: The endpoint was scanned immediately after the agent was installed.
Custom pattern <x> deployment: The specified custom pattern was deployed to an endpoint.
Administrator-initiated On-demand Scan: You launched an On-demand Scan remotely from the Threat Management screen.
Post-assessment cleanup: The agent assessed the endpoint for threats and then performed cleanup.
Forensic data collection: The agent collected forensic data from the endpoint because threats remained unresolved after post-assessment cleanup.
Threat-related events that appear in the web console but are not listed in this document are events that Threat Discovery Appliance reports to Threat Mitigator.
Entities or tasks that generate threat event information. Select from:
Threat Discovery Appliance
Threat Management Services Portal
Security risk logs
Cleanup using custom pattern
On-demand Scan (user-initiated, with agent)
On-demand Scan (user-initiated, agentless)
On-demand Scan (administrator-initiated)
Agent post-installation scan
Mitigation status: Threat events are grouped into the following status groups:
All: Includes every mitigation status.
Mitigation in progress: The mitigation task is running.
No mitigation: The mitigation task was not performed because of a mitigation exception.
Unsuccessful: The mitigation task did not complete or encountered problems.
Resolved threats: All or selected threats have been resolved.
Assessed endpoint: The agent detected threats on the endpoint during assessment but did not run cleanup because you chose to run cleanup manually.
Rollback successful: A mitigation task was rolled back successfully.
Rollback unsuccessful: A mitigation task could not be rolled back.
Scanned endpoint: The On-demand Scan has completed. Either no threat was found or the user chose to ignore all detected threats.
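The same criteria can be applied outside the console to a log exported as .csv, which is useful when you need to triage many endpoints or feed the events into another system. The following Python script is an added example and is not Threat Mitigator's own code or export tooling: it applies the time period, IP address range, host name, event and mitigation status criteria described above to an export, then lists the endpoints whose latest events indicate threats that may still be unresolved. The column names (Time, Endpoint IP, Host Name, Event, Status), the timestamp format and the sample rows are assumptions constructed for the example; match the constants to the header of a real export before use.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Assumed export header and timestamp format (not from the product docs);
# edit these to match the header of a real export.
COL_TIME, COL_IP, COL_HOST, COL_EVENT, COL_STATUS = (
    "Time", "Endpoint IP", "Host Name", "Event", "Status")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Mitigation status groups as listed on this page ("All" is the wildcard).
MITIGATION_STATUSES = {
    "Mitigation in progress", "No mitigation", "Unsuccessful",
    "Resolved threats", "Assessed endpoint", "Rollback successful",
    "Rollback unsuccessful", "Scanned endpoint",
}
# Statuses and the event that mean threats may still be on the endpoint.
UNRESOLVED_STATUSES = {"Unsuccessful", "Rollback unsuccessful"}
FORENSIC_EVENT = "Forensic data collection"

# Constructed sample export: hosts, addresses and times are made up.
SAMPLE_CSV = """\
Time,Endpoint IP,Host Name,Event,Status
2024-03-01 09:15:02,10.0.1.12,ws-012,Threat detection (from security risk logs),Resolved threats
2024-03-01 09:20:44,10.0.1.13,ws-013,Administrator-initiated On-demand Scan,Unsuccessful
2024-03-01 10:02:10,10.0.1.40,ws-040,Post-assessment cleanup,Rollback unsuccessful
2024-03-02 08:30:00,10.0.2.7,srv-007,Forensic data collection,Unsuccessful
2024-03-02 11:45:31,10.0.1.13,ws-013,Agent post-installation scan,Scanned endpoint
2024-03-03 07:05:19,10.0.1.21,ws-021,Custom pattern 1234 deployment,Mitigation in progress
"""


def parse_time(text):
    """Parse a timestamp in the assumed export format."""
    return datetime.strptime(text.strip(), TIME_FORMAT)


def parse_export(text):
    """Turn the .csv text into rows with typed time and IP fields. A row with
    an unknown status is rejected so a changed export layout fails loudly."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        status = raw[COL_STATUS].strip()
        if status not in MITIGATION_STATUSES:
            raise ValueError(f"unknown mitigation status: {status!r}")
        rows.append({
            "time": parse_time(raw[COL_TIME]),
            "ip": ipaddress.ip_address(raw[COL_IP].strip()),
            "host": raw[COL_HOST].strip(),
            "event": raw[COL_EVENT].strip(),
            "status": status,
        })
    return rows


def query(rows, *, start=None, end=None, ip_range=None, host=None,
          event_contains=None, status="All"):
    """Apply the console's search criteria; each is optional. ip_range is an
    inclusive (first, last) pair of address strings; status "All" matches
    every status group, like the All option in the console."""
    if status != "All" and status not in MITIGATION_STATUSES:
        raise ValueError(f"unknown mitigation status: {status!r}")
    lo = hi = None
    if ip_range is not None:
        lo, hi = (ipaddress.ip_address(a) for a in ip_range)
        if lo > hi:
            raise ValueError("IP range start is after its end")
    matches = []
    for r in rows:
        if (start is not None and r["time"] < start) or \
           (end is not None and r["time"] > end):
            continue
        if lo is not None and not lo <= r["ip"] <= hi:
            continue
        if host is not None and r["host"].lower() != host.lower():
            continue
        if event_contains is not None and event_contains.lower() not in r["event"].lower():
            continue
        if status != "All" and r["status"] != status:
            continue
        matches.append(r)
    return matches


def endpoints_needing_follow_up(rows):
    """Hosts whose log shows threats that may remain: a failed mitigation or
    rollback, or forensic data collection (run only when threats are left after
    post-assessment cleanup). One (host, ip, event, status) per host, latest."""
    latest = {}
    for r in sorted(rows, key=lambda r: r["time"]):
        if r["status"] in UNRESOLVED_STATUSES or r["event"].startswith(FORENSIC_EVENT):
            latest[r["host"]] = (r["host"], str(r["ip"]), r["event"], r["status"])
    return [latest[h] for h in sorted(latest)]


if __name__ == "__main__":
    for host, ip, event, status in endpoints_needing_follow_up(parse_export(SAMPLE_CSV)):
        print(f"{host} ({ip}): {event} -> {status}")
```

The follow-up list is built from the page's own semantics: Unsuccessful and Rollback unsuccessful mean the mitigation or its rollback did not complete, and Forensic data collection is logged only when threats remain after post-assessment cleanup, so those three are the entries an analyst should open first. Statuses outside the documented set are rejected rather than ignored, so a change in the export format surfaces as an error instead of an empty result.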