Retrieve Data About a Security Event
4.2 (EoS)
When a security event occurs on an endpoint, Traps collects forensic data, including the contents of memory, and stores it locally on the endpoint. Use this forensic data to debug an issue or to investigate a specific problem with an application. Selecting Retrieve Data for a security event creates an agent settings rule that instructs Traps to upload the data it collected for that event. After the Traps agent receives the agent settings rule, it sends all the logs to the designated forensic folder.

Because the retrieved data can include the contents of process memory, it may contain credentials, session tokens, or other sensitive material that was in memory at the time of the event. Treat the forensic folder and any locally downloaded copies as sensitive, and restrict who can read them.

To create a general rule to retrieve data from one or more endpoints, see Manage Data Collected by Traps.
- From the ESM Console, select Security Events > Threats to view security events related to protected processes, or Monitor > Provisional Mode to view security events related to provisional processes.
- Select the security event for which you want to retrieve data. The event expands to display further details and the actions available for that security event.
- Click Retrieve Data. The ESM Console populates the settings for an agent settings rule.
- Review the rule details, and then click Apply to activate the rule immediately or Save to activate it later. At the next heartbeat communication with the ESM Server, the Traps agent receives the new rule and sends the prevention data to the forensic folder.
- To view the status of the forensic upload, select Monitor > Data Retrieval.
- After the upload completes, click Download to save the prevention data locally, or navigate to the forensic folder. If you no longer require the prevention data, you can optionally Delete it from the Data Retrieval table.