Create a Forensics Rule
Create a forensics rule to define memory dump and forensics collection preferences.
- Configure a new forensics rule. Select Policies > Forensics > Management and then click Add.
- Select the type of rule you want to configure: memory dump preferences or forensics collection preferences.
- (Optional) Add Conditions to the rule. By default, a new rule does not contain any conditions. To specify a condition, select the Conditions tab, select the condition in the Conditions list, and then Add it to the Selected Conditions list. Repeat to add more conditions, as needed. To add a condition to the Conditions list, see Define Activation Conditions for a Rule on Windows Endpoints or Define Activation Conditions for a Rule on Mac Endpoints.
- (Optional) Define the Target Objects to which to apply the forensics rule. By default, the rule applies to all endpoints. To define a smaller subset of target objects, select the Objects tab, and then enter one or more Users, Computers, Groups, Organizational Units, or Existing Endpoints in the Include or Exclude areas. The Endpoint Security Manager queries Active Directory to verify the users, computers, groups, or organizational units, or identifies existing endpoints from previous communication messages.
- (Optional) Review the rule name and description. The ESM Console automatically generates the rule name and description based on the rule details but permits you to change these fields, if needed. To override the autogenerated name, select the Name tab, clear the Activate automatic description option, and then enter a rule name and description of your choice.
- Save the forensics rule. Do either of the following:
  - Save the rule without activating it. This option is only available for inactive, cloned, or new rules. When you are ready to activate the rule, select the rule from the Policies > Forensics > Management page and then click Activate.
  - Apply the rule to activate it immediately.

After saving or applying a rule, you can return to the Management page at any time to Delete or Deactivate the rule.