After analyzing the files, Traps notifies the ESM about
the security event and can send additional forensic data to the
If your security policy contains a forensic data collection rule,
Traps collects one or more specified data types and uploads the
file(s) to the forensic folder. Depending on the preferences, Traps
can collect URI that were accessed, drivers, files, and relevant
DLLs that are loaded in memory under the attacked process, and ancestor processes
of the process that triggered the security event. For more information,
see Define Forensics Collection Preferences.
By default, Traps uses a web-based Background Intelligent Transfer
Service (BITS) folder that utilizes idle network bandwidth to upload
data. For more information, see Change the Default Forensic Folder.
You can also manually retrieve forensic data for a specific security
event by creating a one-time action rule to retrieve the data. For
more information, see Retrieve Data About a Security Event.
To view the status of the forensic upload select