Retrieve Data About a Security Event

When a security event occurs on an endpoint, Traps collects forensic data including the contents of memory and stores it on the endpoint. Use the forensic data to debug an issue or investigate a specific problem with an application. Selecting this option creates an agent settings rule to retrieve the information collected by Traps. After Traps receives the agent settings rule, the agent sends all the logs to the designated forensic folder.
To create a general rule to retrieve data from one or more endpoints, see Manage Data Collected by Traps.
  1. From the ESM Console, select
    Security Events
    Threats
    to view security events related to protected processes, or
    Monitor
    Provisional Mode
    to view security events related to provisional processes.
  2. Select the security event for which you want to retrieve data. The event expands to display further details and actions about the security event.
  3. Click
    Retrieve Data
    . The ESM Console populates the settings for an agent settings rule.
  4. Review the rule details, and then click
    Apply
    to activate the rule immediately or
    Save
    to activate the rule at a later date. At the next heartbeat communication with the ESM Server, the Traps agent receives the new rule and sends the prevention data to the forensics folder.
  5. To view the status of the forensic upload select
    Monitor
    Data Retrieval
    .
  6. After the upload is complete, click
    Download
    to save the prevention data locally or navigate to the forensic folder. If you are no longer require the prevention data, you can, optionally,
    Delete
    it from the Data Retrieval table.

Recommended For You