Security Event Monitoring Variables
Table of Contents
4.2 (EoS)
Expand all | Collapse all
-
- Set Up the Endpoint Infrastructure
- Activate Traps Licenses
-
- Endpoint Infrastructure Installation Considerations
- TLS/SSL Encryption for Traps Components
- Configure the MS-SQL Server Database
- Install the Endpoint Security Manager Server Software
- Install the Endpoint Security Manager Console Software
- Manage Proxy Communication with the Endpoint Security Manager
- Load Balance Traffic to ESM Servers
-
- Malware Protection Policy Best Practices
- Malware Protection Flow
- Manage Trusted Signers
-
- Remove an Endpoint from the Health Page
- Install an End-of-Life Traps Agent Version
-
-
- Traps Troubleshooting Resources
- Traps and Endpoint Security Manager Processes
- ESM Tech Support File
-
- Access Cytool
- View the Status of the Agent Using Cytool
- View Processes Currently Protected by Traps Using Cytool
- Manage Logging of Traps Components Using Cytool
- Restore a Quarantined File Using Cytool
- View Statistics for a Protected Process Using Cytool
- View Details About the Traps Local Analysis Module Using Cy...
- View Hash Details About a File Using Cytool
Security Event Monitoring Variables
Security events include all prevention, notification,
and provisional events that are reported by the Traps agents. The
ESM Console lists these events under the Security Events Logging
Events category. The following table displays the most commonly
specified variables used for monitoring security events.
Name | Meaning |
|---|---|
dhost | Machine name of the endpoint |
duser | User that was logged onto the endpoint. |
Model | Name of the exploit protection module (EPM) |
deviceProcessName | Process name |
File Hash | Hash value of an executable file |
dvc/dst | IP address of the endpoint |
msg | Free text description |
Content Version | Content version |
For example, consider the output of a Prevention Event in
CEF format:
Aug 25 2016 12:52:45 10.200.0.216 CEF:0|Palo Alto Networks|Traps Agent|3.4.1.15591|Prevention Event|Threat|9|rt=Aug 25 2016 12:52:45 dhost=tmpltwe7stan duser=TMPLTWE7STAN\User cs2Label=Module cs2=DEP deviceProcessName=firefox.exe fileHash=CD3CF48E727B5904A211F9366A67695702893316C7A039554496E99D98173D3C cs3Label=ContentVersion cs3=5-353 dvc=10.200.0.30 msg=New prevention event. Prevention Key: f24ba02f-bf08-4713-be00-f03bfc1f4034
Notice that this event uses several common variables, namely: dhost, duser, deviceProcessName, fileHash, dvc,
and msg.