Monitor Administrative Actions

To monitor the progress of administrator-initiated activities that may take time to complete (especially when run in bulk), you can use the Actions Tracker in Traps management service.
The Actions Tracker tracks the following activities:
  • Agent upgrades
  • Agent uninstalls
  • Agent scans
  • Halted agent scans
  • Data retrieval (both security event data and tech support files)
  • File retrieval (Windows endpoints only, up to 20 files reported as part of the security event)
  • Quarantined file restoration
Administrative actions that typically complete immediately—such as updating the status of a security event or deleting an endpoint—are not tracked in the Actions Tracker.
In addition, the Actions Tracker only displays the status of actions initiated within the last 37 days (30 days + a 7-day grace period). After 37 days, Traps management service clears any information about the administrative action from the Actions Tracker.
Should the action fail to complete, the Actions Tracker displays details to help you understand the reason for the failure.
For bulk operations initiated prior to the September 2018 Traps management service release (but within the 37-day tracking period), the Actions Tracker displays those actions independently as single actions.
  1. From Traps management service, select Monitor > Actions Tracker.
    For each action, the Actions Tracker displays the following information:
    • Type—Type of action.
    • Created By—The user and service that initiated the action. For policy-initiated actions, the Actions Tracker indicates the action was created by Agent Policy.
    • Target—Endpoint host name (if only one) or endpoint count for bulk operations.
    • Status—Status of the action (pending, in progress, succeeded, or failed).
    • Creation Time—Time the action was initiated.
    • Additional Information—Summary of the progress or additional details.
  2. To view additional details for an event, select the name of the event Type.
    The additional details view displays information about the operation including the progress and details about each endpoint on which the action was performed. Depending on the event type, the additional details view can also provide links to relevant information for the action. For example, for a data retrieval event, you can download the data (when available) and view additional information about the security event for which the data was retrieved.