Monitor Administrative Actions
To monitor the progress of administrator-initiated activities that may take time to complete (especially when run in bulk), you can use the Actions Tracker in Traps management service.
The Actions Tracker tracks the following activities:
- Agent upgrades
- Agent uninstalls
- Agent scans
- Aborted agent scans
- Data retrieval (both security event data and tech support files)
- File retrieval (Windows endpoints only, up to 20 files reported as part of the security event)
- File quarantine
- Quarantined file restoration
- Endpoint isolation
- Isolated endpoint restoration
- Set proxy
- Disable proxy
Administrative actions that typically complete immediately—such as updating the status of a security event or deleting an endpoint—are not tracked in the Actions Tracker.
Should the action fail to complete, the Actions Tracker displays details to help you understand the reason for the failure.
For bulk operations initiated prior to the September 2018 Traps management service release (but within the 37-day tracking period), the Actions Tracker displays those actions independently as single actions.
- From Traps management service, select.MonitorActions TrackerFor each action, the Actions Tracker displays the following information:
- Type—Type of action.
- Created By—The user and service that initiated the action. Or for policy-initiated actions, the Actions Tracker indicates the action was created byAgent Policy.
- Target—Endpoint host name (if only one) or endpoint count for bulk operations.
- Status—Status of the action (pending, in progress, succeeded, or failed).
- Creation Time—Time the action was initiated.
- Additional Information—Summary of the progress or additional details.
- Filter the actions to reduce the number of results displayed in theActions Tracker.By default, theActions Trackerdisplays the status of actions initiated within the last 37 days (30 days + a 7-day grace period). After 37 days, Traps management service clears any information about the administrative action from theActions Tracker. To quickly locate specific actions, you can apply custom filters from the Filters menu at the top of theActions Trackerwindow. You can also pin ( ) any filters you want to persist the next time you return to theActions Trackerwindow.When you apply more than one filter, Traps management service displays only administrative actions that matchallthe specified criteria. You can filter the actions displayed in the window using the following attributes:
- Created By—Filters actions by the partial or full name of the specific user that initiated the action.
- Endpoint ID—Filters actions that occur on endpoints matching the full endpoint ID that you specify. This ID is assigned by Traps to identify the endpoint.
- Endpoint Name—Filters actions that occur on endpoints matching a full or partial endpoint hostname or alias.
- SHA256—Filter actions that match a full SHA256 hash value.
- Type—Filters existing actions by one or more selected action types (for example Agent Scans and Halted Agent Scans).
- To view additional details for an event, click the name of the eventType.The additional details view displays information about the operation including the progress and details about each endpoint on which the action was performed. Depending on the event type, the additional details view can also provide links to relevant information for the action. For example, for a data retrieval event, you can download the data (when available) and view additional information about the security event for which the data was retrieved.