Monitor Administrative Actions
To monitor the progress of administrator-initiated activities that may take time to complete (especially when run in bulk), you can use the Actions Tracker in Traps management service.
The Actions Tracker tracks the following activities:
- Agent upgrades
- Agent uninstalls
- Agent scans
- Aborted agent scans
- Data retrieval (both security event data and tech support files)
- File retrieval (Windows endpoints only, up to 20 files reported as part of the security event)
- File quarantine
- Quarantined file restoration
- Endpoint isolation
- Isolated endpoint restoration
Administrative actions that typically complete immediately—such as updating the status of a security event or deleting an endpoint—are not tracked in the Actions Tracker.
Should the action fail to complete, the Actions Tracker displays details to help you understand the reason for the failure.
For bulk operations initiated prior to the September 2018 Traps management service release (but within the 37-day tracking period), the Actions Tracker displays those actions independently as single actions.
- From Traps management service, select Monitor > Actions Tracker. For each action, the Actions Tracker displays the following information:
- Type—Type of action.
- Created By—The user and service that initiated the action. For policy-initiated actions, the Actions Tracker indicates that the action was created by Agent Policy.
- Target—Endpoint host name (if only one) or endpoint count for bulk operations.
- Status—Status of the action (pending, in progress, succeeded, or failed).
- Creation Time—Time the action was initiated.
- Additional Information—Summary of the progress or additional details.
- Filter the actions to reduce the number of results displayed in the Actions Tracker.
  By default, the Actions Tracker displays the status of actions initiated within the last 37 days (30 days + a 7-day grace period). After 37 days, Traps management service clears any information about the administrative action from the Actions Tracker. To quickly locate specific actions, you can apply custom filters from the Filters menu at the top of the Actions Tracker window. You can also pin any filters you want to persist the next time you return to the Actions Tracker window.
  When you apply more than one filter, Traps management service displays only administrative actions that match all the specified criteria. You can filter the actions displayed in the window using the following attributes:
- Created By—Filters actions by the partial or full name of the specific user that initiated the action.
- Endpoint ID—Filters actions that occur on endpoints matching the full endpoint ID that you specify. This ID is assigned by Traps to identify the endpoint.
- Endpoint Name—Filters actions that occur on endpoints matching a full or partial endpoint hostname or alias.
- SHA256—Filters actions that match a full SHA256 hash value.
- Type—Filters existing actions by one or more selected action types (for example, Agent Scans and Halted Agent Scans).
- To view additional details for an event, click the name of the event Type. The additional details view displays information about the operation including the progress and details about each endpoint on which the action was performed. Depending on the event type, the additional details view can also provide links to relevant information for the action. For example, for a data retrieval event, you can download the data (when available) and view additional information about the security event for which the data was retrieved.