{{aagon.priorisierung}}
20
{{/aagon.priorisierung}}

{{aagon.floatingbox/}}

Defender activity on the client is logged in the form of events. They are periodically scanned by the ACMP Agent and sent to the ACMP Server. If the events are alarms and possible threats, they are sent to the server in real time.

The interval at which the scanner runs can be configured in [[Agent Tasks>>doc:ACMP.64.ACMP-Solutions.Client-Management.Agentenplaner.WebHome]].

{{figure}}
(% style="text-align:center" %)
[[image:17_64_Defender Management_Ereignisse_1466.png||alt="Events.PNG"]]

{{figureCaption}}
Tab Events
{{/figureCaption}}
{{/figure}}

Events are divided into different event types:

|=Event type|=Description
|Alarms|Contains all detected and possible threats found on the client, such as the detection of a virus.
|Warnings|Contains possible security-related information which, if ignored, could lead to a security breach, e.g. by disabling a scan.
|Hints|Contains non-security-related information, such as the start of a scan.
|Errors|Contains incorrect or failed operations that have taken place on the client.
|Information|Contains any ongoing information, such as update status.

{{aagon.warnungsbox}}
The scanning of the //Information// event type is disabled by default. If you want to enable it, you can make the changes in the Defender Management First Steps wizard or in the navigation under //System// > //Settings// > //Defender// //Management// by selecting the //Information// checkbox. Note, however, that the large number of events can increase the load on the database.
{{/aagon.warnungsbox}}

= Displaying events =

To view all logged events, go to the //Defender Management// plugin in the navigation and click the //Events// tab. You will see a list of all events, starting with the current event. Each event has 2 statuses: **read** and **unread**.

You can tell the status by the open or closed letter icon on the event entry. An entry counts as read once you have clicked //Mark as read// in the ribbon bar. You can add a comment to the entry.

Each event contains the following properties in the list:

|=Property|=Description
|Event entry|Categorises all events into 5 types
|Event ID|ID assigned by Microsoft
|Event name|More detailed categorisation of the event to see what triggered it
|Computer name|The name of the Client on which the event occurred
|Time of creation|Date and time when the event occurred on the Client
|Comment creator|ACMP identification user who created the comment
|Comment date|Date the comment was made
|Event message|Message describing the event
|Event level|Rough categorisation of the event, assigned by Microsoft
|Details|Exact information about the event

You can also view these properties in the Client Details or use them as fields in queries and reports.

If you only want to see a particular type of event in the list, you can set and filter the required type using the filter icon above the list.

= Viewing the Events of a specific client =

To view the events of a specific Client, you can either filter for specific Clients in the Defender plug-in on the //Events// tab using the filter option in the column, or view them in the Client details of the required Client. To do this, double-click on a particular Event entry in the list that has occurred on the required Client. This will take you to the Client details.

= Scanning events =

The Defender Scanner is disabled by default and can be manually enabled. This can be done either after completing the First Steps wizard or manually from the //Agent Tasks// > //Defender Scanner// navigation. Double-click to bring up a wizard where you can set the time and interval.

= Real-time notification of detected threats =

Real-time transmission of detected threat events is available for immediate response in urgent cases. This is only available for //alarms//. If a threat is detected on the client, the ACMP Agent transmits it in real time to the ACMP Server and it can be viewed in the Events.

= Deleting obsolete events =

To avoid unnecessary storage usage, you can regularly run cleanup jobs for both events and quarantine files.

The jobs can be found in the navigation under //System// > //Settings// > //ACMP// //Server// > //Scheduled// //Server// //Tasks// > //Defender// //Events// //cleanup//. By default, all events are deleted after 30 days. The cleanup itself takes place every 5 hours, although this interval can also be customised.
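
To cross-check on a Client what the //Events// tab should contain, the following PowerShell sketch reads the local Defender event log for the same 30-day window as the default cleanup and lists the properties described above. It is an added example, not part of ACMP or of the original page. It assumes the events originate from the Windows log `Microsoft-Windows-Windows Defender/Operational` (the page only states that the IDs are assigned by Microsoft); the output property names are chosen for illustration, and 1116/1117 are Microsoft's event IDs for a malware detection and the action taken on it.

```powershell
# Added example (not ACMP code). Run on the Client with rights to read the log.
# Assumption: the scanned events come from the Defender Operational log.
$LogName = 'Microsoft-Windows-Windows Defender/Operational'
$Since   = (Get-Date).AddDays(-30)   # same window as the default 30-day cleanup

# Non-terminating "no events found" errors are suppressed; $events is then empty.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

# Project each record onto the properties listed in the Events tab.
$rows = foreach ($e in $events) {
    [pscustomobject]@{
        EventId      = $e.Id                 # "Event ID" (assigned by Microsoft)
        EventLevel   = $e.LevelDisplayName   # "Event level" (assigned by Microsoft)
        ComputerName = $e.MachineName        # "Computer name"
        TimeCreated  = $e.TimeCreated        # "Time of creation"
        # First line of the rendered message only; the full text is the "Details".
        EventMessage = ("$($e.Message)" -split "`r?`n")[0]
    }
}

# Volume per Microsoft level: shows how many informational records exist and
# therefore how much database load enabling the Information type could add.
$rows | Group-Object EventLevel |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Detections that should appear as real-time alarms on the server.
$rows | Where-Object { $_.EventId -in 1116, 1117 } |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, EventId, EventLevel, ComputerName, EventMessage -AutoSize -Wrap
```

A detection listed here but missing from the //Events// tab indicates that the Defender Scanner task is not enabled or that the Agent has not reported to the server.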

© Aagon GmbH 2024