This article explains how to monitor and respond to threats identified by Cato's Endpoint Protection (EPP) engines.
To increase your awareness of potential threats to your endpoints and end users, you can view and analyze details of potential threats to determine how to respond. If an EPP engine identifies potentially malicious activity, an Event is created containing the relevant information. EPP events provide key information about the identified threat, for example the endpoint the threat occurred on, the time and date of the threat, and the name of the file that triggered the event. For more information about analyzing events, see Analyzing Events in Your Network.
You can also view an overview of threats detected by EPP in your network from the Endpoint Protection Dashboard.
Files that are identified as malicious can be encrypted and quarantined, depending on your protection settings. You can view quarantined files and, if they are considered safe, restore them to their original location.
You can view all the events triggered by endpoint protection within a defined timeframe. The Engine Type field shows which engine triggered the event.
Note: An event can take 6 minutes to be created after a file is blocked.
To identify threats on your endpoints:
1. From the navigation menu, click Monitoring > Events.
2. In the events filter bar, click the Add icon. The Add Filter window opens.
3. From the Field drop down, select Sub-Type.
4. From the Operator drop down, select Is.
5. From the Value drop down, select EPP Malware.
6. Click Update Filter. The threats identified by EPP are displayed.
The following table lists the event fields in an EPP Malware event.
| Field Name | Description |
|---|---|
| Action | Action that is relevant to the event type. |
| Mitigation Actions Taken | Action taken by EPP. Mitigation actions are: |
| Client Version | Version number of EPP. |
| Device Name | Computer name of the endpoint. |
| Endpoint ID | Unique ID of the EPP agent. |
| Engine Type | Engine that detected the threat. |
| Endpoint Protection Profile | EPP profile on the endpoint. |
| Event Count | Count for events that are repeated multiple times during one minute. |
| Sub-Type | Sub-Type category of the event. |
| Event Type | Category of the event. |
| File Hash | File hash of the suspicious file. |
| File Name | File path and name of the suspicious file. |
| File Operation | Action the end user took to trigger the event. |
| ISP Name | ISP the endpoint is connected to. |
| Logged In User | End user logged in at the time of the event. |
| Object Name | File path and name of the suspicious file. |
| OS Type | Endpoint operating system. |
| OS Version | Endpoint operating system version. |
| User SID | SID of the endpoint. |
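The Sub-Type filter from the procedure above and the fields in the table are also what you would use to triage EPP Malware events outside the UI, for example from an exported event list. The following Python script is an added example and is not Cato's code or API: it assumes the events are available as JSON records keyed by the field names in the table (the real export schema may differ), and every value in the sample records, including the mitigation action strings, is constructed for illustration. It applies the same Sub-Type Is "EPP Malware" selection, sums Event Count per endpoint (one event can stand for several repeats within a minute), lists detections whose mitigation does not look like containment, and flags file hashes seen on more than one endpoint.

```python
import json
from collections import defaultdict

# Constructed sample export. The keys reuse the field names from the table;
# the hash, path, user and mitigation values are made up for this example and
# do not represent the real Cato event schema.
SAMPLE_EVENTS_JSON = json.dumps([
    {"Event Type": "Security", "Sub-Type": "EPP Malware", "Device Name": "LAPTOP-01",
     "Engine Type": "Anti-Malware", "Logged In User": "alice", "Event Count": 3,
     "File Hash": "0" * 64, "File Name": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "Mitigation Actions Taken": "Quarantined"},
    {"Event Type": "Security", "Sub-Type": "EPP Malware", "Device Name": "LAPTOP-01",
     "Engine Type": "Anti-Malware", "Logged In User": "alice", "Event Count": 1,
     "File Hash": "0" * 64, "File Name": "C:\\Users\\alice\\Desktop\\invoice.exe",
     "Mitigation Actions Taken": "Quarantined"},
    {"Event Type": "Security", "Sub-Type": "EPP Malware", "Device Name": "DESKTOP-07",
     "Engine Type": "Anti-Malware", "Logged In User": "bob", "Event Count": 1,
     "File Hash": "0" * 64, "File Name": "D:\\tools\\helper.dll",
     "Mitigation Actions Taken": "Detected"},
    {"Event Type": "Connectivity", "Sub-Type": "Connected", "Device Name": "DESKTOP-07",
     "Event Count": 1},
])

# Placeholder mitigation values treated as "file is no longer reachable by the
# user"; the page does not list the actual values, so adjust to your export.
CONTAINED_ACTIONS = {"Quarantined", "Blocked"}


def load_events(raw_json):
    """Parse the exported event list (assumed to be a JSON array of records)."""
    return json.loads(raw_json)


def filter_epp_malware(events):
    """Same selection as the UI filter: Sub-Type Is 'EPP Malware'."""
    return [e for e in events if e.get("Sub-Type") == "EPP Malware"]


def summarize_by_endpoint(events):
    """Aggregate EPP Malware events per Device Name.

    Event Count is summed because a single event can represent repeated
    detections within one minute.
    """
    summary = defaultdict(lambda: {"detections": 0, "hashes": set(),
                                   "users": set(), "uncontained": []})
    for e in filter_epp_malware(events):
        s = summary[e["Device Name"]]
        s["detections"] += int(e.get("Event Count", 1))
        s["hashes"].add(e.get("File Hash"))
        s["users"].add(e.get("Logged In User"))
        if e.get("Mitigation Actions Taken") not in CONTAINED_ACTIONS:
            s["uncontained"].append(e.get("File Name"))
    return dict(summary)


def endpoints_needing_follow_up(summary):
    """Endpoints with at least one detection that was not contained."""
    return sorted(dev for dev, s in summary.items() if s["uncontained"])


def hashes_seen_on_multiple_endpoints(summary):
    """File hashes detected on more than one device, a hint of spread to check."""
    seen = defaultdict(set)
    for dev, s in summary.items():
        for h in s["hashes"]:
            seen[h].add(dev)
    return {h: sorted(devs) for h, devs in seen.items() if len(devs) > 1}


if __name__ == "__main__":
    summary = summarize_by_endpoint(load_events(SAMPLE_EVENTS_JSON))
    for dev, s in sorted(summary.items()):
        print(f"{dev}: {s['detections']} detection(s), "
              f"{len(s['hashes'])} unique hash(es), "
              f"{len(s['uncontained'])} uncontained")
    print("Follow up:", endpoints_needing_follow_up(summary))
    print("Hashes on multiple endpoints:", hashes_seen_on_multiple_endpoints(summary))
```

Because an event can take up to 6 minutes to appear after a file is blocked, run this kind of summary over a window that ends a few minutes in the past, or you will miss the most recent detections.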
If your Protection setting is set to Block and Remediate, EPP encrypts and quarantines malicious files. This prevents the end user from accessing the file and prevents harmful processes from running on the endpoint. Quarantining potential threats keeps your endpoints secure and reduces the risk of infection spreading across your environment.
You can monitor quarantined files and restore them to their original location if they are safe.
You can monitor the files that have been quarantined on each endpoint.
To review quarantined files:
1. From the navigation menu, click Monitoring > Protected Endpoints. The Protected Endpoints table is displayed.
2. In the Quarantine Files column, click the number for the endpoint whose quarantined files you want to view. The quarantined files on the endpoint are displayed.
Note: If the Quarantine Files column is blank, no quarantined files have been found on the endpoint.
If a file has been quarantined by mistake, or if you consider the file to be safe, you can restore it to its original location on the endpoint. The end user can then access the file. After a file is restored from quarantine, it is added to the Allow List.
To restore quarantined files:
1. From the navigation menu, click Monitoring > Protected Endpoints. The Protected Endpoints table is displayed.
2. In the Quarantine Files column, click the number in the row of the endpoint you want to restore a quarantined file from. The Quarantine table is displayed.
3. On the row of the file you want to restore, click the three dots at the end of the table.
4. Click Restore. The file is restored to its original location.