Event Collection
Note
Event Bypass Management and Exception Settings can be configured in Policy > Event Bypass Management.
Collecting Endpoint Events
Once the agent is installed on a device, the events generated on that endpoint are sent to the Insights E server. By default, the Genian Insights E server collects the events it considers important (process execution, and creation of executable, document, and compressed files); which additional information is collected can be changed in Server Settings.
Events collected from endpoints can be viewed in Discovery. The default indexes are listed below.
- Endpoint2: Events (file, process, module, network, registry) that occur on endpoints
- Alert2: Event-based view of threats detected by the Threat Detector engine, and of alarms and threats detected by the XBA engine
- Threat2: Status-based view of threats detected by the Threat Detector engine, and of alarms and threats detected by the XBA engine
- Inflow: File inflow information
- Volume: External storage device mount information
- FileMaster: PE and script file information
- system-info: PC resource information collected by the agent
Windows Events (ETW)
Note
In Policy > Group Policy Management > Collection, you can set which Windows events are collected.
Genian Insights E lets users register the Windows events they want, and then collects those events and makes them searchable. The relevant events are stored in the winevt index and can be searched in Discovery.
- WindowEvent: Windows event information generated by endpoints
Event Search
The Analysis > Investigation > Event Search page lets you view and analyze events that occurred across all endpoints, rather than on a specific endpoint.
Event Search
- In the Event Search screen, you can search all fields related to a file at once with a single keyword. Fields that can be searched without entering a field name are marked with a blue star when you click the search bar.
- In the search bars of other menus you must search in the format 'Field Name: Data', but in the Event Search screen you can search by keyword alone.
- If the keyword to be searched contains spaces, surround it with double quotation marks.
- The fields AuthName, AuthDeptName, and HostName must be entered in full when searching by keyword. For example, if the AuthName is Hong Gil-dong, entering only Hong-gil will not find it.
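The search rules above (bare keywords across starred fields, 'Field Name: Data' terms, double-quoted keywords with spaces, and full-value matching for AuthName, AuthDeptName and HostName) can be modelled with a small matcher. The code below is an added example, not Genian's own search implementation; the set of keyword-searchable fields, the sample events, and the AND-combination of terms are assumptions made for the illustration.

```python
import re
import shlex

# Fields that match only on their complete value (stated on the page).
EXACT_FIELDS = {"AuthName", "AuthDeptName", "HostName"}
# Assumed set of fields searchable by bare keyword (the "blue star" fields).
KEYWORD_FIELDS = {"FileName", "ProcessName", "CmdLine", "DestIP"} | EXACT_FIELDS

# Constructed sample events, not data exported from the product.
EVENTS = [
    {"id": 1, "EventType": "process", "HostName": "PC-01", "AuthName": "Hong Gil-dong",
     "AuthDeptName": "Security Team", "ProcessName": "powershell.exe",
     "CmdLine": "powershell.exe -w hidden -f C:\\Temp\\update.ps1"},
    {"id": 2, "EventType": "network", "HostName": "PC-02", "AuthName": "Kim Chul-soo",
     "AuthDeptName": "Security Team", "ProcessName": "chrome.exe", "DestIP": "203.0.113.10"},
    {"id": 3, "EventType": "file", "HostName": "PC-01", "AuthName": "Hong Gil-dong",
     "AuthDeptName": "Security Team", "ProcessName": "powershell.exe", "FileName": "update.ps1"},
]

def parse_query(query):
    # Split into (field, value) terms; field is None for a bare keyword.
    # Double quotes keep a keyword with spaces together; 'Field: value' and
    # 'Field:value' are both accepted.
    query = re.sub(r"(\w+):\s+", r"\1:", query)
    terms = []
    for tok in shlex.split(query):
        m = re.fullmatch(r"(\w+):(.+)", tok)
        terms.append((m.group(1), m.group(2)) if m else (None, tok))
    return terms

def field_matches(field, value, event):
    # Exact fields need the full value; other fields match on a substring.
    actual = event.get(field)
    if actual is None:
        return False
    if field in EXACT_FIELDS:
        return actual.casefold() == value.casefold()
    return value.casefold() in actual.casefold()

def search(query, events=EVENTS):
    # Return ids of events matching every term (terms are ANDed, an assumption).
    terms = parse_query(query)
    return [
        ev["id"] for ev in events
        if all(field_matches(f, v, ev) if f else any(field_matches(k, v, ev) for k in KEYWORD_FIELDS)
               for f, v in terms)
    ]
```

Running `search("Hong-gil")` returns nothing while `search('"Hong Gil-dong"')` finds the user's events, which reproduces the full-value rule for the three name fields.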
Event Investigation
The Event Investigation list lets you check the event history of all endpoints.
- The history for the selected period (e.g. Today, 1d, 3d) is displayed in a chart; click and drag within the chart to narrow the date range and view detailed information.
Clicking an entry in the event list opens the event detail screen.
- Clicking the exception-handling icon on the event detail screen registers the event so that it is no longer collected.
- Clicking the docking pop-up on the right side opens a separate pop-up window. In the event detail screen you can see which process initially executed the clicked item and, if connection information exists, the destination IP.
- Clicking the floating icon displays the Process, File, Module, Network, and Registry information related to the clicked item, ordered by first occurrence time. (Data not collected according to the Collection Target Event Settings in Policy > Group Policy > Policy with Endpoints is not displayed.)
- For the event selected in the event details, you can view only the events directly related to the selected event's execution, or change the settings to display all related events by event type.
Event Investigation Column Settings
In the Event Search screen, column settings let you display only the information you want to check.
- In Analysis > Investigation > Event Search, click the Settings icon in the upper right corner and select 'Edit column' to open the Column Settings screen.
- Move the column items you want to display to the right and click the 'Save' button; the columns you selected are then displayed.