The Events page in OneView displays a record of threats, endpoints requiring remediation, and activities performed in the console. Use the drop-down lists to filter the entries shown. Event data is stored and displayed for up to 30 days prior across all endpoints. To navigate to the Events page, go to Investigate > Activity Log > Events.
Event types by severity
There are different types of events, each varying in severity. Use the Severity drop-down list to filter for specific events based on the different event types:
| Severity | Description | Event type |
|---|---|---|
| Severe | A threat was found on an endpoint. |
|
| Warning | A threat was cleaned, Suspicious Activity detected, a command failed, or an item failed to delete from the Quarantine. |
|
| Info | A scan finished on an endpoint, asset or agent information was posted to the console, or an item was deleted from the Quarantine. |
|
| Audit | An endpoint was registered in the console, an endpoint was deleted from the console, a report was generated, an exclusion was edited, a policy was edited, or a user was added or deleted. |
|
Next to an event, click the timestamp to show details. If an event is related to a policy-level exclusion, hover over the Policies item to show the policies affected. If the event is a Threat Found, click the View Report link to check out the report for the scan identifying the threat.
Event sources
Each event originates from a specific source, the point or entity where it came from. Knowing the source is key to understanding the event's cause and context. Use the Sources column in the Events Activity log to identify and filter by the source.
| Event Source | Description |
|---|---|
| EDR | Activities related to Endpoint Detection and Response, such as Suspicious Activity Closed. |
| ThreatDown Support | Actions taken by ThreatDown Support through remote assistance or a backend change done by engineering to support an upcoming feature. |
| Managed Machines | Activities occuring on machines or resulting from such actions, such as Endpoint Agent Installed, Patch Applied, or Endpoint Removed Due to Inactivity. |
| Scan Threat | Events happening from manual and scheduled scans. |
| Licensing System | Changes to the account's license, such as upgrading bundles, or enabling an add-on. |
| Unknown | Unable to determine the event source. |
| Web Console | Actions originating from the console, such as creating a policy, or exclusion. |