Skip to main content

Events and Tasks in Nebula

Updated: 

In Nebula, an Event is a general term for a threat that has occurred, remediation or other action taken on a threat, and other endpoint-related activity. Similarly, queued or pending endpoint actions are referred to as Tasks. This article provides a brief overview of the Events and Tasks screens and how they are useful for endpoint management.

Events

This screen displays a record of threats, remediation and other activities on endpoints. Use the drop-down lists to filter the entries shown. Event data is stored and displayed for up to 30 days prior across all endpoints. Use this page to audit endpoint and threat activity.

There are several types of events, varying in severity. The Severity drop-down list has the following event types:

Severity Description Event type
Severe A threat was found on an endpoint.
  • Threat Found
Warning A threat was cleaned, Suspicious Activity detected, a command failed, or an item failed to delete from the Quarantine.
  • Command Failed
  • Command Timeout
  • Patch Applied (Failed)
  • Suspicious Activity Detected
  • Scheduled Threat Scan Failed
  • Threat Cleaned
Info A scan finished on an endpoint, asset or agent information was posted to the console, or an item was deleted from the Quarantine.
  • Deleted from Quarantine
  • Patch Applied (Success)
  • Scheduled Hyper Scan Success
  • Scheduled Software Updated
  • Scheduled Threat Scan Success
  • Software Updated
  • Suspicious Activity Closed
  • Threat Scan Success
  • Vulnerabilities Resolved
Audit An endpoint was registered in the console, an endpoint was deleted from the console, a report was generated, an exclusion was edited, a policy was edited, or a user was added or deleted.
  • An Endpoint was Moved to Another Group
  • Endpoint Agent Installed
  • Endpoint Agent Removed
  • Endpoint Agent Uninstalled
  • Endpoint Removed Due to Inactivity
  • Exclusion Created
  • Exclusion Disabled
  • Exclusion Updated
  • Global Exclusions Disabled
  • Global Exclusions Enabled
  • New Active Response Shell Session
  • On-Demand Report Deleted
  • Policy Created
  • Policy Updated
  • Scheduled Report Emailed
  • Scheduled Report Generated
  • Syslog Communication Endpoint Added
  • User Permission Changed
  • Uninstall Protection Configured
  • Uninstall Protection Password Revealed
  • User Created by SSO Just-In-Time (JIT) Provisioning

Next to an event, click the timestamp to show details. If an event is related to a policy level exclusion, hover over the Policies item to show the policies affected. If the event is a Threat Found, click the View Report link to check out the report for the scan that identified the threat. 

Tasks

This screen shows on-demand activities requested on endpoints in the last 90 days. These activities can be asset management scans, malware scans, quarantine restore, or quarantine delete. Use the page the check the status of commands run from the console.

The following list shows the possible statuses for a task:

  • Pending: The endpoint is waiting to receive the command. Tasks stay pending for up to 72 hours. Pending tasks can be canceled with the Cancel Pending Tasks button.
    • Use this if you need to cancel a reboot or scan before the task begins. 
    • The window to cancel a task is small if an endpoint has an active websocket connection, since task quickly switches from pending to processing.
  • Processing: The action is in progress. Processing tasks cannot be canceled. 
  • Success: The action is complete.
  • Expired: The endpoint did not receive the command after pending for 3 days.
  • Failed: The action has failed. The software may have encountered an issue. Try sending the task again.
  • Canceled: The action is aborted. 

Use the drop-down menus at the top of the screen to filter by the task status.

Still have questions?

Support is available via chat, phone or by creating a ticket. You can also use our virtual assistant for guided assistance.

Learn more