The Monitor > Detection Center > Detection Log page in OneView displays information on all detections and potential threats found across all sites. The Detection Log table helps you manage the available information more efficiently. It lists all detections from the past 365 days, newest first.
To review additional detection details, navigate to Manage > Sites and launch the specific OneView site. Once the site is launched, on the left navigation menu go to Monitor > Detection Center > Detection Log. To expand the detection details, locate the Threat Name column and click on the listed detection name to view more details.
Actions taken
The Actions taken column on the Detection Log page shows what action occurred for each detected item. Refer to the table below for an explanation of each action:
| Action taken | Description |
|---|---|
| Blocked | OneView blocked the action and stopped the threat. Categories of detections blocked: |
| Found | OneView reported the detection, but took no action. Categories of detections found: The Remediation Required status displays for endpoints when a Malware, PUM, PUP, or Ransomware threat is detected by a Scan + Report, or by a scheduled Scan where Quarantine threats automatically is unchecked. For more information, see Endpoints actions in OneView. To clear the status: A Remote Intrusion detection is shown as Found when the configured threshold of failed password attempts is exceeded within the timeframe. For more information, see Brute force protection policy settings in OneView. To prevent this: |
| Deleted | The quarantined item was deleted from the endpoint as a result of a delete task run from the console, by selecting the item in the quarantine list (index). |
| Quarantined | OneView detected an item, made an encrypted copy of the item in the local quarantine on the endpoint, and deleted the original. The quarantine list in the console is an index of items held on the endpoints. Categories of quarantined detections: See the Quarantined Detections page in OneView for further details about managing the Quarantine function. |
| Restored | The quarantined item was restored on the endpoint to its original location. |
Actions menu
In the top-right, click the kebab icon to take actions on the Detection Log page:
- Download .csv: Export a report in .csv format containing the selected rows of data.
- Download .xlsx: Export a report in .xlsx format containing the selected rows of data.
  If the data size is too large to download, an email is sent instead with a link to download the export.
- Create exclusion: Create exclusions on the selected detections. Only Global Administrators can create exclusions. For more information on exclusions, see Overview of exclusions in OneView.
View and sort data
- Filter results: Next to a column header, click the filter icon to narrow the results. When you click the filter icon, the filter list at the top of the screen shows which filters are applied. Click a filtered item to remove it, or click Reset filters to go back to the default filter settings.
- Customize table columns: In the top-right of the table, click Add / Remove Columns to customize the table columns.
- Column pinning and auto-sizing: Next to a column header, click the hamburger menu button to display a checkbox list of sub-filters you can apply. Click the hamburger menu button to pin or auto-size the selected column.
- Right-click menu: In the table, click and drag to select and highlight a section of the table. Right-click on your selected information to copy or export a .csv or an .xlsx file.
- Select all: Click the checkbox next to the Threat name column header.
Expand detection details
Under the Threat Name column, click one of the listed detection names to view more details. In the Detection Details window, you can view the following information:
- Category: The protection triggered by the detection. Filter by malware, PUP, PUM, exploit, ransomware, remote intrusion, website, or vulnerable driver detections.
- Type: The type of detection, such as a file or outbound connection. Filter by application, exploit, extension, file, folder, inbound connection, module, outbound connection, process, registry key, or registry value.
- Action taken: The current status of the detection, such as Found, Quarantined or Blocked.
- Endpoint: Click the endpoint name to go to the Overview page of the endpoint.
- Last user: The last user logged into the endpoint.
- Location: The location of the detection on the endpoint. Contents change with the type of detection.
- MD5 Hash: The MD5 digest of the detected file. May be empty if no file was present. Use it as a key to search in Flight Recorder or external threat intelligence sites such as www.virustotal.com. MD5 is no longer collision-resistant, so prefer the SHA256 hash when you need a reliable match.
- SHA256 Hash: The SHA-256 digest of the detected file. May be empty if no file was present. Use it as a key to search in Flight Recorder or external threat intelligence sites such as www.virustotal.com.
- IP Address: If the detection is a Malicious Website, this field shows the website's IP Address.
- Port: If the detection is a Malicious Website, this field shows the port the connection used.
- Process Name: The file path of the process.
- Scanned At: The date and time the detection was scanned.
- Quarantined At: The date and time the detection was quarantined.
- Reported At: The time and date OneView reported the detection.
- Scan ID: The unique identifier of the scan for the detection.
- Detection Name: Click the name to open a glossary explanation of the detection.
- Domain: If the detection is a Malicious Website, this field shows the web URL.
- Group Name: Click the name of the group to view the endpoints that belong to the same group.
- Policy Name: Click the name of the policy to view the endpoints using the same policy.
- Detection history: Shows the history of the threat on the specific endpoint.
The available information in the window varies between types and how they are detected.
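As an added example (not OneView's own code or export format), the script below triages a Detection Log .csv export, which the Actions menu can produce, using the Action taken semantics from the table above: "Found" rows in the Malware, PUM, PUP or Ransomware categories are the ones that leave an endpoint in Remediation Required. The CSV header names and the sample rows are constructed assumptions; the page lists these fields but not the exact export headers.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names are assumed to match the field names
# shown in the Detection Details window; hashes are zero-filled placeholders.
SAMPLE_CSV = r"""Threat Name,Category,Type,Action taken,Endpoint,MD5 Hash,SHA256 Hash,Location
Malware.Sample.Example,Malware,File,Found,WS-001,00000000000000000000000000000000,0000000000000000000000000000000000000000000000000000000000000000,C:\Temp\a.exe
PUP.Optional.Example,PUP,Registry Key,Quarantined,WS-002,,,HKLM\Software\Example
Ransomware.Sample.Example,Ransomware,Process,Found,WS-003,,,C:\Users\u\b.exe
RemoteIntrusion.Example,Remote Intrusion,Inbound Connection,Blocked,SRV-001,,,203.0.113.5:3389
Malware.Sample.Example,Malware,File,Quarantined,WS-001,00000000000000000000000000000000,0000000000000000000000000000000000000000000000000000000000000000,C:\Temp\a.exe
"""

# Per the Actions taken table, "Found" means reported with no action taken, and a
# detection in one of these categories left in that state triggers Remediation Required.
REMEDIATION_CATEGORIES = {"Malware", "PUM", "PUP", "Ransomware"}


def parse_detection_log(text):
    """Parse a Detection Log export into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def remediation_required(rows):
    """Return sorted (endpoint, threat) pairs still needing a quarantine or cleanup action."""
    return sorted({(r["Endpoint"], r["Threat Name"]) for r in rows
                   if r["Action taken"] == "Found"
                   and r["Category"] in REMEDIATION_CATEGORIES})


def actions_by_endpoint(rows):
    """Count Action taken values per endpoint, e.g. to spot hosts with repeated Found entries."""
    counts = {}
    for r in rows:
        counts.setdefault(r["Endpoint"], Counter())[r["Action taken"]] += 1
    return counts


def lookup_key(row):
    """Pick the hash to pivot on in Flight Recorder or threat intel: SHA256 first,
    MD5 only as a fallback, None when no file was present."""
    return row["SHA256 Hash"] or row["MD5 Hash"] or None


if __name__ == "__main__":
    rows = parse_detection_log(SAMPLE_CSV)
    for endpoint, threat in remediation_required(rows):
        print(f"Remediation Required: {endpoint} {threat}")
    for endpoint, counts in actions_by_endpoint(rows).items():
        print(endpoint, dict(counts))
```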