Retrieve Data About a Security Event
When a security event occurs on an endpoint, Traps collects forensic data including the contents of memory and stores it on the endpoint. Use the forensic data to debug an issue or investigate a specific problem with an application. Selecting this option creates an agent settings rule to retrieve the information collected by Traps. After Traps receives the agent settings rule, the agent sends all the logs to the designated forensic folder.
To create a general rule to retrieve data from one or more endpoints, see Manage Data Collected by Traps.
- From the ESM Console, select Security Events > Threats to view security events related to protected processes, or Monitor > Provisional Mode to view security events related to provisional processes.
- Select the security event for which you want to retrieve data. The event expands to display further details and actions about the security event.
- Click Retrieve Data. The ESM Console populates the settings for an agent settings rule.
- Review the rule details, and then click Apply to activate the rule immediately or Save to activate the rule at a later date. At the next heartbeat communication with the ESM Server, the Traps agent receives the new rule and sends the prevention data to the forensics folder.
- To view the status of the forensic upload, select Monitor > Data Retrieval.
- After the upload is complete, click Download to save the prevention data locally, or navigate to the forensic folder. If you no longer require the prevention data, you can optionally Delete it from the Data Retrieval table.