Monitoring SES Evolution agent activity
SES Evolution offers an accurate view of SES Evolution agent and console activity through various types of logs classified by severity.
Among other data, logs contain the time of an event, the agent on which it occurred, the identity of the process that performed the operation, and if operations are blocked, information about the block.
Requirements
No short file names in MS-DOS 8.3 format must appear in SES Evolution logs. Windows short file name creation must be disabled on all SES Evolution agents.
- To do so, set the value of the NtfsDisable8dot3NameCreation registry key to 1 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem.
Various log types
SES Evolution agents generate several types of logs:
- Event logs are simple logs without an attached context. They provide information, for example, on blocked user actions that are prohibited by security policies, which then makes it possible to audit certain operations, etc. Events fall under several types:
- Alert logs indicate that an attack occurred. Such logs come with a context that makes it possible to analyze the events that led up to the malicious action.
- Context logs are captured continuously on agents and represent an overall audit of actions performed on a workstation. They are not kept and are sent only when an alert is detected. These logs provide information on activity on the workstation just before and after the attack.
|
Protection events |
Generated when operations are blocked or audited by a security rule. For example, the process illegimate_process.exe attempted to run the process abused_process.exe. |
| Self-protection events | Generated when suspicious events are detected on the Windows system that are not associated with a security rule. For example, the user attempted to delete a protected file. |
| Operational events | Generated when events relating to the global operation of SES Evolution are detected. For example, the agent applied a new policy. |
| External events | Generated when events relating to External event forwarding and OSSEC audit rules are detected. |
| Windows Defender events | Generated when Windows events relating to the Virus and threat protection feature are reported. These logs are displayed only when the security policy contains Stormshield - Windows Defender event forwarding rule sets. |
Agent logs can be read on the administration console and the agent’s interface. They can also be read on the syslog server if you have configured one.
Depending on whether you want to make changes or only view the Agent logs panel, you must have the Agent logs-Modify or Agent logs-Display privilege.
You can configure the log levels that will be sent to the configure, agent and syslog server. For further information, refer to the sections Sending logs generated by agents and Configuring log management.