Understanding the types of contexts

Incidents consist of two types of contexts:

  • The simple context shows only alerts and logs regarding the creation and killing of all processes that were run on the agent within the attack perimeter. The simple context is shown by default in the detailed incident report.
  • The detailed context shows all the logs that the agent produced in the attack perimeter, including those that do not usually appear in the administration console. For example, even logs that remained local on the agent or that were sent to a syslog server can be seen in the detailed context. They are generated by the Stormshield - Audits of attack contexts rule set of the default policy.
    Depending on the agent group configuration, the display of the full context may need to be manually enabled.