Policy Change Event Variables
Table of Contents
4.2 (EoS)
Expand all | Collapse all
-
- Set Up the Endpoint Infrastructure
- Activate Traps Licenses
-
- Endpoint Infrastructure Installation Considerations
- TLS/SSL Encryption for Traps Components
- Configure the MS-SQL Server Database
- Install the Endpoint Security Manager Server Software
- Install the Endpoint Security Manager Console Software
- Manage Proxy Communication with the Endpoint Security Manager
- Load Balance Traffic to ESM Servers
-
- Malware Protection Policy Best Practices
- Malware Protection Flow
- Manage Trusted Signers
-
- Remove an Endpoint from the Health Page
- Install an End-of-Life Traps Agent Version
-
-
- Traps Troubleshooting Resources
- Traps and Endpoint Security Manager Processes
- ESM Tech Support File
-
- Access Cytool
- View the Status of the Agent Using Cytool
- View Processes Currently Protected by Traps Using Cytool
- Manage Logging of Traps Components Using Cytool
- Restore a Quarantined File Using Cytool
- View Statistics for a Protected Process Using Cytool
- View Details About the Traps Local Analysis Module Using Cy...
- View Hash Details About a File Using Cytool
Policy Change Event Variables
Policy change events include changes to rules, protection
levels, content updates, and verdicts. The ESM Console lists these
events under the following Logging Events categories:
- Policies - General
- Policies - Rules
- Policies - Hash Control
The following table displays the most commonly specified variables
in policy change events.
Name | Meaning |
|---|---|
shost | Machine name of the ESM Console server |
suser | User who is logged in to the ESM Console |
fileHash | Hash value of an executable file |
msg | Free text description |
For example, consider the output of a Hash Added event
in CEF format:
Sep 28 2016 17:34:56 172.16.183.173 CEF:0|Palo Alto Networks|Traps ESM|3.4.1.16709|New Hash Added|Policy|6|rt=Sep 28 2016 17:34:56 shost=ESM suser= fileHash=c97f276b4c70682c8f8d39b91e30f938bc6e86a42cd6b71e3ad08092dba528e9 cs5Label=NewVerdict cs5=Benign msg=New hash added
Notice that this event uses several common variables, namely: shost, suser, fileHash,
and msg.