Based on adaptive learning technologies, the abnormal process feature applies preset rules and custom check rules to monitor abnormal process startups and then trigger alerts or block the exceptions in real time. It consists of the event list and rule configuration modules. This document describes the event list feature of advanced prevention.
Filtering and Refreshing Events
1. Log in to the TCSS console and click Advanced Prevention > Abnormal Processes > Event list on the left sidebar.
2. On the Event list page, click the search box and search for events by connection process.
3. On the Event list page, click the icon on the right of the Operation column to refresh the event list.
Exporting the Event List
1. Log in to the TCSS console and click Advanced Prevention > Abnormal Processes > Event list on the left sidebar.
2. On the Event list page, select the target abnormal process event and click the icon to export it. Note:
Click the icon in the Operation column to select multiple events.
Event Status Processing
Log in to the TCSS console and click Advanced Prevention > Abnormal Processes > Event list on the left sidebar.
Method 1
On the Event list page, you can mark an abnormal process event as processed or ignore or delete it.
Mark as processed: Click to select the target abnormal process event and click Mark as processed > OK. Note:
It's recommended to handle the event by following "Solution" in the event details and mark it as processed.
Ignore: Click to select the target abnormal process event and click Ignore > OK. Note:
Only the selected events are ignored. Alerts will be triggered when the same events occur again.
Delete: Click to select the target abnormal process event and click Delete > OK. Note:
The selected event record will no longer be displayed in the console and cannot be recovered once deleted. Proceed with caution.
Method 2
1. On the Event list page, click Process now to add events in the Pending resolved status to the allowlist, mark them as processed, or ignore them.
3. On the Event list page, click Unignore or Delete to unignore or delete events in the Ignored status.
Note:
As an event will be in the Pending resolved status once unignored, you need to click OK for confirmation.
The event record will no longer be displayed in the console and cannot be recovered once deleted. Proceed with caution.
4. On the Event list page, click Delete to delete events in the Processed status.
Note:
The event record will no longer be displayed in the console and cannot be recovered once deleted. Proceed with caution.
Viewing Event Details
1. Log in to the TCSS console and click Advanced Prevention > Abnormal Processes > Event list on the left sidebar.
2. On the Event list page, click the icon on the left of the Process path to view the event description.
3. On the Event list page, click View details.
4. The Event details page displays the event details, process information, parent process information, and event description. You can mark the event as processed, ignore it, or add it to the allowlist.
5. On the Event details page, click Add to allowlist to enter the Copy rule page, where you need to configure the basic information and rules and specify the scope.
Basic information: Enter the rule name of the event. Toggle on or off to enable or disable rule check. Note:
This rule will no longer be executed once disabled.
Configure rules: Enter the process path and select the action. Click Add or Delete to add or delete a rule.
Images: All images or Specified images. Click the corresponding icons to select or delete the target specified image. Note:
You can press Shift to select multiple ones.
6. After selecting the target content, click Set or Cancel.
Custom List Management
1. Log in to the TCSS console and click Advanced Prevention > Abnormal Processes > Event list on the left sidebar.
2. On the Event list page, click the icon to open the Custom List Management window.
3. In the pop-up window, select the target type and click OK.
Key fields in the list
1. First occurred: The time when an alert is first triggered by the abnormal process event. By default, the system aggregates identical alert events that have not yet been processed into one list entry.
2. Last occurred: The time when an alert is last triggered by the aggregated alert events. You can click the sort button on the right to sort the events in the list in chronological or reverse chronological order.
3. Events: Total number of alerts triggered by the abnormal process event within the aggregation period.
4. Execution result: Blocked successfully, Failed to block, Allowed, or Alert. You can quickly filter events in the list by action execution result.
5. Status: Processed, Ignored, Pending resolved, or Allowed. You can quickly filter events in the list by status.
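As an added illustration (not TCSS code; the service's internal implementation is not described on this page), the following Python sketch shows how raw abnormal process alerts could be collapsed into list rows carrying the First occurred, Last occurred, Events, Execution result and Status fields described above, with the quick filters and the Last occurred sort. The aggregation key (process path, image, status) and the sample alerts are assumptions.

```python
from collections import OrderedDict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample alerts (not real TCSS data):
# (timestamp, process path, image, status, execution result)
SAMPLE_ALERTS = [
    ("2024-01-01T10:00:00", "/tmp/suspicious_bin", "nginx:1.25", "Pending resolved", "Alert"),
    ("2024-01-01T10:05:00", "/tmp/suspicious_bin", "nginx:1.25", "Pending resolved", "Blocked successfully"),
    ("2024-01-01T09:00:00", "/tmp/suspicious_bin", "nginx:1.25", "Processed", "Alert"),
    ("2024-01-01T11:00:00", "/usr/bin/curl", "redis:7", "Pending resolved", "Failed to block"),
]


def aggregate(alerts) -> List[Dict]:
    """Collapse alerts with the same process path, image and status into one
    row with First occurred (earliest), Last occurred (latest) and Events (count).
    Assumption: the page only says unprocessed identical alerts are aggregated,
    so Processed alerts are kept apart from Pending resolved ones."""
    rows: "OrderedDict[Tuple[str, str, str], Dict]" = OrderedDict()
    for ts_str, path, image, status, result in alerts:
        ts = datetime.fromisoformat(ts_str)
        key = (path, image, status)
        row = rows.get(key)
        if row is None:
            rows[key] = {"process_path": path, "image": image, "status": status,
                         "first_occurred": ts, "last_occurred": ts,
                         "events": 1, "execution_result": result}
            continue
        row["events"] += 1
        row["first_occurred"] = min(row["first_occurred"], ts)
        if ts >= row["last_occurred"]:
            row["last_occurred"] = ts
            row["execution_result"] = result  # show the most recent action taken
    return list(rows.values())


def filter_rows(rows, status: Optional[str] = None, result: Optional[str] = None) -> List[Dict]:
    """Quick filters by Status and Execution result, as offered in the console list."""
    return [r for r in rows
            if (status is None or r["status"] == status)
            and (result is None or r["execution_result"] == result)]


def sort_by_last_occurred(rows, newest_first: bool = True) -> List[Dict]:
    """Chronological or reverse chronological order on Last occurred."""
    return sorted(rows, key=lambda r: r["last_occurred"], reverse=newest_first)
```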