Search Events by Device
Click 'Security' > 'Endpoint Security' > 'Investigate' > 'Device Search'
-
The 'Device Search' interface lets you search for the events and alerts generated on a specific device.
-
Details shown on this interface include event trends, network connection events, malware detection events and so on.
Open the 'Device Search' interface
-
Click 'Security' > 'Endpoint Security'
-
Move your mouse over 'Investigate' and choose 'Device Search'
-
Start typing the name of the device of interest and select the device from the suggestions.
You can also open this interface for a specific device directly from other interfaces. Examples include:
-
'Alerts' > 'Device View' > Click on a device name
-
'Investigate' > 'Hash Search' > click on a device name from the 'Execution Summary' tile
-
Click the 'Manage this device' link below the search box to open the device details interface. See Manage Windows Devices for help on tasks you can execute from the device details interface.
The page shows the following tiles:
-
Shows a summary of the alerts generated and events logged by the various Xcitium security modules on the device.
-
Alert Name - The label of the event. The alert name briefly describes how the file was handled by the module shown in the 'Component' column, or the event that generated an EDR alert. See the description of Alert Name in View Alerts and Security Events by Time for the possible alert names.
-
Alert Time - Date and time at which the alert was generated / event occurred
-
Component - The module that reported the event. This can be 'Antivirus', 'Containment', 'Application Control', 'Autorun Control', 'Virtual Desktop' or 'EDR'.
-
Shows the list of executable files and applications that were run with administrator rights on the device.
-
Select the time period for which files run with admin privileges should be shown. The period ranges from the last 15 minutes to the last 30 days.
-
Username - The admin account username with which the file was executed
-
File name - The label of the file
-
Count - The number of times the file was executed
-
Shows the list of internal and external network connection events from the different network interfaces of the device within the selected period.
-
Select the time period for which the data should be shown. The period ranges from the last 15 minutes to the last 30 days. You can also set a custom range.
-
Local IP - The internal IP address of the network interface on the endpoint from which the connection was made. A device with several interfaces can show several local IPs.
-
Destination IP - The IP address of the destination to which the connection was established from that local IP.
-
Destination Port - The port number of the destination to which the connection was established.
-
Count - The number of times the connection to the destination IP and port was established from the endpoint.
-
Click the number to view the details of the events. This opens the 'Investigate' > 'Event Search' interface with a query created automatically for that local IP, destination IP and destination port, and lists the matching connection events. See Search Events by Query for more details.
-
Shows a timeline of the event counts recorded from the endpoint for the selected time period.
-
Select the time period for which the event trend should be shown. The period ranges from the last 15 minutes to the last 30 days.
-
Hover over a point in the graph to view the number of events recorded at that time.
Drag your mouse cursor inside the chart to zoom in on a range; drag again to zoom out.
-
Shows the IP addresses assigned to the different network interfaces of the device as it connects to different networks. Each time any of these addresses changes, a new event is added to the list, so the tile is a history of the device's addressing.
-
External IP - The external (public) IP address through which the endpoint reached external networks at the time of the event.
-
Local IP 1, Local IP 2, Local IP 3, etc. - The IP addresses assigned to the device's network interfaces at the time of the event.
-
Time - The date and time at which the change was recorded.
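The 'Network Connections' and IP-change tiles above are both aggregations over the raw events the endpoint reports. The following script is an added example (not Xcitium's own code and not a documented Xcitium API) of reproducing those two views offline from exported events, which is useful when you want to compare a device's current table against an earlier export. The event records, their field names (`ts`, `local_ip`, `dst_ip`, `dst_port`, `external_ip`, `local_ips`) and the check-in snapshots are all constructed for the example; the choice to record the first snapshot as a baseline entry is also an assumption.

```python
"""Rebuild the 'Network Connections' and IP-change tiles from raw endpoint events.

Added example, not Xcitium code. All records below are constructed and the
field names are assumptions about an exported event feed, not a Xcitium schema.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample connection events (hypothetical export format).
CONNECTION_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "local_ip": "10.0.0.5", "dst_ip": "52.1.2.3", "dst_port": 443},
    {"ts": "2024-05-01T10:01:00Z", "local_ip": "10.0.0.5", "dst_ip": "52.1.2.3", "dst_port": 443},
    {"ts": "2024-05-01T10:02:00Z", "local_ip": "10.0.0.5", "dst_ip": "192.168.1.20", "dst_port": 445},
    {"ts": "2024-05-01T10:40:00Z", "local_ip": "10.0.0.5", "dst_ip": "52.1.2.3", "dst_port": 443},
    {"ts": "2024-04-20T09:00:00Z", "local_ip": "172.16.0.9", "dst_ip": "198.51.100.7", "dst_port": 8080},
]

# Constructed interface snapshots: the addresses the agent reported at each check-in.
SNAPSHOTS = [
    {"ts": "2024-05-01T08:00:00Z", "external_ip": "203.0.113.10", "local_ips": ["10.0.0.5"]},
    {"ts": "2024-05-01T09:00:00Z", "external_ip": "203.0.113.10", "local_ips": ["10.0.0.5"]},  # unchanged
    {"ts": "2024-05-01T12:00:00Z", "external_ip": "203.0.113.10", "local_ips": ["10.0.0.5", "192.168.56.1"]},  # new interface
    {"ts": "2024-05-01T18:00:00Z", "external_ip": "198.51.100.44", "local_ips": ["172.16.0.9"]},  # moved to another network
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def connection_summary(events, now_str, window_minutes):
    """Group connections by (Local IP, Destination IP, Destination Port) within the window.

    window_minutes mirrors the tile's selectable period (15 minutes up to 30 days = 43200).
    Returns [((local_ip, dst_ip, dst_port), count), ...], highest count first.
    """
    now = parse_ts(now_str)
    start = now - timedelta(minutes=window_minutes)
    counts = Counter(
        (e["local_ip"], e["dst_ip"], e["dst_port"])
        for e in events
        if start <= parse_ts(e["ts"]) <= now
    )
    # Ties are broken by the key so the table is reproducible between runs.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def ip_change_events(snapshots):
    """Emit one record per check-in at which the external IP or the set of local IPs changed.

    The first snapshot is recorded as the baseline entry (an assumption about the tile).
    Interface order is ignored: the same addresses in a different order is not a change.
    """
    events, previous = [], None
    for snap in snapshots:
        current = (snap["external_ip"], tuple(sorted(snap["local_ips"])))
        if current != previous:
            events.append({"time": snap["ts"], "external_ip": current[0], "local_ips": list(current[1])})
            previous = current
    return events


if __name__ == "__main__":
    for key, count in connection_summary(CONNECTION_EVENTS, "2024-05-01T10:45:00Z", 24 * 60):
        print("Local IP %-12s Destination IP %-14s Port %-5d Count %d" % (*key, count))
    for ev in ip_change_events(SNAPSHOTS):
        print(ev["time"], ev["external_ip"], ev["local_ips"])
```

Running the script with a 24-hour window collapses the four May 1 connections into two rows (three to 52.1.2.3:443, one to 192.168.1.20:445) and drops the April 20 event, exactly as narrowing the tile's period would; the 30-day window brings the April row back. The change detector reports three entries from four check-ins, because the 09:00 snapshot repeated the 08:00 addresses.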
-
Shows the list of user login events on the device.
-
Username - The name of the user account for which login was detected.
-
Last Seen - The date and time the endpoint last reported to Xcitium with this user logged in.