I would like to understand when manual cleanup is needed via API events/alerts alone.
This field in API events/alerts I am not clear on:
Event::Endpoint::CorePuaClean 'result'
API RESULT UNDERSTOOD:
{"items":[{"descriptor":"C:\\Users\\SOMEUSERNAME\\Downloads\\viewpdftools.msi","processPath":"","result":"SUCCESS","sophosPid":"","suspendResult":"NOT_APPLICABLE","type":"file"}],"totalItems":1}
API RESULT UNCLEAR (shall I assume manual cleanup is needed when I see this? No separate manual cleanup alert or event is triggered):
{"items":[{"descriptor":"C:\\Users\\SOMEOTHERUSERNAME\\Downloads\\pdfguruhub.msi","processPath":"","result":"NOT_FOUND","sophosPid":"","suspendResult":"NOT_APPLICABLE","type":"file"}],"totalItems":1}
Hello Robert_Smith
In general, if the Endpoint is unable to clean the threat or malware, then it raises an alert for manual cleanup. To verify the API result, I suggest checking on the central and correlating the event coming from the API with the event appearing on central.
Best Regards,
Sometimes all I have is the API.
Based on "In general" and "suggest checking on the central", the API alone does not sound like a reliable way to determine if the threat was cleaned up successfully.
It sounds like I MUST assume the worst case and tell my customer manual cleanup may be needed every time I do not see "result: SUCCESS" or "result: DELETED".
Hello Robert_Smith
The Sophos Central API will contain all the information, and this article will help you to understand what event results relate to.
Sophos Central Admin: Event types and descriptions for Sophos Central API
Best Regards,
The documentation does not appear to explain the result piece ("result: SUCCESS" and "result: NOT_FOUND" seem mutually exclusive). The only row for this event is:
Event::Endpoint::CorePuaClean | PUA cleaned up: ''{2}'' at ''{1}''
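As an added example (not code from this thread or from Sophos), the Python below applies the worst-case rule the poster settles on: it parses CorePuaClean event results shaped like the two quoted above and flags every item whose result is not SUCCESS or DELETED for manual cleanup follow-up. The set of "cleaned" result values, the `(event_type, result_json)` input shape and the `totalItems` sanity check are assumptions taken from this thread, not from Sophos documentation.

```python
import json

# Assumption from the thread: only these result values count as cleaned up.
CLEANED_RESULTS = {"SUCCESS", "DELETED"}
PUA_CLEAN_EVENT = "Event::Endpoint::CorePuaClean"

# Constructed samples, copied from the two API results quoted in the thread.
RESULT_SUCCESS = r'{"items":[{"descriptor":"C:\\Users\\SOMEUSERNAME\\Downloads\\viewpdftools.msi","processPath":"","result":"SUCCESS","sophosPid":"","suspendResult":"NOT_APPLICABLE","type":"file"}],"totalItems":1}'
RESULT_NOT_FOUND = r'{"items":[{"descriptor":"C:\\Users\\SOMEOTHERUSERNAME\\Downloads\\pdfguruhub.msi","processPath":"","result":"NOT_FOUND","sophosPid":"","suspendResult":"NOT_APPLICABLE","type":"file"}],"totalItems":1}'


def items_needing_followup(result_json):
    """Return [(descriptor, result)] for every item not confirmed cleaned.

    Raises ValueError if totalItems disagrees with the item list, since a
    truncated payload could otherwise hide an uncleaned item.
    """
    payload = json.loads(result_json)
    items = payload.get("items", [])
    if payload.get("totalItems", len(items)) != len(items):
        raise ValueError("totalItems does not match number of items")
    flagged = []
    for item in items:
        result = item.get("result", "<missing>")
        if result not in CLEANED_RESULTS:
            flagged.append((item.get("descriptor", "<no descriptor>"), result))
    return flagged


def triage(events):
    """Map descriptor -> result for CorePuaClean items needing manual cleanup.

    events: iterable of (event_type, result_json) pairs (assumed shape).
    Other event types are ignored; a later event for the same descriptor
    overwrites an earlier one, so a later SUCCESS drops it from the report.
    """
    report = {}
    for event_type, result_json in events:
        if event_type != PUA_CLEAN_EVENT:
            continue
        payload = json.loads(result_json)
        for item in payload.get("items", []):
            report.pop(item.get("descriptor"), None)
        for descriptor, result in items_needing_followup(result_json):
            report[descriptor] = result
    return report


if __name__ == "__main__":
    sample = [(PUA_CLEAN_EVENT, RESULT_SUCCESS), (PUA_CLEAN_EVENT, RESULT_NOT_FOUND)]
    for descriptor, result in triage(sample).items():
        print(f"manual cleanup may be needed: {descriptor} (result={result})")
```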