https://community.sophos.com/intercept-x-endpoint/f/discussions/147986/how-to-interpret-event-endpoint-corepuaclean---manual-cleanup-needed-or-notwould like to understand when manual cleanup is needed via API events/alerts alone this field in API events/alerts I am not clear on: Event::Endpoint::CorePuaClean &#39;result&#39; API RESULT UNDERSTOOD: {&quot;items&quot;:[{&quot;descriptor&quot;:&quot;C:\\Users\\SOMEUSERNAMEen-USTelligent Community 12https://community.sophos.com/thread/548711?ContentTypeID=1Fri, 15 Nov 2024 14:53:26 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:dc67d610-b0f6-477d-bcef-8e008fe2b57fRobert_Smith<p>documentation does not appear to explain the result piece (&quot;result: SUCCESS&quot; and&nbsp;&quot;result: NOT_FOUND&quot; seem mutually exclusive)</p> <table border="1"> <tbody> <tr> <td colspan="1" rowspan="1"><code>Event::Endpoint::CorePuaClean</code></td> <td colspan="1" rowspan="1">PUA cleaned up: &#39;&#39;{2}&#39;&#39; &quot;at &#39;&#39;{1}&#39;&#39;</td> </tr> </tbody> </table><div style="clear:both;"></div>https://community.sophos.com/thread/548709?ContentTypeID=1Fri, 15 Nov 2024 14:42:22 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:d7f61a3a-022c-4025-a85e-f1217de60c6fHarshil_S<p>Hello&nbsp;<a href="/members/robert_5f00_smith">Robert_Smith</a>&nbsp;</p> <p></p> <p>The Sophos Central API will contain all the information, and this article will help you to understand what event results relate to.</p> <p><a href="https://support.sophos.com/support/s/article/KBA-000006285?language=en_US">Sophos Central Admin: Event types and descriptions for Sophos Central API</a></p><div style="clear:both;"></div>https://community.sophos.com/thread/548708?ContentTypeID=1Fri, 15 Nov 2024 14:31:41 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:16767ef9-8af0-40fb-8028-a7d30c699564Robert_Smith<p>sometimes all I have is API</p> <p><span>based on &quot;In general&quot; and &quot;suggest checking on the central&quot;, API alone does not sound like a reliable way to determine if threat was cleaned up successfully</span></p> <p><span>It sounds like I MUST assume worst case and tell my customer manual cleanup may be needed every time i do not see &quot;result: SUCCESS or result: DELETED&quot;</span></p><div style="clear:both;"></div>https://community.sophos.com/thread/548674?ContentTypeID=1Fri, 15 Nov 2024 07:29:55 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:79464403-9384-4945-982e-4afb216e7583Harshil_S<p>Hello <a href="/members/robert_5f00_smith">Robert_Smith</a>&nbsp;</p> <p>In general, if the Endpoint is unable to clean the threat or malware, then it raises an alert for manual cleanup. To verify the API result, I suggest checking on the central and co-relating the event coming from the API and the event appearing on central.</p><div style="clear:both;"></div>