Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 5 subscribers
  • Views 5082 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Could like to enquire on the different meaning of Sophos Av Action (custom)

Ray Alex

Hi,

would like to understand what each term means, i.e
a) cleanUpable
b) IsFragment
c) IsRebootRequired
d) Outstanding

Or is there any guide which i could follow to understand what each field means?



This thread was automatically locked due to age.
  • 0

    Hi Ray Alex,

    Can you please help me with the Sophos Product name and version? 

    Where exactly did you capture the above-attached screenshot? 

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • 0 in reply to Yashraj S

    Thanks Yashraj, we are using endpoint security and control 10.8.

    We are building siem usecases, and the attached screenshot is from sophos database.

  • 0 in reply to Yashraj S

    Hi,

    Below is the logs collected by SEIM for the event detected by Sophos:

    "... ScannerType=201 ActionTaken=116 CleanUpable=True IsRebootRequired=False Outstanding=True ..."

    Would need help in knowing the meaning of these - ScannerType, ActionTaken, CleanUpable, IsRebootRequired, Outstanding.

    Thanks,

  • +1 in reply to gkc

    Hello gkc,

    [I'm not Sophos, I don't use Central (and thus don't feed events to a SIEM) - so this is not an official statement]
    The last three should be rather obvious:
    CleanUpable - according to the detection data cleanup should be possible
    IsRebootRequired - a reboot is not required for a cleanup
    Outstanding - the threat has neither been cleaned or otherwise dealt with nor was the alert acknowledged

    I hope I don't disclose any secret information with the following:

    ScannerType     
    200  Unknown    
    201  On access  
    203  On demand  
    205  Scheduled  
    206  In memory  
    207  Web browser

    ActionTaken
    100  Unknown
    101  None
    102  Renamed
    103  Deleted
    105  Moved
    106  Copied
    109  Cleaned up
    112  Authorized
    113  Cleaned up
    114  Partially removed
    115  Acknowledged
    116  Blocked
    117  No longer present
    118  Cleared from the endpoint QM
    119  Unblocked
    120  Acknowledged - unblocked

    I've left out some rather obscure actions (and yes, there are two Cleaned up). I assume that ScannerType=200 for the remediation (e.g. Cleaned up) events after a detection. Also ActionTaken=114 is likely accompanied by IsRebootRequired=True.

    Christian 

  • 0 in reply to QC

    Thank You, Christian. These made the whole picture clear. :) 

    Chahal

Unfiltered HTML