• RE: Does SEC database contain information on alert's detection type? i.e. to distinguish between on-access and scheduled scan's alerts

    thatguy_dave
    You can look at the username of the reported event, to some extent - as scheduled scans will never have an actual user reported, it will always be NT AUTHORITY\SYSTEM as the user with a scheduled scan; since this is the user the Sophos EP engine runs as…
    • over 8 years ago
    • On-Premise Endpoint
    • Sophos Enterprise Console
  • Does SEC database contain information on alert's detection type? i.e. to distinguish between on-access and scheduled scan's alerts

    DavideP
    I can find very little information on SEC to distinguish if an alert has been triggered by an on-access scan or by a scheduled scan. I know that Sophos has this knowledge as I can find this information on the email alerts that are sent by SEC, i.e. scan…
    • over 8 years ago
    • On-Premise Endpoint
    • Sophos Enterprise Console