Events

On the Events page, you can search for specific events, filter events that represent the most critical tasks, manual actions, and more.

You can see security events for these SaaS applications:

Events Table Columns

The Events table has these columns:

Events Table Column Name

Description

Date & Time

The time at which the event was generated.

State

  • Pending - The administrator is requested to perform an action to remediate the event.

    For example, the policy is in Monitor mode, and a detected phishing email is in a user's mailbox.

  • Remediated - The event has been remediated, manually or automatically based on the policy.

    An event may be remediated in many ways, such as quarantining the email, removing attachments, or delivering it to the Junk/Spam folder.

  • Detected - A security event took place, but the administrator cannot manually remediate it.

    For example, a malicious email was sent by an internal user to an external recipient.

  • Dismissed - The event was manually dismissed by an administrator.

Action Taken

The action that was taken to remediate the event.

Remediated By

The system or administrator that remediated the event.

  • Check Point - Harmony Email & Collaboration took the remediation action automatically based on the policy.

  • Microsoft - Microsoft took the remediation action automatically.

  • Admin - Administrator performed manual remediation on the event.

    For example, the administrator quarantined the email post-delivery.

  • Check Point analyst - A Check Point analyst checked the end-user requests and reports. This is relevant only for customers that purchased the Incident Response as a service add-on.

Severity

Severity of the security event.

  • Critical

  • High

  • Medium

  • Low

  • Very Low

SaaS

The SaaS application the event was triggered in.

Threat Type

  • DLP

  • Malware

  • Phishing

    • Under Phishing, in many cases, the exact phishing category will be available.

  • Anomaly

  • Suspected Phishing

  • Suspected Malware

  • Shadow IT

  • Spam

  • Alert - Based on the policy and configurations, the event generated alerts sent to all users.

  • Malicious URL Click

  • Proceed to Malicious URL

Details

Information about the event.

User

The users involved in the event.

Examples:

  • For a phishing event, the column shows the sender and the recipients.

  • For a compromised account (anomaly) event, the column shows the compromised user.

Filtering the Events

To filter the list of events, do one of these:

  • Click on the relevant sections in the charts above the table.

  • Use the built-in filters for the different fields, including the free text search for strings across all fields.

To clear the filters, click Clear Filters.

Taking Actions on Events

Administrators can take actions on different event types. For example, if the event is about a phishing email that made it through to the user's mailbox, the administrator can quarantine the email.

To take action on a single event, click the icon for the event from the last column of the table and select the required action.

To take action on multiple events, select the relevant events, click Groups Actions and select the required action.

Dismissing Events

Sometimes, administrators need to remove an event from the open events list.

To do that, do one of these:

  • To dismiss a single event, click the icon for the event from the last column of the table and select Dismiss.

  • To dismiss multiple events, select the relevant events, click Groups Actions and select Dismiss.

A dismissed event will not be counted in the charts or in any other statistics.

To view the dismissed events, under filters, select Dismissed from the State field.

Managing Views

Departments with responsibilities related to email security are comprised of different teams and different roles, each often interested in a different set of security events.

Administrators can create multiple views, each of which is a combination of filters in the Events screen for filtering the relevant events. Each administrator can set a different view to be presented by default.

To add a new View:

  1. Go to Events.

  2. Using filters, set the criteria for filtering the relevant events.

  3. Click Save as from the top left side of the Events screen.

  4. In the Save View window that appears, enter the required View Name.

  5. Click Save.

Note - If an administrator adds (or deletes) a View, it gets added (or deleted) for all the administrators.

To select a saved View:

  1. Go to Events.

  2. Click Saved views from the top right side of the Events screen.

  3. In the Saved Views window that appears, select the required view.

  4. Click Close.

Notes:

  • To edit a View, select the View, change the required filters, and click Save from the top left side of the Events screen.

  • After saving, the View gets updated for all the administrators.

To set a default View:

  1. Click Saved views from the top right side of the Events screen.

  2. In the Saved Views window that appears, click the Star icon next to the relevant view.

  3. Click Close.

Note - The default view selected is relevant only to the administrator that set it. Each administrator can select a different default View.