You can trigger incident analysis for a client on a one-time basis with Push Operations. You can run the Push Operation from SmartEndpoint or from the CLI. The analysis occurs without the need to install policy.
To use Forensics Push Operations from SmartEndpoint:
Optional - Enter data to search for an incident that occurred.
The Forensics analysis runs on the user's computer.
To use Forensics Push Operations from the Endpoint Security Management Server CLI:
For complete information about a dedicated tool and integration with third-party Anti-Malware solutions, see sk105122.
Run the $UEPMDIR/system/utils/EfrPushOperation.sh script on a computer, OU, or group.
Usage:
EfrPushOperation -name node_name|-fqdn node_FQDN|-dn node_DN -url URL|-file file [-i start_time [-r range]] [-a activity_event] [-c case_analysis_event] -u <username> -p <password>
Parameters:
| Parameter | Description |
|---|---|
| -name <node_name> | The requested node name as it appears in SmartEndpoint |
| -fqdn <node_FQDN> | The requested node FQDN name, for example, device1@mycompany.com |
| -dn <node_DN> | The requested node distinguished name, for example, CN=device1,OU=Computers,DC=mycompany,DC=com |
| -url <URL> | Analyze by URL |
| -file <file> | Analyze by file or process |
| -i <start_time> | Incident start time (date and time) |
| -r <range> | Time range (before and after start time) in minutes |
| -a <activity_event> | 'f' if detailed activity logs should not be generated, default is 't' |
| -c <case_analysis_event> | 'f' if case analysis report should not be generated, default is 't' |
| -u <username> | Security Management Server username (case-sensitive) |
| -p <password> | Security Management Server password (case-sensitive) |