Events
About events
The Events page lets you see a list of various Perception Point X-Ray-related events that occurred in your organization. Examples of events are:
Advanced Email Security: A user logged in to their email account, or set a new mail inbox rule that appears to be suspicious. [This assists with detecting account takeover (ATO) attempts.]
Advanced Browser Security: A user logged in to a website.
Cloud Endpoint Integrations: A malicious file was detected on an endpoint.
You can click any event in the Events page to display additional details about the event. Each new event is assigned the Open status. You can analyze an event, and then resolve it, to remove it from the list of open events.
Note: The time for each event in the list of events is the time that the event occurred in the viewing admin user's location. Information in the Events page is maintained by Perception Point X-Ray for 180 days.
You can see a list of events in your organization that seem to be suspicious. For details, see "Cases" on page 689.
To show the Events page:
In Perception Point X-Ray, in the left navigation menu, select Security Operations > Events.
Any admin user with the "Self Analysis" role [or higher] can access the Events page.
Event severity
Perception Point assigns a severity to each event. The severity can be:
Low: There is no suspicion associated with this event. For example, a user logged in.
Medium: Not currently used.
High: For example, a malicious file was found, or a user set up a mailbox rule that appears to be suspicious.
You can use the event severity to filter the events shown in the Events page.
Event status
Perception Point assigns a status to each event in the Events page. The status can be:
Open: The event has not yet been analyzed.
Dismissed: The event has been analyzed and dismissed.
Resolved: The event has been analyzed and resolved.
Investigating: The event is currently being investigated.
You can use the event status to filter the events shown in the Events page.
Resolving an event
You can resolve an event, and mark its status as investigating, resolved or dismissed. After an event is resolved, the event will still appear in the list of events.
Note: You can't resolve an event that has the status dismissed. When you resolve an event, and assign it the status dismissed, the severity is automatically set to low.
To resolve an event:
In the Events page, click the Resolve icon on the right of the event, and then set the Status to investigating, resolved, or dismissed.
You can also add a comment explaining the reason for selecting the new status.
Available event types
The table below lists some of the event types that are included in the Events page.
Event type | For details, see... |
Browser events | |
WebsiteLogin | "Monitoring login events" on page 490 |
ATO events | |
New-InboxRule, Set-InboxRule, UserLoggedIn | "Configuring Microsoft 365 - ATO detection" on page 227 |
Reference