Events

About events

The Events page lets you see a list of various Perception Point X‑Ray-related events that occurred in your organization. Examples of events are:

  • Advanced Email Security: A user logged in to their email account or set a new mail Inbox rule that appears to be suspicious. [This assists with detecting account takeover (ATO) attempts.]

  • Advanced Browser Security: A user logged in to a website.

  • Cloud Endpoint Integrations: A malicious file was detected on an endpoint.

You can click any event in the Events page to display additional details about the event. Each new event is assigned the Open status. You can analyze an event, and then resolve it, to remove it from the list of open events.

Note:

  • The time shown for each event in the list is the time at which the event occurred, expressed in the local time of the viewing admin user's location.

  • Data retention: Data in the Events page is maintained by Perception Point X‑Ray for 180 days.

You can see a list of events in your organization that seem to be suspicious. For details, see Cases.

To show the Events page:

  • In Perception Point X‑Ray, in the left navigation menu, select Security Operations > Events.

Any admin user with the "Self Analysis" role [or higher] can access the Events page.

Event severity

Perception Point X‑Ray assigns a severity to each event. The severity can be:

  • Low: There is no suspicion associated with this event. For example, a user logged in.

  • Medium: For example, a user signed in to a website.

  • High: For example, a malicious file was found, or a user set up a mailbox rule that appears to be suspicious.

You can use the event severity to filter the events shown in the Events page.

Event status

Perception Point X‑Ray assigns a status to each event in the Events page. The status can be:

  • Open: The event has not yet been analyzed.

  • Dismissed: The event has been analyzed and dismissed.

  • Resolved: The event has been analyzed and resolved.

  • Investigating: The event is currently being investigated.

You can use the event status to filter the events shown in the Events page.

Resolving an event

You can resolve an event, and mark its status as investigating, resolved or dismissed. After an event is resolved, the event will still appear in the list of events.

Note:

  • You can't resolve an event that has the status dismissed.

  • When you resolve an event, and assign it the status dismissed, the severity is automatically set to low.

To resolve an event:

  1. In the Events page, click the Resolve icon on the right of the event, and then set the Status to investigating, resolved, or dismissed.

  2. You can also add a comment explaining the reason for selecting the new status.

Available event types

The table below lists the event types that may be included in the Events page.

Event type: Browser events

  • WebsiteLogin

Relevant channels: Browser Security

For details, see: Monitoring website login events

Event type: ATO events

  • New-InboxRule

  • Remove-InboxRule

  • Set-InboxRule

  • Set-Mailbox

  • UserLoggedIn

  • UserLoginFailed

Relevant channels: Email security

  • Microsoft 365 - API integrations

  • Microsoft 365 - Inline integrations

For details, see: Configuring Microsoft 365 - ATO detection

Event type: Detection events [EDR Tools]

  • Malicious File in Endpoint

Relevant channels:

  • CrowdStrike

  • Cynet

  • SentinelOne