ITDR
About Event Logs
When Zscaler ITDR triggers an alert, the attacker's activity is logged in event logs. The Event Logs page lists all the event logs.
Event Logs provide the following benefits and enable you to:
- Capture information about attacks attempted by bad actors who infiltrate your network.
- Investigate attacks using the log information, analyze the attacker's target and motives, and then devise enhanced threat response and containment strategies.
- Download the event logs in various formats for further analysis to contain future threats.
About the Event Logs Page
On the Event Logs page (accessed from the extended details page), you can do the following:
- View the event logs. For each event, you can see:
  - Timestamp: The date and time when the attack happened.
  - Type: The attack type (e.g., itdr).
  - Sub Type: The subtype of the attack.
  - Decoy Group: The classification of the device (e.g., endpoint).
  - Attacker ID: The attacker's IP address.
  - Decoy Name: The actual endpoint name.
  - Decoy Port: The port used on the endpoint.
  - Decoy Appliance Name: The name for the ITDR Admin Portal.
  - Kill Chain Phase: The kill chain attack phase (e.g., lateral movement, exploitation, etc.).
  Select an event to view the Event Details pane, which provides the in-depth details of the event.
- Add or remove fields from the Event Logs page.
- Choose an option from the Actions drop-down menu:
  - Export the event logs.
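The fields listed above are what an analyst has to work with after exporting the logs for further analysis. The following is an added example, not part of the Zscaler documentation and not Zscaler code: it parses an exported event log and groups events per Attacker ID so that an attacker who touches several decoys, or progresses across kill chain phases, is surfaced first for triage. It assumes the export is a CSV whose header row uses the field names shown on the Event Logs page; the sample rows, including the Sub Type values and the appliance name, are constructed for the example and are not real ITDR output.

```python
import csv
import io
from typing import Dict, List

# Column names as they appear on the Event Logs page. That an export uses
# them verbatim as CSV headers is an assumption made for this example.
REQUIRED_COLUMNS = [
    "Timestamp", "Type", "Sub Type", "Decoy Group", "Attacker ID",
    "Decoy Name", "Decoy Port", "Decoy Appliance Name", "Kill Chain Phase",
]

# Constructed sample export: the Sub Type values, decoy names and
# appliance name below are illustrative, not documented ITDR values.
SAMPLE_EXPORT = """\
Timestamp,Type,Sub Type,Decoy Group,Attacker ID,Decoy Name,Decoy Port,Decoy Appliance Name,Kill Chain Phase
2024-01-15T10:02:11Z,itdr,credential-access,endpoint,10.0.5.23,WS-FIN-07,445,itdr-admin-portal,exploitation
2024-01-15T10:04:40Z,itdr,smb-session,endpoint,10.0.5.23,WS-FIN-07,445,itdr-admin-portal,lateral movement
2024-01-15T10:05:02Z,itdr,smb-session,endpoint,10.0.5.23,WS-HR-02,445,itdr-admin-portal,lateral movement
2024-01-15T11:30:57Z,itdr,port-scan,endpoint,10.0.9.8,WS-OPS-11,3389,itdr-admin-portal,reconnaissance
"""


def parse_event_logs(text: str) -> List[Dict[str, str]]:
    """Parse an exported event log, refusing exports that lack expected columns."""
    reader = csv.DictReader(io.StringIO(text))
    present = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in present]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")
    return [dict(row) for row in reader]


def summarize_by_attacker(events: List[Dict[str, str]]) -> Dict[str, dict]:
    """Group events by Attacker ID, keeping decoys, ports and phases in first-seen order.

    Timestamps are sorted as strings, which is correct only because every
    sample row uses the same ISO 8601 UTC format (an assumption of this example).
    """
    summary: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e["Timestamp"]):
        entry = summary.setdefault(ev["Attacker ID"], {
            "events": 0,
            "decoys": [],
            "ports": [],
            "phases": [],
            "first_seen": ev["Timestamp"],
            "last_seen": ev["Timestamp"],
        })
        entry["events"] += 1
        entry["last_seen"] = ev["Timestamp"]
        for key, field in (("decoys", "Decoy Name"),
                           ("ports", "Decoy Port"),
                           ("phases", "Kill Chain Phase")):
            if ev[field] not in entry[key]:
                entry[key].append(ev[field])
    return summary


def rank_attackers(summary: Dict[str, dict]) -> List[str]:
    """Order attacker IDs for triage: most distinct decoys touched first, then most events.

    Any interaction with a decoy is already suspicious; spreading across
    several decoys is the stronger lateral-movement signal.
    """
    return sorted(
        summary,
        key=lambda aid: (len(summary[aid]["decoys"]), summary[aid]["events"]),
        reverse=True,
    )


if __name__ == "__main__":
    by_attacker = summarize_by_attacker(parse_event_logs(SAMPLE_EXPORT))
    for attacker in rank_attackers(by_attacker):
        s = by_attacker[attacker]
        print(f"{attacker}: {s['events']} events, decoys={s['decoys']}, "
              f"phases={s['phases']}, {s['first_seen']} .. {s['last_seen']}")
```

Running the script lists 10.0.5.23 first, because it touched two decoys and moved from exploitation to lateral movement, ahead of the single-decoy reconnaissance source. In practice the summary per attacker is what feeds the investigation and containment steps described above.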
