Hello gkc,

[I'm not Sophos, I don't use Central (and thus don't feed events to a SIEM) - so this is not an official statement]

The last three should be rather obvious:

  CleanUpable      - according to the detection data, cleanup should be possible
  IsRebootRequired - a reboot is not required for a cleanup
  Outstanding      - the threat has neither been cleaned or otherwise dealt with, nor was the alert acknowledged

I hope I don't disclose any secret information with the following:

ScannerType
  200  Unknown
  201  On access
  203  On demand
  205  Scheduled
  206  In memory
  207  Web browser

ActionTaken
  100  Unknown
  101  None
  102  Renamed
  103  Deleted
  105  Moved
  106  Copied
  109  Cleaned up
  112  Authorized
  113  Cleaned up
  114  Partially removed
  115  Acknowledged
  116  Blocked
  117  No longer present
  118  Cleared from the endpoint QM
  119  Unblocked
  120  Acknowledged - unblocked

I've left out some rather obscure actions (and yes, there are two "Cleaned up"). I assume ScannerType=200 is used for the remediation (e.g. Cleaned up) events after a detection. Also, ActionTaken=114 is likely accompanied by IsRebootRequired=True.

Christian
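As an added illustration (not part of Christian's post and not Sophos code), the following Python replays a handful of constructed SIEM threat events per endpoint/threat pair, decodes the ScannerType and ActionTaken codes using exactly the tables above, decides whether each threat is still outstanding, and flags the two inconsistencies the post hints at: a "Partially removed" (114) event without IsRebootRequired, and a remediation event whose ScannerType is not 200. The record field names endpoint, threat and when, the sample events, and the set of actions treated as "dealt with" are assumptions made for the example, not Sophos definitions.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Code tables exactly as listed in the post (note 109 and 113 both mean "Cleaned up").
SCANNER_TYPE = {
    200: "Unknown", 201: "On access", 203: "On demand",
    205: "Scheduled", 206: "In memory", 207: "Web browser",
}
ACTION_TAKEN = {
    100: "Unknown", 101: "None", 102: "Renamed", 103: "Deleted", 105: "Moved",
    106: "Copied", 109: "Cleaned up", 112: "Authorized", 113: "Cleaned up",
    114: "Partially removed", 115: "Acknowledged", 116: "Blocked",
    117: "No longer present", 118: "Cleared from the endpoint QM",
    119: "Unblocked", 120: "Acknowledged - unblocked",
}
# ASSUMPTION for this example: after one of these actions the threat is no longer
# "Outstanding" in the post's sense (cleaned, otherwise dealt with, or acknowledged).
RESOLVING_ACTIONS = {103, 105, 109, 112, 113, 115, 116, 117, 118, 120}
# ASSUMPTION: actions that represent remediation of an earlier detection.
REMEDIATION_ACTIONS = {102, 103, 105, 109, 113, 114}


def decode(code: int, table: dict[int, str], label: str) -> str:
    """Map a numeric code to its name, or say plainly that it is not in the table."""
    name = table.get(code)
    return name if name is not None else f"{label} code {code} (not in table)"


@dataclass
class ThreatState:
    endpoint: str
    threat: str
    last_action: str = "no events"
    last_scanner: str = "no events"
    outstanding: bool = True
    warnings: list[str] = field(default_factory=list)


def triage(events: list[dict]) -> dict[tuple[str, str], ThreatState]:
    """Replay events in time order; the latest event for an (endpoint, threat) pair wins."""
    states: dict[tuple[str, str], ThreatState] = {}
    for ev in sorted(events, key=lambda e: e["when"]):
        key = (ev["endpoint"], ev["threat"])
        st = states.setdefault(key, ThreatState(*key))
        action, scanner = ev["ActionTaken"], ev["ScannerType"]
        st.last_action = decode(action, ACTION_TAKEN, "ActionTaken")
        st.last_scanner = decode(scanner, SCANNER_TYPE, "ScannerType")
        st.outstanding = action not in RESOLVING_ACTIONS
        # Consistency checks derived from the post's observations.
        if action == 114 and not ev.get("IsRebootRequired", False):
            st.warnings.append("Partially removed (114) but IsRebootRequired is not True")
        if action in REMEDIATION_ACTIONS and scanner != 200:
            st.warnings.append(f"remediation event carries ScannerType {scanner}, expected 200")
        if "Outstanding" in ev and ev["Outstanding"] != st.outstanding:
            st.warnings.append(f"event says Outstanding={ev['Outstanding']}, replay says {st.outstanding}")
    return states


def outstanding_threats(states: dict[tuple[str, str], ThreatState]) -> list[tuple[str, str]]:
    """Keys of threats that still need attention, in a stable order."""
    return sorted(k for k, st in states.items() if st.outstanding)


# Constructed sample events (not real Sophos data); field names are assumptions.
SAMPLE_EVENTS = [
    {"endpoint": "ep-1", "threat": "EICAR-AV-Test", "when": 1, "ScannerType": 201,
     "ActionTaken": 101, "CleanUpable": True, "IsRebootRequired": False, "Outstanding": True},
    {"endpoint": "ep-1", "threat": "EICAR-AV-Test", "when": 2, "ScannerType": 200,
     "ActionTaken": 109, "CleanUpable": True, "IsRebootRequired": False, "Outstanding": False},
    {"endpoint": "ep-2", "threat": "Mal/Generic-S", "when": 3, "ScannerType": 203,
     "ActionTaken": 101, "CleanUpable": True, "IsRebootRequired": False, "Outstanding": True},
    {"endpoint": "ep-2", "threat": "Mal/Generic-S", "when": 4, "ScannerType": 200,
     "ActionTaken": 114, "CleanUpable": True, "IsRebootRequired": False, "Outstanding": True},
    {"endpoint": "ep-3", "threat": "PUA/Example", "when": 5, "ScannerType": 207,
     "ActionTaken": 116, "CleanUpable": False, "IsRebootRequired": False, "Outstanding": False},
    {"endpoint": "ep-4", "threat": "Troj/Example", "when": 6, "ScannerType": 206,
     "ActionTaken": 110, "CleanUpable": True, "IsRebootRequired": False, "Outstanding": True},
]

if __name__ == "__main__":
    for key, st in triage(SAMPLE_EVENTS).items():
        flag = "OUTSTANDING" if st.outstanding else "resolved"
        print(f"{key[0]} {key[1]}: {st.last_action} via {st.last_scanner} -> {flag}")
        for w in st.warnings:
            print(f"    warning: {w}")
```

The replay deliberately trusts the order of events rather than the Outstanding flag on any single record, and only reports a mismatch between the two, so a feed that delivers records out of order or drops one shows up as a warning instead of silently closing a threat.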