Large Files in Data Retrieval


Wondering if anyone can help. In ESM --> Monitor --> ESM --> Data Retrieval

I'm seeing large files. Wondering if anyone knew why they are so large. Some are 634 MB in size.


ACCEPTED SOLUTION

Hi @Alex_Gomez,

At the time of a security event, Traps can report the files that were accessed, modules that were loaded into memory, URIs that were accessed, and the ancestor process of the process that triggered the security event. You can define policy rules that specify what is collected; these rules can incorporate conditions, so that different users, computers, or groups receive different settings.

Traps captures the following information at the time of a security event:

  • Files accessed prior to the security event;
  • Modules and drivers loaded;
  • URI information from web plug-ins, media players, and mail clients;
  • Ancestry processes from browsers and Java applet child processes;
  • You can also collect additional information about the true nature of a security event.

To modify the report collection settings, clone the policy and override the desired details. Overriding the default memory dump size rule allows you to reduce the disk space consumed by dumps in the event of a prevention. However, reducing this setting to any value below the default (full) could omit important forensic information.

I hope it helps.

Willian


2 REPLIES


Thanks @acc6d0b3610eec313831f7900fdbd235 for that response, it clears it up.

I noticed the default policy does a full memory dump, so I understand now how these files can be large.
