Tencent Cloud

Event List
Last updated: 2024-01-23 15:44:44
This document describes the event list of the reverse shell feature.

Filtering and Refreshing Events

1. Log in to the TCSS console and click Runtime Security > Reverse Shell > Event list on the left sidebar.
2. On the Event list page, click the search box and search for reverse shell events by keyword such as process name or parent process name.


3. On the Event list page, click on the right of the Operation column to refresh the list of reverse shell events.

Exporting the Event List

On the Event list page, click to select the target reverse shell event and click to export it.
Note:
You can click to select multiple events and click to batch export them.




Event Status Processing

On the Event list page, you can mark a reverse shell event as processed, ignore it, or delete it.
Mark as processed: Click to select the target reverse shell event and click Mark as processed > OK.
Note:
We recommend handling the event by following "Solution" in the event details and then marking it as processed.
Ignore: Click to select the target reverse shell event and click Ignore > OK.
Note:
Only the selected events are ignored. Alerts will be triggered when the same events occur again.
Delete: Click to select the target reverse shell event and click Delete > OK.
Note:
The selected event record will no longer be displayed in the console and cannot be recovered once deleted. Proceed with caution.

Viewing List Details

1. On the Event list page, click on the left of the Event type to view the event description.


2. On the Event list page, click the Container name/ID or Image name/ID to enter the asset management list.


3. On the Event list page, click View details to open the drawer on the right, which displays the event details, process information, parent process information, and event description.


4. On the Event list page, the event status can be Processed, Ignored, or Pending resolved. The operations available for an event depend on its status:
Processed/Allowed: Click Delete and click OK in the pop-up window.
Note:
The event record will no longer be displayed in the console and cannot be recovered once deleted. Proceed with caution.

Pending resolved: Click Process now to mark the event as processed, ignore or delete it, or add it to the allowlist. For detailed directions, see Event Status Processing.
Ignored: Click Unignore or Delete to turn the event into the Pending resolved status or delete it.



Custom List Management

1. On the Event list page, click to pop up the Custom List Management window.
2. In the pop-up window, select the target type and click OK.



Key fields in the list

1. First occurred: The time when an alert is first triggered by the reverse shell event.
Note:
By default, the system aggregates identical alert events that have not been processed.
2. Last occurred: The time when an alert is last triggered by the aggregated alert events. You can click the sort button on the right to sort the events in the list in chronological or reverse chronological order.
3. Events: Total number of alerts triggered by the reverse shell event within the aggregation period.
4. Status: Processed, Ignored, Pending resolved, or Allowed. You can quickly filter events in the list by status.