You can choose to have the App Control Server export a daily archive of events to a GZIP-compressed CSV file named in the format yyyy-mm-dd.csv.gz.
To enable this feature, go to the Events tab of the System Configuration page, click Edit, check the Archive Events Enabled box, and click Update. The archive files are written to a subfolder of the server installation directory, by default:
C:\Program Files (x86)\Bit9\Parity Server\archivelogs\
The following table describes the columns in these archive files.
Event Archive CSV File Columns
Archive CSV column | Note |
---|---|
TIMESTAMP | Time event occurred on agent (in UTC) |
RECEIVEDTIMESTAMP | Time event was received on server (in UTC) |
EVENTTYPE | Event type name |
EVENTSUBTYPE | Event subtype name |
COMPUTER | Event source (computer name or 'System') |
COMPUTER_ID | Event source (unique numeric ID, 0 for 'System') |
PLATFORM | Platform of the computer associated with the event |
IP_ADDRESS | IP address associated with the event |
MESSAGE | Event description |
POLICY | Name of the policy associated with the event |
FILENAME | Full file path |
PROCESSNAME | Name of the process associated with the event |
HASH | File hash |
HASH_TYPE | Type of the file hash (2 = SHA1, 3 = MD5, 5 = SHA256, 6 = MSI) |
INSTALLER_HASH | Installer hash |
INSTALLER_HASH_TYPE | Type of the installer hash (2 = SHA1, 3 = MD5, 5 = SHA256, 6 = MSI) |
RULE_NAME | Name of the rule associated with the event (if any) |
RULE_TYPE | Rule type of the rule associated with the event |
BAN_NAME | For blocked file events, the name of the ban that blocked the file action; some bans are unnamed |
UPDATER_NAME | Name of the Updater associated with the event (if any) |
SEVERITY | Event severity |
USERNAME | Name of user associated with the event |
PROCESS_HASH | Hash of the process associated with the event |
PROCESS_HASH_TYPE | Hash type of the process associated with the event |
ROOT_NAME | Installer name associated with the event |
GLOBAL_STATE | Global state of the file associated with the event (Approved/Unapproved/Banned) |
INDICATOR_NAME | Name of the threat indicator associated with the event (if any) |
FILE_TRUST | Carbon Black File Reputation trust of the file associated with the event. Pending means the file lookup has not been performed yet but will be. (Conditional) Values: -2 = pending, -1 = unknown, 0-10 = trust value |
FILE_THREAT | Carbon Black File Reputation threat rating of the file associated with the event. Pending means the file lookup has not been performed yet but will be. (Conditional) Values: -2 = pending, -1 = unknown, 0 = no threat, 1 = potential risk, 2 = malicious |
PROCESS_TRUST | Carbon Black File Reputation trust of the parent process of the file associated with the event. Pending means the file lookup has not been performed yet but will be. (Conditional) Values: -2 = pending, -1 = unknown, 0-10 = trust value |
PROCESS_THREAT | Carbon Black File Reputation threat rating of the parent process of the file associated with the event. Pending means the file lookup has not been performed yet but will be. (Conditional) Values: -2 = pending, -1 = unknown, 0 = no threat, 1 = potential risk, 2 = malicious |
USAGE_COUNTER | Prevalence of file related to this event |
PROCESS_USAGE_COUNTER | Prevalence of parent process related to this event |
PROCESS_KEY | Unique proprietary key identifying the instance of the process on a specific computer |
COMMAND_LINE | Command line in the event description. Command lines may include proprietary information (e.g., passwords), and so their inclusion in events is optional. |
UNIFIED_SOURCE | In a Unified Management environment, the server that initiated an action. |
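As an added example (not part of the App Control documentation or product), the following reader opens a yyyy-mm-dd.csv.gz archive, applies the HASH_TYPE, FILE_TRUST and FILE_THREAT legends from the table above, and pulls out events whose file is Banned or rated as a threat. The sample archive, host names, file paths and hash placeholders are constructed for the example.

```python
import csv
import gzip
import io
import re
from typing import Iterator

# Legends taken from the archive CSV column table above.
HASH_TYPES = {"2": "SHA1", "3": "MD5", "5": "SHA256", "6": "MSI"}
THREAT_CODES = {"-2": "pending", "-1": "unknown", "0": "no threat",
                "1": "potential risk", "2": "malicious"}
# Daily archive file name format: yyyy-mm-dd.csv.gz
ARCHIVE_NAME = re.compile(r"^\d{4}-\d{2}-\d{2}\.csv\.gz$")


def decode_trust(value: str) -> str:
    """FILE_TRUST / PROCESS_TRUST: -2 pending, -1 unknown, 0-10 trust value."""
    if not value:
        return "n/a"  # column is conditional and may be empty
    return {"-2": "pending", "-1": "unknown"}.get(value, f"trust {value}/10")


def read_archive(data: bytes) -> Iterator[dict]:
    """Yield one dict per event row from a gzip-compressed archive CSV."""
    with gzip.open(io.BytesIO(data), mode="rt", newline="") as fh:
        yield from csv.DictReader(fh)


def triage(data: bytes) -> list[dict]:
    """Return events whose file is Banned or rated malicious / potential risk."""
    flagged = []
    for row in read_archive(data):
        threat = THREAT_CODES.get(row.get("FILE_THREAT", ""), "n/a")
        if row.get("GLOBAL_STATE") == "Banned" or threat in ("malicious", "potential risk"):
            hash_name = HASH_TYPES.get(row.get("HASH_TYPE", ""), "?")
            flagged.append({
                "when": row["TIMESTAMP"], "host": row["COMPUTER"], "file": row["FILENAME"],
                "hash": f"{hash_name}:{row.get('HASH', '')}", "threat": threat,
                "trust": decode_trust(row.get("FILE_TRUST", "")),
            })
    return flagged


# Constructed sample archive (not a real export) using a subset of the documented columns.
SAMPLE_ROWS = (
    "TIMESTAMP,COMPUTER,EVENTTYPE,FILENAME,HASH,HASH_TYPE,GLOBAL_STATE,FILE_TRUST,FILE_THREAT\n"
    "2024-01-15 08:00:01,WS-001,Policy Enforcement,C:\\Temp\\dropper.exe,<placeholder-sha256>,5,Banned,1,2\n"
    "2024-01-15 08:05:12,WS-002,Discovery,C:\\Windows\\notepad.exe,<placeholder-sha1>,2,Approved,10,0\n"
    "2024-01-15 08:07:44,WS-003,Discovery,C:\\Users\\a\\tool.msi,<placeholder-msi>,6,Unapproved,-2,-2\n"
)
SAMPLE_ARCHIVE = gzip.compress(SAMPLE_ROWS.encode())

if __name__ == "__main__":
    assert ARCHIVE_NAME.match("2024-01-15.csv.gz")
    for hit in triage(SAMPLE_ARCHIVE):
        print(hit)
```

Pointing `read_archive` at the bytes of a file from the archivelogs folder gives the same row dicts, keyed by the column names in the table.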