What is an aggregated event?

Aggregated events are bulk operations with several files transferred at once (such as many files copied to USB or an email sent with several attachments).

Since one aggregated event is displayed as one row in the Event overview table, the admin has far fewer logs to check, gains better context on each operation, and can analyze threats more effectively. For example, when a user backs up 5000 files from a network share to USB, the admin does not have to sift through 100 pages of individual logs; they see the mass transfer as one aggregated event in one row of the Event overview table. This makes it much easier to determine whether an event is risky or not.

Aggregated events in the Event overview table

To see all aggregated events, click the File column header. Aggregated events will be displayed at the top of the table.

Individual files that were part of the mass transfer are displayed in a sub-table in the event detail (click the little arrow on the left). Risky events are placed at the top. This way, the admin can easily investigate the contents of a particular bulk operation and quickly locate relevant files.

Aggregated event

The sub-table shows a maximum of 10 files. The remaining files are hidden and can be either filtered out or exported.

Differences from individual events

There are several differences in how information is shown for aggregated events in the Event overview table:

  • File - shows the total number of files processed within the aggregated event and also the number of files that match a selected filter
  • File size - shows the total size of the whole aggregated event (the sum of all file sizes)
  • Security assessment - is shown for risky aggregated events and highlights the matching detection rules
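The following Python script is an added example, not Safetica's own code, that illustrates the aggregation described above and the three overview columns just listed: it groups individual file-transfer events by user, operation and destination within a time window, then derives the total file count, the count matching a filter, the summed file size, the risky flag with its matched detection rules, and a risky-first sub-table preview capped at 10 rows. The event fields, the five-minute window and the sample events are assumptions constructed for the example.

```python
"""Aggregate individual file-transfer events into bulk "aggregated events".

Added example, not the product's own code. Assumes (constructed for this
example) that each raw event carries a user, an operation type, a
destination, a timestamp, a file path, a size in bytes and the names of
any detection rules that matched the file.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Iterable, List, Set


@dataclass(frozen=True)
class FileEvent:
    user: str
    operation: str      # e.g. "usb_copy", "email"
    destination: str    # e.g. USB device serial or mail recipient
    ts: datetime
    path: str
    size: int           # bytes
    rules: tuple = ()   # detection rules that matched; () if none


@dataclass
class AggregatedEvent:
    user: str
    operation: str
    destination: str
    files: List[FileEvent] = field(default_factory=list)

    @property
    def file_count(self) -> int:          # "File" column: total files
        return len(self.files)

    @property
    def total_size(self) -> int:          # "File size" column: sum of sizes
        return sum(f.size for f in self.files)

    @property
    def matched_rules(self) -> Set[str]:  # "Security assessment" column
        return {r for f in self.files for r in f.rules}

    @property
    def risky(self) -> bool:
        return bool(self.matched_rules)

    def count_matching(self, predicate: Callable[[FileEvent], bool]) -> int:
        """Number of files in this bulk operation that match a filter."""
        return sum(1 for f in self.files if predicate(f))

    def preview(self, limit: int = 10) -> List[FileEvent]:
        """Sub-table rows: risky files first, then by path, at most `limit`."""
        ordered = sorted(self.files, key=lambda f: (not f.rules, f.path))
        return ordered[:limit]


def aggregate(events: Iterable[FileEvent],
              window: timedelta = timedelta(minutes=5)) -> List[AggregatedEvent]:
    """Group events by (user, operation, destination); a gap longer than
    `window` between consecutive events starts a new aggregated event."""
    groups: List[AggregatedEvent] = []
    current = None
    last_ts = None
    for e in sorted(events, key=lambda e: (e.user, e.operation, e.destination, e.ts)):
        same_op = (current is not None and
                   (current.user, current.operation, current.destination)
                   == (e.user, e.operation, e.destination))
        if same_op and e.ts - last_ts <= window:
            current.files.append(e)
        else:
            current = AggregatedEvent(e.user, e.operation, e.destination, [e])
            groups.append(current)
        last_ts = e.ts
    return groups


def overview_row(agg: AggregatedEvent) -> dict:
    """One row of the Event overview table for an aggregated event."""
    return {"user": agg.user, "operation": agg.operation,
            "files": agg.file_count, "size": agg.total_size,
            "risky": agg.risky, "rules": sorted(agg.matched_rules)}


# Constructed sample events: one USB backup of 12 files (one containing PII),
# one email with two attachments, and a separate USB copy an hour later.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    FileEvent("alice", "usb_copy", "usb:SN123", T0 + timedelta(seconds=i),
              f"share/report_{i}.xlsx", 1024 * (i + 1),
              ("PII",) if i == 3 else ())
    for i in range(12)
] + [
    FileEvent("bob", "email", "partner@example.com", T0 + timedelta(minutes=2),
              "quote.pdf", 20_000),
    FileEvent("bob", "email", "partner@example.com", T0 + timedelta(minutes=2),
              "terms.docx", 30_000),
    FileEvent("alice", "usb_copy", "usb:SN123", T0 + timedelta(hours=1),
              "photo.jpg", 5_000),
]

if __name__ == "__main__":
    for agg in aggregate(SAMPLE_EVENTS):
        print(overview_row(agg))
        for f in agg.preview():
            print("   ", f.path, f.size, f.rules or "")
```

Running the script prints three overview rows: the 12-file USB backup is flagged risky because of the single PII match and its preview lists that file first, while the later single-file copy falls outside the five-minute window and becomes its own row, mirroring how the Event overview table separates bulk operations from one-off transfers.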

Want to learn more? Read next:

How to filter aggregated events

How to export records of aggregated events