We have recently added Portal Shield to report events to our ePO, and the events get generated appropriately. The problem we are having is that when an incident is reported, there is not very much information in the actual event. I get the following:
Threat Source Process Name
Threat Target User Name (which is always NT Authority\System)
Threat Target File Path (provides executable but not full path)
These are all fine, except it doesn't provide the name of the actual authenticated user, the source IP address, the source hostname, or the full path name. We are able to find this information in the SharePoint logs in the C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\Logs folder. Just wondering if there is a way to get this information put into the alert that is generated, to avoid having to check multiple log files. This information does not show up under Portal Shield on the SharePoint either. Has anyone else come across this issue?