Administrator Guide
Threats
This chapter details how to identify and manage threats encountered in an enterprise environment following the installation of
Advanced Threat Prevention.
● Identify a Threat
○ View Threat Events
○ Cylance Score and Threat Model Updates
○ View Detailed Threat Data
● Manage a Threat
○ Export Threat Data to CSV
○ Manage the Global Quarantine list
Identify a Threat
Email and Dashboard Notifications
If you have set up email notifications for Threat Protection and Advanced Threat Events, an administrator is notified by email of
Advanced Threat Prevention events and threats.
The dashboard Notifications Summary in the Management Console displays Advanced Threat Prevention threats and events as
Threat Protection and Advanced Threat Events notification types.
● Threat Protection type - A threat alert from Advanced Threat Prevention.
● Advanced Threat Event type - An event detected by Advanced Threat Prevention. An event is not necessarily a threat.
The following table details threat labels, severity, and threat information.

Label: ThreatFound
Severity: Critical
Detail: Indicates a Portable Executable (PE) has been identified on a device, but has not been blocked or otherwise quarantined on the endpoint, indicating an active threat on the system.

Label: ThreatBlocked
Severity: Warning
Detail: Indicates a Portable Executable has been identified on the device, though its execution has been blocked. This threat has not been specifically quarantined, which is likely because either the Automatically Quarantine policy has not been enabled or the file is in a location that cannot be written to with the local SYSTEM account (a network share, a USB device that has been removed, etc.).

Label: ThreatTerminated
Severity: Warning
Detail: Indicates a Portable Executable (PE) has been identified on the device and its process was killed because it was found to be actively running. This does not indicate that the file was also quarantined, as the PE could have been executed from another location. Look for another event correlated with this endpoint and executable to validate that the threat was properly contained.

Label: MemoryViolationBlocked
Severity: Warning
Detail: Indicates that an executable or script attempted to run but violated the Memory Protection or Script Control policy, and its execution was blocked. Typically this means the corresponding Memory Protection or Script Control policy was set to Block.
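The follow-up rules in the table above can be applied mechanically to a batch of notifications. The script below is an added example, not part of this guide or the product; it groups events by endpoint and executable, takes the highest documented severity, and flags a ThreatTerminated event that has no correlated event for the same endpoint and file. The event field names (device, file, label) and the sample events are constructed assumptions, not the product's export schema.

```python
from collections import defaultdict

# Severity per label, as given in the table in this section
SEVERITY = {
    "ThreatFound": "Critical",
    "ThreatBlocked": "Warning",
    "ThreatTerminated": "Warning",
    "MemoryViolationBlocked": "Warning",
}

# Constructed sample notifications; field names are assumed, not the product schema
SAMPLE_EVENTS = [
    {"device": "WS-01", "file": "sha256:aaa", "label": "ThreatTerminated"},
    {"device": "WS-01", "file": "sha256:aaa", "label": "ThreatBlocked"},
    {"device": "WS-02", "file": "sha256:bbb", "label": "ThreatTerminated"},
    {"device": "WS-03", "file": "sha256:ccc", "label": "ThreatFound"},
    {"device": "WS-04", "file": "script.ps1", "label": "MemoryViolationBlocked"},
]


def triage(events):
    """Group events by (device, file) and return severity plus follow-up actions."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["device"], ev["file"])].append(ev["label"])

    result = {}
    for key, labels in groups.items():
        sev = "Critical" if any(SEVERITY.get(l) == "Critical" for l in labels) else "Warning"
        actions = []
        if "ThreatFound" in labels:
            # PE present and neither blocked nor quarantined: active threat
            actions.append("active threat: contain immediately")
        if "ThreatTerminated" in labels:
            # Process killed, file not necessarily quarantined: need a correlated event
            others = sorted(l for l in labels if l != "ThreatTerminated")
            if others:
                actions.append("process killed; validate containment via " + ", ".join(others))
            else:
                actions.append("process killed; no correlated event - confirm file was quarantined")
        if "ThreatBlocked" in labels:
            actions.append("blocked but not quarantined: check Automatically Quarantine policy or file location")
        if "MemoryViolationBlocked" in labels:
            actions.append("memory/script policy block: review the policy and the blocked process")
        result[key] = {"severity": sev, "actions": actions}
    return result


if __name__ == "__main__":
    for (device, path), info in triage(SAMPLE_EVENTS).items():
        print(device, path, info["severity"], "|", "; ".join(info["actions"]))
```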