
How the Cylance Multi-Tenant Console groups alerts

The Cylance Multi-Tenant Console uses the following criteria to group alerts from all your tenants and Cylance Endpoint Security services, automating the process so that you can scope and optimize your threat-hunting and resolution activities to logical groupings of related alerts. The grouping logic is built and maintained by BlackBerry, and is designed to handle alerts from a range of integrated services. The result is a zero-touch experience that automates frequency and prevalence analysis, making it easier for you to triage and prioritize your cybersecurity efforts.
A new alert is added to an existing alert group when all of the following conditions are met:
  • The priority, classification, sub-classification, description, key indicators, and response of the alert match that group.
  • The alert occurs within 24 hours of the most recent alert in that group.
  • The alert is detected within 7 days (168 hours) of the oldest alert in that group.
A new alert group is created when an alert is detected that does not satisfy all of these conditions.

Priority

The priority of an alert, which correlates to the urgency of the issue and the potential impact on your organization’s environment, is factored into how alerts are grouped. The Alerts view groups the highest priority alerts across the telemetry sources to help you view and resolve the most important alerts first.
The factors that determine the priority of an alert vary by service:
Service and factors:

CylancePROTECT Desktop
  • For threat alerts, the priority is always high in the Alerts view, even if the priority of the alert is lower in Protection > Threats in the management console. The purpose of this elevated priority in the Alerts view is to indicate the urgency of malware detections.
  • For memory protection alerts, the priority is determined by the nature of the memory protection event, as configured by BlackBerry cybersecurity analysts. The priority of an event is based on its overall severity and relevance for investigation.

CylancePROTECT Mobile
  Alerts use a priority value that corresponds to the severity that is displayed in the management console and in the CylancePROTECT Mobile app.

CylanceOPTICS
  The priority is determined by the configuration of the CylanceOPTICS detection rules.

CylanceGATEWAY
  Priority is based on the network protection settings that you configure, or on the reputation of a destination that CylanceGATEWAY has determined to have a high risk level. For example, CylanceGATEWAY might generate alerts to display in the Alerts view in the following scenarios:
  • Destination reputation detections:
    • When enabled, alerts are generated based on the risk level that you set. For example, if you set the risk level to "Medium and higher", alerts are generated for all detections with a risk level of medium or high.
    • When not enabled, alerts are generated by default only for detections that are determined to have a high risk level.
  • Signature detections:
    • When enabled, alerts are generated for blocked signature detections and are displayed with a high risk level.
    • When not enabled, CylanceGATEWAY does not generate alerts.
  • For DNS Tunneling and Zero Day detections, alerts are generated for detections with a high risk level.

CylanceAVERT
  The priority is always high in the Alerts view.

Classification and sub-classification

The alert classification and sub-classification identify and label the underlying detection type, providing structured alert content that better describes the alert detected by a given service. Each service defines its own set of classifications and sub-classifications to clarify the nature of the alert.
Classification and sub-classification data are used to identify and group similar alerts.
The factors that determine the classification and sub-classification of an alert vary by service:
Service and factors:

CylancePROTECT Desktop

CylancePROTECT Mobile
  The classification corresponds to an overall category of alerts (for example, Device Security or Network threats) and the sub-classification corresponds to the specific alert type that displays in the management console and in the app (for example, Malicious app, Sideloaded app, Insecure Wi-Fi, and so on).

CylanceOPTICS
  Detection rules contain MITRE tactics, techniques, and sub-techniques to define the classification and sub-classification of an alert.

CylanceGATEWAY
  The classification corresponds to the overall category of alerts (for example, Network Access Control) and the sub-classification corresponds to the specific alert type that displays in the management console (for example, Reputation, DNS Tunneling, Signature detection, and Zero-Day detection).

CylanceAVERT
  The classification is determined by the exfiltration event.

Description

The description of an alert is a short text that summarizes the alert. Alerts with matching descriptions are more likely to be grouped together.

Key indicators

Key indicators are the detection content that is common to every individual alert in an alert group. The aggregation process compares the key indicators of alerts to determine whether they should be grouped together. For example, if the key indicator of a file alert is the file's SHA256 hash, the hash value is identical in every alert inside that alert group.
The key indicators of an alert vary by service:
Service and factors:

CylancePROTECT Desktop
  • For threat alerts, the key indicator is the SHA256 hash.
  • For memory protection alerts, the key indicators are the unique characteristics of the event (for example, file data such as the SHA256 hash and the risk score).

CylancePROTECT Mobile
  Key indicators correspond to the unique characteristics of a given mobile alert (for example, the package name of a sideloaded app, the SSID of an insecure Wi-Fi network, the model of an unsupported device, and so on).

CylanceOPTICS
  Key indicators are the uniquely identifying facets of the artifacts that are associated with an alert. For example, for process artifacts, the key indicators are the following facets: SHA256 hash, file path, and command line argument. These facets establish a unique signature for the process artifact type that can be compared to other alerts. The key indicator facets for an alert group are common across the individual alerts in the group.

CylanceGATEWAY
  The key indicators are "Network connection" and "DNS request".

CylanceAVERT
  The key indicators vary by the artifact type. For email alert artifacts, the key indicator is the conversationID. For browser and file exfiltration alert artifacts, the key indicator is the UserName.

Response

For services that execute mitigation actions, this is the action that you configured the service to execute in response to the detection. For example, for CylancePROTECT Desktop threat alerts, a response may be one of the following: waived, quarantined, unsafe, or abnormal.
For services that don't execute mitigation actions, this captures relevant information from the integrated service. Alerts with matching responses are more likely to be grouped together.

Time

The time at which an alert occurs relative to other alerts is factored into how alerts are grouped. An alert is added to an existing group if the priority, classification, sub-classification, description, key indicators, and response of the alert match that group, the alert occurs within 24 hours of the most recent alert in that group, and the alert occurs within 7 days (168 hours) of the oldest alert in that group. If the alert matches the above criteria but occurs outside the 24-hour window from the most recent alert in the group, or outside the 7-day window from the oldest alert in the group, it is added to a new group.
The 7-day window ensures that alert groups have a bounded lifetime and do not grow indefinitely.
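To make the three grouping conditions concrete, here is an added Python example that applies the rules described on this page to a constructed set of alerts; it is not BlackBerry's code or the console's actual implementation, and the attribute names, the "Malware"/"Threat" labels, the timestamps and the placeholder hash are assumptions. The sample deliberately chains alerts 20 hours apart so that the 24-hour condition keeps holding while the 7-day limit is eventually crossed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Windows stated on the page: a new alert joins a group only if it falls within
# 24 hours of the group's newest alert and within 7 days of its oldest alert.
RECENT_WINDOW = timedelta(hours=24)
GROUP_LIFETIME = timedelta(days=7)

@dataclass(frozen=True)
class Alert:
    detected_at: datetime
    priority: str
    classification: str
    sub_classification: str
    description: str
    key_indicators: tuple  # sorted (facet, value) pairs, e.g. (("sha256", "..."),)
    response: str
    def match_key(self):
        # Every non-time attribute must be identical for two alerts to share a group.
        return (self.priority, self.classification, self.sub_classification,
                self.description, self.key_indicators, self.response)

class AlertGroup:
    def __init__(self, first):
        self.alerts = [first]
        self.oldest = self.newest = first.detected_at
    def accepts(self, alert):
        # Alerts are fed in detection order, so alert.detected_at >= self.newest.
        return (alert.match_key() == self.alerts[0].match_key()
                and alert.detected_at - self.newest <= RECENT_WINDOW
                and alert.detected_at - self.oldest <= GROUP_LIFETIME)

def group_alerts(alerts):
    """Assign alerts, in detection order, to the first group that accepts them."""
    groups = []
    for alert in sorted(alerts, key=lambda a: a.detected_at):
        target = next((g for g in groups if g.accepts(alert)), None)
        if target is None:
            groups.append(AlertGroup(alert))
        else:
            target.alerts.append(alert)
            target.newest = alert.detected_at
    return groups

def sample_alerts():
    """Constructed threat alerts in the CylancePROTECT Desktop style (hash is a placeholder)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    base = dict(priority="high", classification="Malware", sub_classification="Threat",
                description="Unsafe file detected", response="quarantined", key_indicators=(("sha256", "0" * 64),))
    hours = list(range(0, 181, 20)) + [200]  # a chain every 20 h that crosses the 7-day limit
    alerts = [Alert(t0 + timedelta(hours=h), **base) for h in hours]
    alerts.append(Alert(t0 + timedelta(hours=20), **{**base, "response": "waived"}))  # differs only in response
    return alerts
```

Running `group_alerts(sample_alerts())` yields three groups: the first nine chained alerts (hours 0 to 160), the lone waived alert, and a new group started at hour 180 that the hour-200 alert then joins.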