Managing alerts across Cylance Endpoint Security services

The Alerts view gives you a comprehensive way to review the alerts that are detected and correlated across Cylance Endpoint Security services, making it easier for you to identify and track prevailing threat patterns in your corporate ecosystem and resolve collections of alerts more efficiently. The Alerts view replaces the need to investigate alerts from various sections of the console that are each dedicated to a specific service, such as CylancePROTECT Desktop or CylanceOPTICS. You can use the Alerts view to review, investigate, and manage alerts from any of the Cylance Endpoint Security services that your environment supports.

Service | Supported by the Alerts view |
---|---|
CylancePROTECT Desktop | Threat telemetry, memory protection alerts, and script control alerts from the CylancePROTECT Desktop agent on desktop devices. |
CylancePROTECT Mobile | Alerts detected by the CylancePROTECT Mobile app. |
CylanceOPTICS | Alerts detected by the CylanceOPTICS agent on desktop devices. |
CylanceGATEWAY | Alerts raised by the network protection settings that you have configured, or by destination reputations that CylanceGATEWAY has determined to be high risk. |
CylanceAVERT | Exfiltration events from the CylanceAVERT agent on desktop devices. |
Okta connector | Okta user event telemetry using the BlackBerry Okta connector. Requires a CylanceENDPOINT Pro license. |
Mimecast connector | Mimecast attachment protection telemetry using the BlackBerry Mimecast connector. Requires a CylanceENDPOINT Pro license. |
The initial Alerts view is a summary that groups similar alerts based on criteria such as priority, alert classification, configured responses, and other key alert attributes. For more information about the criteria, see How Cylance Endpoint Security groups alerts.
The automated grouping of alerts reflects both the frequency and prevalence of alerts, giving analysts a clear view of how often threats occur and where they occur. By default, the alert groups are sorted in descending order by priority to provide a top-down view of all relevant security telemetry. Each group displays icons for the types of key indicator artifacts that are associated with the group (for example, File, Process, Email, and so on). You can click a key indicator icon to review the attributes of the key indicator, and, where applicable, you can copy or filter by those values. As new alerts are detected and processed from the telemetry sources, they are added to an existing group or to a new group.
The Alerts view supports single detection and multi-detection alerts. Alert detection rules can sometimes perform multiple detections before an alert is generated and displayed in the Alerts view. Each detection is modeled using an event (for example, File Opened, Registry Key Added, and so on).
You can click an alert group to access the following information:
- The alert overview tab that summarizes detection details and key indicators relevant to the group.
- The key indicators tab shows the detection attributes that are identical in each individual alert within the group. For example, if the key indicator was a file hash, that hash was detected in each alert, whether it was from the same device or different devices. The key indicators are represented visually to show the relationship between parent, child, and sibling objects. For multi-detection alerts, the key indicators are included within each event and are summarized in the order of execution.
- The list of individual alerts in the group. You can click an individual alert to open granular details. You can also view the full set of artifacts, represented as icons, that are associated with the alert. The artifacts contain the full set of facets captured by the underlying detection engine. Like key indicators, these artifacts are represented visually to show the relationship between parent, child, and sibling objects. For multi-detection alerts, the key indicators are included within each event and are summarized in the order of execution.
- You can use the AI-powered Cylance Assistant to provide a summary analysis of an alert group, and detailed analysis for process and script artifacts within an alert group. The Cylance Assistant leverages rich cybersecurity knowledge sources to provide valuable information to aid you in your threat investigations. For more information, see Use the AI-powered Cylance Assistant to investigate alerts.
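As an added illustration (this is not Cylance code and does not describe the service's real grouping logic), the following Python model shows the grouping behaviour described above: alerts that share a priority, a classification, and an identical key indicator (such as a file hash) fall into one group; each group reports frequency (alert count) and prevalence (distinct devices); groups are sorted in descending priority order; and a newly processed alert either joins an existing group or opens a new one. All alert data is constructed, and the hash values are placeholders.

```python
"""Toy model of alert grouping by key indicators.

Added illustrative example; not Cylance code. The grouping key, the sort
order and the sample data are assumptions made for this illustration.
"""
from dataclasses import dataclass, field

# Assumed priority ranking used only for sorting in this example.
PRIORITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    service: str            # originating service, e.g. "CylancePROTECT Desktop"
    priority: str
    classification: str
    device: str
    key_indicator: tuple    # (artifact type, value), e.g. ("File", "sha256:...")


@dataclass
class AlertGroup:
    priority: str
    classification: str
    key_indicator: tuple
    alerts: list = field(default_factory=list)

    @property
    def frequency(self) -> int:
        """How often the threat occurred: number of alerts in the group."""
        return len(self.alerts)

    @property
    def prevalence(self) -> int:
        """Where the threat occurred: number of distinct devices in the group."""
        return len({a.device for a in self.alerts})


def group_key(alert: Alert) -> tuple:
    """Alerts with identical priority, classification and key indicator share a group."""
    return (alert.priority, alert.classification, alert.key_indicator)


def add_alert(groups: dict, alert: Alert) -> AlertGroup:
    """Add a newly processed alert to an existing group, or open a new one."""
    key = group_key(alert)
    group = groups.get(key)
    if group is None:
        group = AlertGroup(alert.priority, alert.classification, alert.key_indicator)
        groups[key] = group
    group.alerts.append(alert)
    return group


def sorted_groups(groups: dict) -> list:
    """Top-down view: highest priority first, then most prevalent, then most frequent."""
    return sorted(
        groups.values(),
        key=lambda g: (PRIORITY_RANK[g.priority], g.prevalence, g.frequency),
        reverse=True,
    )


# Constructed sample alerts; hash values are placeholders, not real indicators.
SAMPLE_ALERTS = [
    Alert("a1", "CylancePROTECT Desktop", "High", "Malware", "WS-01", ("File", "sha256:PLACEHOLDER_A")),
    Alert("a2", "CylancePROTECT Desktop", "High", "Malware", "WS-02", ("File", "sha256:PLACEHOLDER_A")),
    Alert("a3", "CylancePROTECT Desktop", "High", "Malware", "WS-02", ("File", "sha256:PLACEHOLDER_A")),
    Alert("a4", "CylanceOPTICS", "Medium", "Suspicious", "WS-03", ("Script", "sha256:PLACEHOLDER_C")),
    Alert("a5", "CylancePROTECT Desktop", "Low", "Malware", "WS-01", ("File", "sha256:PLACEHOLDER_B")),
]


def build_groups(alerts=SAMPLE_ALERTS) -> list:
    """Process alerts in arrival order and return the groups in display order."""
    groups: dict = {}
    for alert in alerts:
        add_alert(groups, alert)
    return sorted_groups(groups)


if __name__ == "__main__":
    for g in build_groups():
        print(f"{g.priority:8} {g.classification:10} {g.key_indicator} "
              f"alerts={g.frequency} devices={g.prevalence}")
```

Running the script lists three groups: the High-priority file-hash group with three alerts across two devices, then the Medium script group, then the Low group. The same key-indicator value appearing in every alert of the first group is what the page calls a key indicator; a different hash (PLACEHOLDER_B) opens a separate group even though the classification matches.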
Depending on the types of alerts in a group, you may also be able to perform management actions. For example, for CylancePROTECT Desktop threat alerts, you can add a file to or remove a file from the global safe list or global quarantine list.