Skip Navigation
  1. BlackBerry Docs
  2. Cylance Endpoint Security
  3. Administration
  4. Cylance Endpoint Security Administration Guide
  5. Managing alerts across Cylance Endpoint Security services

Managing alerts across
Cylance Endpoint Security
 services

The Alerts view gives you a comprehensive way to review the alerts that are detected and correlated across
Cylance Endpoint Security
 services, making it easier for you to identify and track prevailing threat patterns in your corporate ecosystem and resolve collections of alerts more efficiently. The Alerts view replaces the need to investigate alerts from various sections of the console that are each dedicated to a specific service such as
CylancePROTECT Desktop
 or
CylanceOPTICS
. You can use the Alerts view to review, investigate, and manage alerts from any of the
Cylance Endpoint Security
 services that your environment supports.
Service
Supported by the Alerts view
CylancePROTECT Desktop
Threat telemetry, memory protection alerts, and script control alerts from the
CylancePROTECT Desktop
 agent on desktop devices.
CylancePROTECT Mobile
Alerts detected by the CylancePROTECT Mobile app.
CylanceOPTICS
Alerts detected by the CylanceOPTICS agent on desktop devices.
CylanceGATEWAY
Network protection settings that you have configured or the destination reputations that
CylanceGATEWAY
 has determined to be high risk.
CylanceAVERT
Exfiltration events from the
CylanceAVERT
 agent on desktop devices.
Okta
 connector
Okta
 user event telemetry using the BlackBerry Okta connector.
Requires a CylanceENDPOINT Pro license.
Mimecast
 connector
Mimecast
 attachment protection telemetry using the BlackBerry Mimecast connector.
Requires a CylanceENDPOINT Pro license.
The initial Alerts view is a summary that groups similar alerts based on criteria such as priority, alert classification, configured responses, and other key alert attributes. For more information about the criteria, see How Cylance Endpoint Security groups alerts.
The automated grouping of alerts reflects both the frequency and prevalence of alerts, giving analysts a clear view of how often threats occur and where they occur. By default, the alert groups are sorted in descending order by priority to provide a top-down view of all relevant security telemetry. Each group displays icons for the types of key indicator artifacts that are associated with the group (for example, File, Process, Email, and so on). You can click a key indicator icon to review the attributes of the key indicator, and, where applicable, you can copy or filter by those values. As new alerts are detected and processed from the telemetry sources, they are added to an existing group or to a new group.
The Alerts view supports single detection and multi-detection alerts. Alert detection rules can sometimes perform multiple detections before an alert is generated and displayed in the Alerts view. Each detection is modeled using an event (for example, File Opened, Registry Key Added, and so on).
You can click an alert group to access the following information:
  • The alert overview tab that summarizes detection details and key indicators relevant to the group.
  • The key indicators tab shows the detection attributes that are identical in each individual alert within the group. For example, if the key indicator was a file hash, that hash was detected in each alert, whether it was from the same device or different devices. The key indicators are represented visually to show the relationship between parent, child, and sibling objects. For multi-detection alerts, the key indicators are included within each event and are summarized in the order of execution.
  • The list of individual alerts in the group. You can click an individual alert to open granular details. You can also view the full set of artifacts, represented as icons, that are associated with the alert. The artifacts contain the full set of facets captured by the underlying detection engine. Like key indicators, these artifacts are represented visually to show the relationship between parent, child, and sibling objects. For multi-detection alerts, the key indicators are included within each event and are summarized in the order of execution.
Depending on the types of alerts in a group, you may also be able to perform management actions. For example, for
CylancePROTECT Desktop
 threat alerts, you can add a file to or remove a file from the global safe list or global quarantine list.