How Cylance Endpoint Security groups alerts

Cylance Endpoint Security uses the following criteria to group alerts from various services, automating the process so that you can scope and optimize your threat-hunting and resolution activities around logical groupings of related alerts.
A new alert group is created when an alert is detected that does not satisfy all of these conditions.
Priority

The priority of an alert, which correlates to the urgency of the issue and the potential impact on your organization’s environment, is factored into how alerts are grouped. The Alerts view groups the highest priority alerts across the telemetry sources to help you view and resolve the most important alerts first.

The factors that determine the priority of an alert vary by service:
  • For CylanceOPTICS alerts, the priority is determined by the configuration of the CylanceOPTICS detection rules.
  • For CylancePROTECT Desktop threat alerts, the priority is always high in the Alerts view, even if the priority of the alert is lower in Protection > Threats in the management console. This elevated priority in the Alerts view indicates the urgency of malware detections and distinguishes CylancePROTECT Desktop threat alerts from the alerts detected by other services.
  • For CylanceAVERT alerts, the priority is provided by CylanceAVERT and is always high in the Alerts view.
Category

The category of an alert refers to characteristics at the macro level that can be used to identify and group similar alerts.

The factors that determine the category of an alert vary by service:
  • For CylanceOPTICS, the classification of the detection rules (for example, MITRE rules) is used to define the category of an alert.
  • For CylancePROTECT Desktop threat alerts, the category is always classified as "Threat."
  • For CylanceAVERT alerts, the category is determined by the exfiltration event.
Description

The description of an alert is a short piece of text that summarizes the alert. Alerts with matching descriptions are more likely to be grouped together.
Key indicators

The key indicators of an alert are the objects that are associated with that alert and the unique characteristics of those objects. The aggregation process compares the key indicators of alerts to determine whether they should be grouped together. Alerts with common key indicators that have matching priority, classification, description, and response, and that occur within a certain time period, are grouped together.

The key indicators of an alert vary by service:
  • For CylanceOPTICS, key indicators are the uniquely identifying facets of the artifacts that are associated with an alert. For example, for process artifacts, the key indicators are the following facets: SHA256 hash, file path, and command line argument. These facets establish a unique signature for the process artifact type that can be compared to other alerts. The key indicator facets for an alert group are common across the individual alerts in the group.
  • For CylancePROTECT Desktop threat alerts, the key indicator is the SHA256 file hash.
  • For CylanceAVERT, the key indicators vary by the artifact type:
    • For email alert artifacts, the key indicator is the conversationID.
    • For browser and file exfiltration alert artifacts, the key indicator is the UserName.
Response

For services that execute mitigation actions, this is the action that you configured the service to execute in response to the detection. For example, for CylancePROTECT Desktop threat alerts, a response may be one of the following: waived, quarantined, unsafe, or abnormal.

For services that don't execute mitigation actions, this captures relevant information from the integrated service. Alerts with matching responses are more likely to be grouped together.
Time

The time at which an alert occurs relative to other alerts is factored into how alerts are grouped. When an alert is detected, other alerts that are detected within 7 days (168 hours) are candidates to be grouped with that alert, subject to the other criteria above. Alerts that occur after that 7-day window are placed in a separate group.
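To make the grouping rules above concrete, here is an added Python model of the aggregation logic as this page describes it. It is illustrative code written for this page, not Cylance's implementation, and several details are assumptions: the field names of the alert record, the service labels ("OPTICS", "PROTECT_DESKTOP", "AVERT"), that the service name is part of the match key, and that the 7-day window is anchored on the first alert in a group. The sample alerts, hashes, paths and names are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Grouping window stated on the page: 7 days (168 hours).
WINDOW = timedelta(hours=168)


@dataclass
class Alert:
    """One alert as reported by a service (field names are constructed)."""
    id: str
    service: str            # "OPTICS", "PROTECT_DESKTOP" or "AVERT" (assumed labels)
    detected_at: datetime
    priority: str           # priority as reported by the service itself
    category: str
    description: str
    response: str
    artifact: dict          # service-specific facets of the associated object


def effective_priority(alert: Alert) -> str:
    """Priority as shown in the Alerts view: PROTECT Desktop threat alerts and
    AVERT alerts are always high there, whatever the service reported."""
    if alert.service in ("PROTECT_DESKTOP", "AVERT"):
        return "high"
    return alert.priority


def effective_category(alert: Alert) -> str:
    """PROTECT Desktop threat alerts are always categorised as "Threat"."""
    if alert.service == "PROTECT_DESKTOP":
        return "Threat"
    return alert.category


def key_indicators(alert: Alert) -> tuple:
    """The uniquely identifying facets that are compared between alerts."""
    a = alert.artifact
    if alert.service == "OPTICS":
        # Process artifact facets: SHA256 hash, file path and command line.
        return (a.get("sha256"), a.get("file_path"), a.get("command_line"))
    if alert.service == "PROTECT_DESKTOP":
        return (a.get("sha256"),)
    if alert.service == "AVERT":
        if a.get("type") == "email":
            return (a.get("conversationID"),)
        return (a.get("UserName"),)     # browser and file exfiltration artifacts
    raise ValueError(f"unknown service {alert.service!r}")


def group_key(alert: Alert) -> tuple:
    """Everything except time that must match for two alerts to share a group.
    Including the service name is an assumption made here so that indicators
    from different services are never compared with each other."""
    return (alert.service, effective_priority(alert), effective_category(alert),
            alert.description, alert.response, key_indicators(alert))


@dataclass
class AlertGroup:
    key: tuple
    opened_at: datetime              # detection time of the alert that opened the group
    alerts: list = field(default_factory=list)


def group_alerts(alerts: list) -> list:
    """Assign alerts to groups in detection order. The window is anchored on the
    first alert of a group (an assumption; the page does not say whether later
    alerts extend it), so an otherwise identical alert detected more than 7 days
    after the group opened starts a new group."""
    groups: list = []
    for alert in sorted(alerts, key=lambda x: x.detected_at):
        key = group_key(alert)
        for g in groups:
            if g.key == key and alert.detected_at - g.opened_at <= WINDOW:
                g.alerts.append(alert)
                break
        else:
            groups.append(AlertGroup(key, alert.detected_at, [alert]))
    return groups


def grouped_ids(alerts: list) -> list:
    """Convenience view: one list of alert ids per group."""
    return [[a.id for a in g.alerts] for g in group_alerts(alerts)]


# Constructed sample alerts (hashes, paths and names are placeholders).
T0 = datetime(2024, 1, 1, 9, 0)
PS = {"sha256": "HASH-POWERSHELL",
      "file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
      "command_line": "powershell.exe -File C:\\Scripts\\report.ps1"}
SAMPLE_ALERTS = [
    Alert("a1", "OPTICS", T0, "medium", "Execution", "Script interpreter launched", "none", PS),
    Alert("a2", "OPTICS", T0 + timedelta(days=2), "medium", "Execution", "Script interpreter launched", "none", PS),
    Alert("a3", "OPTICS", T0 + timedelta(days=8), "medium", "Execution", "Script interpreter launched", "none", PS),
    # Same hash and path but a different command line: a different key indicator signature.
    Alert("a4", "OPTICS", T0 + timedelta(hours=1), "medium", "Execution", "Script interpreter launched", "none",
          dict(PS, command_line="powershell.exe -File C:\\Scripts\\cleanup.ps1")),
    # Reported priorities differ, but both are "high"/"Threat" in the Alerts view.
    Alert("a5", "PROTECT_DESKTOP", T0, "low", "", "Malware detected", "quarantined", {"sha256": "HASH-MALWARE"}),
    Alert("a6", "PROTECT_DESKTOP", T0 + timedelta(days=3), "medium", "", "Malware detected", "quarantined", {"sha256": "HASH-MALWARE"}),
    Alert("a7", "AVERT", T0, "high", "Exfiltration", "Sensitive file sent by email", "none", {"type": "email", "conversationID": "conv-1"}),
    Alert("a8", "AVERT", T0 + timedelta(days=1), "high", "Exfiltration", "Sensitive file sent by email", "none", {"type": "email", "conversationID": "conv-1"}),
]

if __name__ == "__main__":
    for ids in grouped_ids(SAMPLE_ALERTS):
        print(ids)
```

Running the sample yields five groups: a1 and a2 share OPTICS facets within the window, a3 matches them but falls outside the 7 days, a4 differs only in command line and so gets its own group, a5 and a6 group despite different reported priorities, and the two AVERT alerts group on conversationID. If the real product anchors the window on the most recent alert rather than the first, a3 would join a1/a2; that is exactly the kind of behaviour worth confirming in your own tenant before relying on group boundaries during triage.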