How Cylance Endpoint Security groups alerts
Cylance Endpoint Security uses the following criteria to group alerts from various services, automating the process so that you can scope and optimize your threat-hunting and resolution activities around logical groupings of related alerts. The grouping logic is built and maintained by BlackBerry, and is dynamically designed to handle alerts from a range of integrated services. The result is a zero-touch experience that automates frequency and prevalence analysis, making it easier for you to triage and prioritize your cybersecurity efforts.
A new alert is added to an existing alert group when all of the following conditions are met:
- The priority, classification, sub-classification, description, key indicators, and response of the alert match that group.
- The alert occurs within 24 hours of the most recent alert in that group.
- The alert is detected within 7 days (168 hours) of the oldest alert in that group.
A new alert group is created when an alert is detected that does not satisfy all of these conditions.
Priority
The priority of an alert, which correlates to the urgency of the issue and the potential impact on your organization's environment, is factored into how alerts are grouped. The Alerts view groups the highest priority alerts across the telemetry sources to help you view and resolve the most important alerts first.
The factors that determine the priority of an alert vary by service:
- Priority is based on the network protection settings that you configure or the reputation of a destination, as determined by CylanceGATEWAY, with a high risk level. For example, CylanceGATEWAY might generate alerts to display in the Alerts view in the following scenarios:
- The priority is always high in the Alerts view.
- The priority is determined through Mimecast attachment risk scoring.
- The priority is configured by
Classification and sub-classification
The alert classification and sub-classification identify and label the underlying detection type to provide structured alert content that better describes the alert detected by a given service. Each service defines a specific set of classifications and sub-classifications to clarify the nature of the alert.
Classification and sub-classification data are used to identify and group similar alerts.
The factors that determine the classification and sub-classification of an alert vary by service:
- The classification corresponds to an overall category of alerts (for example, Device Security or Network threats) and the sub-classification corresponds to the specific alert type that displays in the management console and in the app (for example, Malicious app, Sideloaded app, Insecure Wi-Fi, and so on).
- Detection rules contain MITRE tactics, techniques, and sub-techniques to define the classification and sub-classification of an alert.
- The classification corresponds to the overall category of alerts (for example, Network Access Control) and the sub-classification corresponds to the specific alert type that displays in the management console (for example, Reputation, DNS Tunneling, Signature detection, and Zero-Day detection).
- The classification is determined by the exfiltration event.
- The classification of an alert is either user access control (for example, if the maximum number of sign-in attempts is exceeded) or network access control (for example, if the IP request is blocked due to a blocklist rule). If the alert classification is user access control, the sub-classification is user lockout. If the alert classification is network access control, the sub-classification is IP address blocked.
Description
The description of an alert is a characteristic that provides a short segment of information about the alert. Alerts with matching descriptions are more likely to be grouped together.
Key indicators
Key indicators are the detection content that is common across every individual alert in an alert group. The aggregation process compares the key indicators of alerts to determine whether they should be grouped together. For example, if a file contains a key indicator SHA256 hash, the hash value is identical within each alert inside an alert group.
The key indicators of an alert vary by service:
- Key indicators correspond to the unique characteristics of a given mobile alert (for example, the package name of a sideloaded app, the SSID of an insecure Wi-Fi network, the model of an unsupported device, and so on).
- Key indicators are the uniquely identifying facets of the artifacts that are associated with an alert. For example, for process artifacts, the key indicators are the following facets: SHA256 hash, file path, and command line argument. These facets establish a unique signature for the process artifact type that can be compared to other alerts. The key indicator facets for an alert group are common across the individual alerts in the group.
- The key indicators are "Network connection" and "DNS request".
- The key indicators vary by the artifact type. For email alert artifacts, the key indicator is the conversationID. For browser and file exfiltration alert artifacts, the key indicator is the UserName.
- The key indicators are the facets of the artifacts that are associated with an alert. For example, for email attachment artifacts, the key indicator is the SHA256 hash of the email file attachment.
- The key indicators are the accounts associated with user login requests and the IP address associated with blocked login attempts.
Response
For services that execute mitigation actions, this is the action that you configured the service to execute in response to the detection. For example, for CylancePROTECT Desktop threat alerts, a response may be one of the following: waived, quarantined, unsafe, or abnormal.
For services that don't execute mitigation actions, this captures relevant information from the integrated service. Alerts with matching responses are more likely to be grouped together.
Time
The time that an alert occurs relative to other alerts is factored into how alerts are grouped. An alert is added to an existing group if the priority, classification, sub-classification, description, key indicators, and response of the alert match that group, the alert occurs within 24 hours of the most recent alert in that group, and the alert occurs within 7 days (168 hours) of the oldest alert in that group. If the alert matches the above criteria but occurs outside of the 24-hour window from the most recent alert in the group, or outside of the 7-day window from the oldest alert in the group, it is added to a new group.
The 7-day window ensures that alert groups have a fixed lifetime and do not grow indefinitely.
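The grouping rules above (matching attributes, the 24-hour recency window and the 7-day lifetime window) are easier to reason about when run over concrete alerts. The following Python is an added worked example written for this page; it is not BlackBerry code and does not reflect how the Cylance console is implemented. The alert fields, the sample timestamps and the placeholder SHA256 values are all constructed for the illustration. It also shows a consequence the text only implies: because alerts are processed in time order and both windows only ever close, an expired group can never re-qualify, so at most one existing group can match a new alert.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Windows stated on the page: an alert joins a group only if it is within
# 24 hours of the group's newest alert and within 7 days (168 hours) of
# the group's oldest alert.
RECENT_WINDOW = timedelta(hours=24)
GROUP_LIFETIME = timedelta(hours=168)


@dataclass(frozen=True)
class Alert:
    alert_id: str
    detected_at: datetime
    priority: str
    classification: str
    sub_classification: str
    description: str
    key_indicators: frozenset   # facet pairs such as ("sha256", "..."); order-independent
    response: str

    def grouping_key(self) -> tuple:
        """Everything except time must match exactly for two alerts to share a group."""
        return (self.priority, self.classification, self.sub_classification,
                self.description, self.key_indicators, self.response)


@dataclass
class AlertGroup:
    alerts: list = field(default_factory=list)

    @property
    def key(self) -> tuple:
        return self.alerts[0].grouping_key()

    @property
    def oldest(self) -> datetime:
        return min(a.detected_at for a in self.alerts)

    @property
    def newest(self) -> datetime:
        return max(a.detected_at for a in self.alerts)


def fits_group(alert: Alert, group: AlertGroup) -> bool:
    """The three conditions from the page: attribute match, 24h recency, 168h lifetime."""
    if alert.grouping_key() != group.key:
        return False
    if alert.detected_at - group.newest > RECENT_WINDOW:
        return False
    if alert.detected_at - group.oldest > GROUP_LIFETIME:
        return False
    return True


def group_alerts(alerts) -> list:
    """Assign alerts to groups in detection order, opening a new group when none fits."""
    groups: list = []
    for alert in sorted(alerts, key=lambda a: a.detected_at):
        # Time only moves forward, so a group that has fallen outside either
        # window stays outside it; at most one existing group can match.
        target = next((g for g in groups if fits_group(alert, g)), None)
        if target is None:
            groups.append(AlertGroup([alert]))
        else:
            target.alerts.append(alert)
    return groups


def summarize(groups) -> list:
    """(alert count, whole hours between oldest and newest) per group, in creation order."""
    return [(len(g.alerts), int((g.newest - g.oldest).total_seconds() // 3600))
            for g in groups]


def sample_alerts() -> list:
    """Constructed sample data (not from the page): repeated threat alerts whose
    key indicator is a file hash, detected at chosen offsets from a base time."""
    base = datetime(2024, 1, 1, 9, 0)
    hash_a = ("sha256", "a" * 64)   # placeholder, not a real hash
    hash_b = ("sha256", "b" * 64)   # placeholder, not a real hash

    def make(alert_id, hours, sha):
        return Alert(alert_id=alert_id, detected_at=base + timedelta(hours=hours),
                     priority="high", classification="Device Security",
                     sub_classification="Threat", description="Malware detected",
                     key_indicators=frozenset([sha]), response="quarantined")

    alerts = [make("a1", 0, hash_a), make("a2", 20, hash_a), make("a3", 43, hash_a)]
    # 29h after a3: identical attributes, but outside the 24h recency window -> new group
    alerts += [make(f"b{i}", 72 + 20 * i, hash_a) for i in range(9)]   # 72h .. 232h
    # 20h after the last b alert but 180h after the first -> 7-day limit, new group
    alerts.append(make("c1", 252, hash_a))
    # inside both windows of the b group, but a different key indicator -> its own group
    alerts.append(make("d1", 80, hash_b))
    return alerts


if __name__ == "__main__":
    for n, g in enumerate(group_alerts(sample_alerts()), start=1):
        print(f"group {n}: {[a.alert_id for a in g.alerts]}")
```

Running the module prints four groups: the three a alerts, the nine b alerts spanning 160 hours, d1 on its own because its SHA256 facet differs, and c1 on its own because it is 180 hours after the first b alert even though it is only 20 hours after the last one.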