How Cylance Endpoint Security groups alerts
Cylance Endpoint Security uses the following criteria to group alerts from various services, automating the process to allow you to scope and optimize your threat-hunting and resolution activities to logical groupings of related alerts.

A new alert group is created when an alert is detected that does not satisfy all of these conditions.
| Alert attribute | Description |
|---|---|
| Priority | The priority of an alert, which correlates to the urgency of the issue and the potential impact on your organization’s environment, is factored into how alerts are grouped. The Alerts view groups the highest priority alerts across the telemetry sources to help you view and resolve the most important alerts first. The factors that determine the priority of an alert vary by service. |
| Category | The category of an alert refers to characteristics at the macro level that can be used to identify and group similar alerts. The factors that determine the category of an alert vary by service. |
| Description | The description of an alert is a characteristic that provides a short segment of information about the alert. Alerts with matching descriptions are more likely to be grouped together. |
| Key indicators | The key indicators of an alert are the objects that are associated with that alert and the unique characteristics of those objects. The aggregation process compares the key indicators of alerts to determine whether they should be grouped together. Alerts with common key indicators that have matching priority, classification, description, and response, and occur within a certain time period, are grouped together. The key indicators of an alert vary by service. |
| Response | For services that execute mitigation actions, this is the action that you configured the service to execute in response to the detection. For example, for CylancePROTECT Desktop threat alerts, a response may be one of the following: waived, quarantined, unsafe, or abnormal. For services that don't execute mitigation actions, this captures relevant information from the integrated service. Alerts with matching responses are more likely to be grouped together. |
| Time | The time that an alert occurs relative to other alerts is factored into how alerts are grouped. When an alert is detected, other alerts that are detected within 7 days (168 hours) are candidates to be grouped with that alert based on other criteria. Alerts that occur after that 7-day window are part of a separate grouping. |
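The grouping rules in the table above, written out as a small aggregation routine. This is an added example, not code from Cylance Endpoint Security or BlackBerry; it shows how a triage pipeline of your own could reproduce the documented behaviour on exported alerts. It assumes an alert record with the fields `priority`, `category`, `description`, `response`, `key_indicators` and `detected_at` (the page does not specify field names), treats "common key indicators" as at least one shared indicator with any alert already in the group, and measures the 168-hour window from the first alert in the group. The sample alerts, hashes and host names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# 7 days (168 hours), the window stated in the Time row of the table.
GROUPING_WINDOW = timedelta(hours=168)


@dataclass(frozen=True)
class Alert:
    """One alert as exported from a service (field names are assumed, not Cylance's)."""
    alert_id: str
    service: str
    priority: str
    category: str
    description: str
    response: str
    key_indicators: frozenset
    detected_at: datetime


@dataclass
class AlertGroup:
    alerts: list = field(default_factory=list)

    @property
    def first_seen(self) -> datetime:
        return self.alerts[0].detected_at

    def accepts(self, alert: Alert) -> bool:
        """Apply the grouping conditions; every one must hold or a new group is created."""
        anchor = self.alerts[0]
        # Priority, category (classification), description and response must all match.
        same_attrs = (
            alert.priority == anchor.priority
            and alert.category == anchor.category
            and alert.description == anchor.description
            and alert.response == anchor.response
        )
        if not same_attrs:
            return False
        # Assumption: "common key indicators" means the alert shares at least one
        # indicator with some alert already in the group.
        if not any(alert.key_indicators & a.key_indicators for a in self.alerts):
            return False
        # Assumption: the 168-hour window is measured from the group's first alert.
        return abs(alert.detected_at - self.first_seen) <= GROUPING_WINDOW


def group_alerts(alerts) -> list:
    """Group alerts in time order; an alert joins the first group that accepts it."""
    groups = []
    for alert in sorted(alerts, key=lambda a: a.detected_at):
        for group in groups:
            if group.accepts(alert):
                group.alerts.append(alert)
                break
        else:
            groups.append(AlertGroup([alert]))
    return groups


def group_ids(groups) -> list:
    """Flatten groups to lists of alert IDs, convenient for reporting and tests."""
    return [[a.alert_id for a in g.alerts] for g in groups]


# Constructed sample: five CylancePROTECT Desktop-style threat alerts.
_T0 = datetime(2024, 1, 1, 9, 0)


def _threat(alert_id, response, indicators, offset):
    return Alert(alert_id, "CylancePROTECT Desktop", "High", "Malware",
                 "Malware detected", response, frozenset(indicators), _T0 + offset)


SAMPLE_ALERTS = [
    _threat("A1", "quarantined", {"sha256:deadbeef"}, timedelta()),
    _threat("A2", "quarantined", {"sha256:deadbeef", "host:LAPTOP-02"}, timedelta(hours=2)),
    _threat("A3", "waived", {"sha256:deadbeef"}, timedelta(hours=3)),        # response differs
    _threat("A4", "quarantined", {"sha256:deadbeef"}, timedelta(days=8)),     # outside 7-day window
    _threat("A5", "quarantined", {"sha256:cafebabe"}, timedelta(hours=1)),    # no shared indicator
]

if __name__ == "__main__":
    for n, ids in enumerate(group_ids(group_alerts(SAMPLE_ALERTS)), start=1):
        print(f"group {n}: {', '.join(ids)}")
```

Only A1 and A2 end up together: A5 shares no indicator, A3 has a different response, and A4 falls outside the 168-hour window, so each starts its own group. Because matching is done against the group's first alert, an alert that arrives in the window but matches a later member on indicators still joins, which is the behaviour the Key indicators row describes.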