
How Cylance Endpoint Security groups alerts

Cylance Endpoint Security uses the following criteria to group alerts from various services, automating the process so that you can scope and optimize your threat-hunting and resolution activities around logical groupings of related alerts. The grouping logic is built and maintained by BlackBerry, and is dynamically designed to handle alerts from a range of integrated services. The result is a zero-touch experience that automates frequency and prevalence analysis, making it easier for you to triage and prioritize your cybersecurity efforts.
A new alert is added to an existing alert group when all of the following conditions are met:
  • The priority, classification, sub-classification, description, key indicators, and response of the alert match that group.
  • The alert is detected within 7 days (168 hours) of the oldest alert in that group.
A new alert group is created when an alert is detected that does not satisfy all of these conditions.

Priority

The priority of an alert, which correlates to the urgency of the issue and the potential impact on your organization’s environment, is factored into how alerts are grouped. The Alerts view groups the highest priority alerts across the telemetry sources to help you view and resolve the most important alerts first.
The factors that determine the priority of an alert vary by service:
Service
Factors
CylancePROTECT Desktop
  • For threat alerts, the priority is always high in the Alerts view, even if the priority of the alert is lower in Protection > Threats in the management console. The purpose of this elevated priority in the Alerts view is to indicate the urgency of malware detections.
  • For memory protection and script control alerts, the priority is determined by the nature of the event, as configured by BlackBerry cybersecurity analysts. The priority is based on the overall severity and relevance for investigation.
CylancePROTECT Mobile
Alerts use a priority value that corresponds to the severity that is displayed in the management console and in the CylancePROTECT Mobile app.
CylanceOPTICS
The priority is determined by the configuration of the CylanceOPTICS detection rules.
CylanceGATEWAY
Priority is based on the network protection settings that you configure or the reputation of a destination, as determined by CylanceGATEWAY, with a high risk level. For example, CylanceGATEWAY might generate alerts to display in the Alerts view in the following scenarios:
  • Destination reputation detections:
    • When enabled, alerts are generated based on the risk level that you set. For example, if you set the risk level to "Medium and higher", alerts are generated for all detections with a risk level of medium or high.
    • When not enabled, alerts that are determined to have a high risk level are generated by default.
  • Signature detections:
    • When enabled, alerts are generated for blocked signature detections and are displayed with a high risk level.
    • When not enabled, CylanceGATEWAY will not generate alerts.
  • For DNS Tunneling and Zero Day detections, alerts are generated for detections with a high risk level.
CylanceAVERT
The priority is always high in the Alerts view.
Mimecast
The priority is determined through Mimecast attachment risk scoring.
Okta
The priority is configured by BlackBerry cybersecurity analysts.

Classification and sub-classification

The alert classification and sub-classification identify and label the underlying detection type, providing structured alert content that better describes the alert detected by a given service. Each service defines its own set of classifications and sub-classifications to clarify the nature of the alert.
Classification and sub-classification data are used to identify and group similar alerts.
The factors that determine the classification and sub-classification of an alert vary by service:
Service
Factors
CylancePROTECT Desktop
  • For threat alerts, the classification and sub-classification correspond to the file classifications for CylancePROTECT Desktop threat alerts.
  • For memory protection alerts, the classification and sub-classification correspond to the memory protection violation types.
  • For script control alerts, the classification indicates the overall alert type (for example, Script Control, Potentially Unwanted Program, Malware) and the sub-classification provides further detail (for example, Script Executed, Script Blocked).
CylancePROTECT Mobile
The classification corresponds to an overall category of alerts (for example, Device Security or Network threats) and the sub-classification corresponds to the specific alert type that displays in the management console and in the app (for example, Malicious app, Sideloaded app, Insecure Wi-Fi, and so on).
CylanceOPTICS
Detection rules contain MITRE tactics, techniques, and sub-techniques to define the classification and sub-classification of an alert.
CylanceGATEWAY
The classification corresponds to the overall category of alerts (for example, Network Access Control) and the sub-classification corresponds to the specific alert type that displays in the management console (for example, Reputation, DNS Tunneling, Signature detection, and Zero-Day detection).
CylanceAVERT
The classification is determined by the exfiltration event.
Mimecast
The classification of an alert is the Initial Access MITRE tactic (TA0001). The sub-classification for the same alert is the Phishing MITRE technique (T1566).
Okta
The classification of an alert is either user access control (for example, if the maximum number of sign-in attempts is exceeded) or network access control (for example, if the IP request is blocked due to a blocklist rule). If the alert classification is user access control, the sub-classification is user lockout. If the alert classification is network access control, the sub-classification is IP address blocked.

Description

The description of an alert is a characteristic that provides a short segment of information about the alert. Alerts with matching descriptions are more likely to be grouped together.

Key indicators

Key indicators are the detection content that is common across every individual alert in an alert group. The aggregation process compares the key indicators of alerts to determine whether they should be grouped together. For example, if the key indicator of an alert is a file's SHA256 hash, that hash value is identical for every alert inside the alert group.
The key indicators of an alert vary by service:
Service
Factors
CylancePROTECT Desktop
  • For threat alerts, the key indicator is the SHA256 hash.
  • For memory protection alerts, the key indicators are the unique characteristics of the event (for example, file data such as the SHA256 hash and the risk score).
  • For script control alerts, the key indicators are the unique characteristics of the event (for example, a file SHA256 hash, script type, and script name).
CylancePROTECT Mobile
Key indicators correspond to the unique characteristics of a given mobile alert (for example, the package name of a sideloaded app, the SSID of an insecure Wi-Fi network, the model of an unsupported device, and so on).
CylanceOPTICS
Key indicators are the uniquely identifying facets of the artifacts that are associated with an alert. For example, for process artifacts, the key indicators are the following facets: SHA256 hash, file path, and command line argument. These facets establish a unique signature for the process artifact type that can be compared to other alerts. The key indicator facets for an alert group are common across the individual alerts in the group.
CylanceGATEWAY
The key indicators are "Network connection" and "DNS request".
CylanceAVERT
The key indicators vary by the artifact type. For email alert artifacts, the key indicator is the conversationID. For browser and file exfiltration alert artifacts, the key indicator is the UserName.
Mimecast
The key indicators are the facets of the artifacts that are associated with an alert. For example, for email attachment artifacts, the key indicators are the SHA256 hash of the email file attachment.
Okta
The key indicators are the accounts associated with user login requests and the IP address associated with blocked login attempts.

Response

For services that execute mitigation actions, this is the action that you configured the service to execute in response to the detection. For example, for CylancePROTECT Desktop threat alerts, a response may be one of the following: waived, quarantined, unsafe, or abnormal.
For services that don't execute mitigation actions, this captures relevant information from the integrated service. Alerts with matching responses are more likely to be grouped together.

Time

The time that an alert occurs relative to other alerts is factored into how alerts are grouped. An alert is added to an existing group if the priority, classification, sub-classification, description, key indicators, and response of the alert match that group, and the alert occurs within 7 days (168 hours) of the oldest alert in that group. If the alert matches the above criteria but occurs outside of the 7-day window from the oldest alert in the group, it is added to a new group. Because the window is measured from the oldest alert rather than the most recent one, alert groups have a fixed period and do not grow indefinitely.
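The two grouping conditions stated at the top of this page and restated in this Time section, worked through as an added example (this is illustrative code written for this page, not BlackBerry's implementation). The Alert fields, the constructed sample alerts and the fake SHA256 value are assumptions; the example treats "within 168 hours" as inclusive, which the page does not specify.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

GROUP_WINDOW = timedelta(hours=168)  # 7 days, measured from the OLDEST alert in a group
@dataclass(frozen=True)
class Alert:
    alert_id: str
    detected_at: datetime
    priority: str
    classification: str
    sub_classification: str
    description: str
    key_indicators: frozenset  # e.g. {("sha256", "...")}; identical within a group
    response: str

    def grouping_key(self):  # the six attributes that must all match a group
        return (self.priority, self.classification, self.sub_classification,
                self.description, self.key_indicators, self.response)

def group_accepts(group, alert):
    """group is a non-empty list of Alerts; both of the page's conditions must hold."""
    if alert.grouping_key() != group[0].grouping_key():
        return False
    oldest = min(a.detected_at for a in group)
    # "Within 168 hours" is treated as inclusive (assumption; the page does not say).
    return alert.detected_at - oldest <= GROUP_WINDOW

def group_alerts(alerts):
    """Assign alerts to groups in detection order; the first matching group wins."""
    groups = []
    for alert in sorted(alerts, key=lambda a: a.detected_at):
        target = next((g for g in groups if group_accepts(g, alert)), None)
        if target is None:
            groups.append([alert])  # no group satisfies both conditions: new group
        else:
            target.append(alert)
    return groups
# Constructed sample: CylancePROTECT Desktop threat alerts sharing one (fake) SHA256 hash.
def _threat_alert(alert_id, hours, response="quarantined"):
    return Alert(alert_id, datetime(2024, 1, 1) + timedelta(hours=hours), "high",
                 "Malware", "Trojan", "Threat detected",
                 frozenset({("sha256", "00" * 32)}), response)
SAMPLE_ALERTS = [
    _threat_alert("a1", 0),
    _threat_alert("a2", 167),  # 167 h after a1: joins a1's group
    _threat_alert("a3", 169),  # only 2 h after a2, but 169 h after a1: new group
    _threat_alert("a4", 50, response="waived"),  # response differs: separate group
]
def example_group_ids():  # member ids of each group, in group-creation order
    return [[a.alert_id for a in g] for g in group_alerts(SAMPLE_ALERTS)]
```

Note that a3 lands in a new group even though it is only two hours after a2, because the window is anchored on the group's oldest alert (a1), which is what keeps groups from growing indefinitely.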