View and manage aggregated alerts

Verify that your administrator role has the permissions required to use the Alerts view. The View alerts permission provides read-only access to the Alerts view. You require the Edit alerts and Delete alerts permissions to make changes to alert groups and individual alerts in this view. If you want to use the Alerts view to add a file from CylancePROTECT Desktop threat alerts to the global safe list or global quarantine list, or to remove a file from these lists, your role requires the associated global list permissions. For more information, see Setting up administrators in the Setup content.
  1. In the management console, on the menu bar, click Alerts.
    To select the columns that you want to display, scroll to the right and click the Column selection icon.
  2. Do any of the following tasks:
    Filter and sort alert groups.
    1. Click the Column filter icon on a column and type or select the filter criteria. You can do any of the following:
      • Apply multiple filter criteria at once. To remove a filter, click x for that filter.
      • If you want to filter by Classification, Sub-classification, Description, or Key Indicators, do one of the following:
        • To find exact matches, click the Settings icon > is equal to. Type a value to view matches. Click up to 5 matches to add to the filtering list, then click Apply.
        • To find matches that contain the specified value, click the Settings icon > contains. Type one or more values (click the Add icon to add additional values). Click Apply.
        When you view the results, you can click the filter displayed at the top of the screen to add or remove filter criteria.
      • If you filter by Count, click the Settings icon for additional options (greater than, less than, and so on).
      • Filter by Product to scope results to specific Cylance Endpoint Security services.
      • Filter by Detection Time to scope results to a specific date and time range.
    2. To sort the alert groups in ascending or descending order by a column, click the name of the column (where applicable).
    View details for key indicators of an alert group and filter alert groups by key indicator type or value.
    1. Hover over a key indicator icon to see the type of object or event. Click an icon to view details.
    2. Where applicable, to view the full text of a truncated string value, hover over it and click the View icon.
    3. Where applicable, to copy a value, hover over it and click the Copy icon.
    4. To filter alert groups by key indicator, hover over it and click the Filter icon.
    View details for an alert group and individual alerts.
    1. Click an alert group.
    2. In the left pane, scroll down to view relationships between instigating and target objects. This view shows a single set of key indicators associated with individual events (files, users, executables, processes, and so on).
      For example, you may see a parent process object or executable file that is the instigating process for a child process. Events or objects at the same level are considered siblings under the same parent.
      Where applicable, you can hover over values and click the View icon to view full text strings or the Copy icon to copy the value. For process artifacts, you can click the Cylance Assistant icon to generate an analysis by the Cylance Assistant. For more information, see Use the AI-powered Cylance Assistant to investigate alerts.
    3. For the individual device alerts, do any of the following:
      • Sort and filter the alert information.
      • Change the status of the alerts. See Status changes for alerts.
      • Assign the alerts to a user.
      • Add or change labels for the alerts.
    4. To open the details panel for an individual alert, click the alert. Do any of the following:
      • If applicable, you can click Detection Detail to view further details and actions in other areas of the console (for example, in the CylanceOPTICS detections view). The Detection Detail link remains active for 60 days for CylancePROTECT Desktop threat alerts and for 30 days for other types of alerts.
      • Expand the artifacts associated with the alert to review details and view relationships between instigating and target objects and events. The complete set of objects associated with a detection rule is included in the artifacts view.
        Where applicable, you can hover over values and click the View icon to view full text strings or the Copy icon to copy the value. For process artifacts, you can click the Cylance Assistant icon to generate an analysis by the Cylance Assistant. For more information, see Use the AI-powered Cylance Assistant to investigate alerts.
    Request CylanceMDR support.
    This feature is available for CylanceMDR On Demand subscriptions only.
    If you observed an alert that you think is suspicious and you want the threat to be analyzed by an expert, you can request assistance from a CylanceMDR analyst on demand. The alert is escalated to an analyst for investigation. You can use the CylanceMDR (CylanceGUARD) portal to communicate with the analyst about the escalated alert from the Escalations screen. For example, you might be asked to provide additional details about the alert.
    1. Click an alert group that contains CylancePROTECT Desktop threat alerts.
    2. On the right pane, click the CylanceMDR Support button.
    3. Click Request Support to confirm that you want to escalate the alert to an analyst.
    4. Follow up on the request through the CylanceMDR (CylanceGUARD) portal. See the CylanceMDR documentation.
    If you want 24x7 threat monitoring, consider CylanceMDR Standard or Advanced subscriptions. For more information, see the CylanceMDR overview.
    CylancePROTECT Desktop threat alerts: Add a file to or remove a file from the global safe list or global quarantine list.
    1. Click an alert group that contains CylancePROTECT Desktop threat alerts.
    2. Click Actions > Manage global list.
      The SHA256 hash of the file associated with the threat alerts is displayed. A notification is provided if the file already exists in the global safe list or global quarantine list.
    3. Select the appropriate action to add the file to or remove the file from the global safe list or global quarantine list. If the file already exists in the global safe list or global quarantine list, you can move it to the other list.
    4. If you are adding the file to the global safe list, in the Category drop-down list, click the appropriate category.
    5. If you are adding the file to a list, type the reason.
    6. Click Save.
    The changes are applied to the appropriate safe or quarantine list. There is no change to the alert group in the Alerts view.
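    Before safe-listing a hash globally, confirm that the SHA256 value shown in the Manage global list dialog really belongs to the file you have reviewed: a safe-list entry applies to every device in the tenant, so a pasted or mistyped hash is worth a check. The following Python script is an added example, not code from the BlackBerry documentation or the Cylance product. It hashes a local copy of the file in chunks, normalizes the value copied from the console (case, stray whitespace, length) and compares the two; the sample file content and the "console" value it uses are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries never have to fit in memory


def sha256_of_file(path):
    """Return the lowercase hex SHA-256 digest of the file at `path`."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def normalize_hash(value):
    """Normalize a hash copied from the console: strip whitespace, lowercase,
    and reject anything that is not a 64-character hexadecimal string."""
    cleaned = value.strip().lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a 64-character hexadecimal SHA-256 hash")
    return cleaned


def matches_console_hash(path, console_hash):
    """True only when the local file hashes to the value shown in the console.
    compare_digest avoids leaking which prefix matched, which costs nothing here."""
    return hmac.compare_digest(sha256_of_file(path), normalize_hash(console_hash))


def demo():
    """Constructed scenario: a small sample file, one hash that matches it
    (as the console might display it, uppercase) and one that does not."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample content")      # stand-in for the reviewed file
        shown_in_console = sha256_of_file(sample).upper()  # constructed "console" value
        wrong_value = "0" * 64                             # constructed non-matching hash
        return matches_console_hash(sample, shown_in_console), matches_console_hash(sample, wrong_value)


if __name__ == "__main__":
    ok, mismatch = demo()
    print("matching hash accepted:", ok)        # True
    print("non-matching hash accepted:", mismatch)  # False
```

    Only add the hash to the global safe list when the comparison returns True; a False result means the file on disk is not the one the alert group refers to, and the reason you type in step 5 should not describe it.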
    Change the status of alert groups.
    Do any of the following:
    • To change the status of an alert group, in the Status drop-down list, click the appropriate status.
    • To change the status of multiple alert groups, select the alert groups, click Change Status, click the appropriate status, and click Apply.
    Assign alert groups to a user.
    Do any of the following:
    • To assign an alert group to a user, in the Assignee column, click +, search for and click a user, and click Assign.
    • To assign multiple alert groups to a user, select the alert groups, click Assign Alert, search for and select a user, and click Assign.
    Add or change the label for alert groups.
    You can add custom labels to alert groups to provide short notes or reminders, or to use as filter criteria. To view labels, you must set the Labels column to display.
    1. Select one or more alert groups.
    2. Click Change Labels.
    3. Type a label and press ENTER, or search for and select an existing label.
    4. Click Apply.
    To remove a label, click the label, click the x icon, and click Apply.
    Export alert data.
    Do any of the following:
    • To export details for all alert groups, click the Export icon. Specify the file name and type and click Export.
    • To export details for all of the alerts within a group, click an alert group, then click the Export icon. Specify the file name and type and click Export.
    Delete alert groups.
    1. Select one or more alert groups.
    2. Click Delete.
    3. Click Delete again to confirm.
    Delete alert groups from filter results.
    1. Filter alert groups by the appropriate criteria.
    2. Do one of the following:
      • To delete all alert groups from the filter results, select the top-left check box and click Delete All. Click Delete All again to confirm.
      • To delete specific alert groups from the filter results, select the alert groups and click Delete. Click Delete again to confirm.