Managing alerts in the Cylance Multi-Tenant Console

The Alerts view gives you a comprehensive way to review alerts that are detected and correlated across all your tenants from a single partner account in the Cylance Multi-Tenant Console. This makes it easier for you to identify and track prevailing threat patterns in your corporate ecosystem and resolve collections of alerts more efficiently. The correlation of alerts across all tenants offers a more complete view of potential threats and allows for a more holistic approach to protecting your organization's employees and data.
The Alerts view is a superset of the alert groups found within each tenant. It augments the alert triage experience for individual tenants and contains a Tenant column that correlates an alert group to a specific tenant. For information on how to filter by tenant, see View and manage aggregated alerts. You can use the Alerts view to search, sort, and investigate alerts through a read-only experience. To access and operate on individual tenants within your organization, you can use the Tenants view from the Cylance console. When an individual alert within a group contains a Detection Detail button, this indicates that relevant cyber-security data is available from the Cylance console.
Services supported by the Alerts view:
  • CylancePROTECT Desktop: Threat telemetry and memory protection alerts from the CylancePROTECT Desktop agent on desktop devices.
  • CylancePROTECT Mobile: Alerts detected by the CylancePROTECT Mobile app.
  • CylanceOPTICS: Alerts detected by the CylanceOPTICS agent on desktop devices.
  • CylanceGATEWAY: Network protection settings that you have configured or the destination reputations that CylanceGATEWAY has determined to be high risk.
  • CylanceAVERT: Exfiltration events from the CylanceAVERT agent on desktop devices.
The initial Alerts view is a summary that groups similar alerts based on criteria such as priority, alert classification, configured responses, and other key alert attributes. For more information about the criteria, see How the Cylance Multi-Tenant Console groups alerts.
The automated grouping of alerts reflects both the frequency and prevalence of alerts, giving analysts a clear view of how often threats occur and where they occur. By default, the alert groups are sorted in descending order by priority to provide a top-down view of all relevant security telemetry. Each group displays icons for the types of key indicator artifacts that are associated with the group (for example, File, Process, Email, and so on). You can click a key indicator icon to review the attributes of the key indicator, and, where applicable, you can copy or filter by those values. As new alerts are detected and processed from the telemetry sources, they are added to an existing group or to a new group.
The Alerts view supports single detection and multi-detection alerts. Alert detection rules can sometimes perform multiple detections before an alert is generated and displayed in the Alerts view. Each detection is modeled using an event (for example, File Opened, Registry Key Added, and so on).
You can click an alert group to access the following information:
  • The alert overview tab summarizes detection details and key indicators relevant to the group.
  • The key indicators tab shows the detection attributes that were identical in each individual alert within the group. For example, if the key indicator was a file hash, that hash was detected in each alert, whether it was from the same device or different devices. The key indicators are represented visually to show the relationship between parent, child, and sibling objects. For multi-detection alerts, the key indicators are included within each event and are summarized in the order of execution.
  • The list of individual alerts in the group. You can click an individual alert to open granular details. You can also view the full set of artifacts, represented as icons, that are associated with the alert. The artifacts contain the full set of facets captured by the underlying detection engine. Like key indicators, these artifacts are represented visually to show the relationship between parent, child, and sibling objects. For multi-detection alerts, the key indicators are included within each event and are summarized in the order of execution.
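The grouping and sorting described above (alerts that share priority, classification, and a key indicator such as a file hash are collected into one group, each group reflects frequency and prevalence, and groups are ordered by priority descending with a tenant filter on top) can be modelled in a few lines. This is an added illustration, not Cylance's code or the console's actual grouping logic; the field names, the tenant and device names, and the hash values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample alerts (not real telemetry): one record per detected alert,
# carrying the tenant it came from, its priority, its classification and the
# detection attribute (a file hash) that can serve as the group's key indicator.
# The field names are assumptions for this example, not the console's schema.
SAMPLE_ALERTS = [
    {"tenant": "acme", "device": "acme-ws01", "priority": 90,
     "classification": "Malware", "sha256": "hash-placeholder-A"},
    {"tenant": "acme", "device": "acme-ws02", "priority": 90,
     "classification": "Malware", "sha256": "hash-placeholder-A"},
    {"tenant": "globex", "device": "glx-lt07", "priority": 90,
     "classification": "Malware", "sha256": "hash-placeholder-A"},
    {"tenant": "globex", "device": "glx-lt07", "priority": 40,
     "classification": "PUP", "sha256": "hash-placeholder-B"},
    {"tenant": "initech", "device": "init-srv1", "priority": 40,
     "classification": "PUP", "sha256": "hash-placeholder-B"},
]


def group_alerts(alerts):
    """Group alerts whose priority, classification and key indicator are
    identical, then sort the groups by priority, highest first."""
    buckets = defaultdict(list)
    for alert in alerts:
        key = (alert["priority"], alert["classification"], alert["sha256"])
        buckets[key].append(alert)
    groups = []
    for (priority, classification, sha256), members in buckets.items():
        groups.append({
            "priority": priority,
            "classification": classification,
            "key_indicator": sha256,
            # frequency: how often the threat occurred
            "alert_count": len(members),
            # prevalence: where it occurred (distinct devices and tenants)
            "device_count": len({m["device"] for m in members}),
            "tenants": sorted({m["tenant"] for m in members}),
        })
    # Default view order: descending priority, then the busiest groups first.
    groups.sort(key=lambda g: (-g["priority"], -g["alert_count"]))
    return groups


def filter_by_tenant(groups, tenant):
    """Mirror the Tenant column filter: keep groups that include the tenant."""
    return [g for g in groups if tenant in g["tenants"]]
```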
Depending on the types of alerts in a group, you may also be able to perform management actions. For example, for CylancePROTECT Desktop threat alerts, you can add a file to or remove a file from the global safe list or global quarantine list at the tenant level. Actions that you perform apply only to the individual tenants.