Threat Lifecycle

When a threat exists, it shows in Threats and is included in the information shown throughout the Management Console.

How is a Threat generated?

  • The EDR Agent engines detect suspicious or malicious activity
  • A user marks events as suspicious or malicious

Depending on the EDR Policy settings configured for the Agent, the Agent can either only detect threats or detect and mitigate them automatically.

What Statuses can a threat have?

These are the statuses a threat can have:

  • Marked as Benign - Your security team marked this threat as benign (the Analyst Verdict is False Positive)
  • Mitigated - The Quarantine mitigation action completed successfully. The same status shows if Remediation or Rollback also completed.
  • Not Mitigated - No mitigation actions were completed, or the threat was killed but no other action was done

How is the Confidence Level decided?

The AI Confidence Level is set automatically by the EDR Agent AI. Users cannot change this.

You can use the Analyst Verdict setting to select your own conclusion about the threat.

The Confidence Levels are:

  • Malicious - The Agent AI is very confident that the threat is malicious
  • Suspicious - The Agent AI found traits that are suspicious, but not enough to mark it as malicious
  • N/A - Detections marked by users as threats

What does the Mitigation Action Status show?

Each mitigation action that is initiated shows its status. The status shows on the Forensics page, in the Analyze > Threats table, and throughout the Management Console.

In the Incident details header, see details about the Mitigation Actions taken and how many files were affected. If an action requires a reboot, this shows in the status. Numbers of files affected are available for new threats on Kauai SP3, on Agents that support Mitigation Reports.

Move the cursor over a Mitigation action to see the tooltip which shows a summary of what was done.

  • For new threats detected on Agents that support the mitigation report, the header includes the number of items in the mitigation action. For example, 10/10.
  • If no numbers show for supported Agents, there was nothing for the Agent to act on, and a success sign shows.

You can download the complete Mitigation CSV Report. This shows the details of mitigation actions that are not pending, including what exactly was done and to which files or processes. Download the mitigation CSV report from the Incident details in the Mitigation Action Status area or from the Timeline tab.

These are the statuses that each mitigation action can have:

  • Pending - The action was initiated and is waiting for a response from the Agent
  • Success Pending Reboot - A reboot is required to complete the mitigation action because one or more activities on a file or process cannot complete. The endpoint shows that it requires a restart.
  • Success - The action completed successfully on all files or processes
  • Partial Success - The action completed successfully on some files or processes but not all. See the number of files that completed successfully. We recommend that you move the cursor over the action to see a link to the Mitigation CSV Report, if the Agent version supports it.
  • Failed - One or more activities failed. This does not mean everything failed. We recommend that you see the Mitigation CSV Report for more details.

What is the Analyst Verdict?

  • Analysts can investigate threats for hours or days to reach a conclusion. The Analyst Verdict gives you a place to record your security team's decisions: True Positive, Suspicious, False Positive.
  • A recorded verdict for each threat gives you more visibility into what occurs in your environment: how many True Positives, how many False Positives, and how many threats you are not sure about (Suspicious).
  • Having an Analyst Verdict helps teams work more efficiently and is easily searchable for future reference. For example, a suspicious threat enters your environment. You click the link in the Network History of the threat and see that the same threat was seen in your network a month ago, and a teammate marked it as a True Positive. You can now mark the threat as a True Positive without investigating again. (You might also want to add it to the Blacklist.)
  • If you set the Analyst Verdict to True Positive or Suspicious, it does not trigger any changes. If you set the Analyst Verdict to False Positive, the Threat Status changes to Marked as Benign. It does NOT automatically create exclusions or blacklist items.
  • When you run a mitigation action on one or more items, you are prompted to set the Analyst Verdict.
    • If you create an exclusion for threats (Threat Actions > Add to Exclusions), the Analyst Verdict automatically changes to False Positive
    • If you add threats to the blacklist (Threat Actions > Add to Blacklist), the Analyst Verdict automatically changes to True Positive.
  • Each threat starts as Undefined - Before you can change a threat's Incident Status to Resolved, it must have an Analyst Verdict set
  • You can change the Analyst Verdict at any time if you get new information or regret your decision.

What does the Incident Status show?

Use the Incident Status to track your team's progress in handling each threat. In the Analyze > Threats table, filter the threats by their Incident Status, for example, to only see threats that are In-Progress or Unresolved.

  • Unresolved - Each threat starts as unresolved
  • In-Progress - Mark a threat as In-Progress if your team is working on it
  • Resolved - Mark a threat as Resolved if your team completed their work on it

Before you can change a threat's Incident Status to Resolved, it must have an Analyst Verdict set (not Undefined).
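The rules on this page (how a Mitigation Action Status is aggregated from per-item results, how the Analyst Verdict and Threat Status interact, and why an Incident cannot be Resolved with an Undefined verdict) are easy to misread when they are spread across several sections. The following is an added example that models them together; it is not the product's code. The class and enum names, the per-item outcome vocabulary ("success", "failed", "pending", "reboot"), and the split between Partial Success and Failed are assumptions made for illustration.

```python
# Added example: a small model of the threat lifecycle rules described on this
# page. It is not the product's code; all names and the per-item outcome
# strings are constructed for illustration.
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    UNDEFINED = "Undefined"
    TRUE_POSITIVE = "True Positive"
    SUSPICIOUS = "Suspicious"
    FALSE_POSITIVE = "False Positive"


class IncidentStatus(Enum):
    UNRESOLVED = "Unresolved"
    IN_PROGRESS = "In-Progress"
    RESOLVED = "Resolved"


class ThreatStatus(Enum):
    NOT_MITIGATED = "Not Mitigated"
    MITIGATED = "Mitigated"
    MARKED_AS_BENIGN = "Marked as Benign"


def action_status(outcomes):
    """Aggregate per-file/process outcomes into one Mitigation Action Status.

    `outcomes` holds one assumed outcome string per item, as a Mitigation CSV
    Report row might. Returns (status, "done/total"); the count is None when
    the Agent had nothing to act on, which the console shows as a plain
    success sign.
    """
    total = len(outcomes)
    if total == 0:
        return "Success", None
    ok = outcomes.count("success")
    counts = f"{ok}/{total}"
    if "pending" in outcomes:      # still waiting for the Agent's response
        return "Pending", counts
    if "reboot" in outcomes:       # at least one item needs a restart to finish
        return "Success Pending Reboot", counts
    if ok == total:
        return "Success", counts
    # Assumed split between the two failure-bearing statuses: some items
    # completed is Partial Success, no item completed is Failed.
    if ok > 0:
        return "Partial Success", counts
    return "Failed", counts


# Actions whose successful completion moves the threat to Mitigated; a kill
# on its own leaves the threat Not Mitigated.
MITIGATING_ACTIONS = {"quarantine", "remediation", "rollback"}


@dataclass
class Threat:
    name: str
    verdict: Verdict = Verdict.UNDEFINED
    incident_status: IncidentStatus = IncidentStatus.UNRESOLVED
    threat_status: ThreatStatus = ThreatStatus.NOT_MITIGATED
    actions: dict = field(default_factory=dict)

    def set_verdict(self, verdict):
        # Only False Positive changes the Threat Status; it creates no
        # exclusion or blacklist entry by itself.
        self.verdict = verdict
        if verdict is Verdict.FALSE_POSITIVE:
            self.threat_status = ThreatStatus.MARKED_AS_BENIGN
        return self.threat_status

    def add_to_exclusions(self):
        return self.set_verdict(Verdict.FALSE_POSITIVE)

    def add_to_blacklist(self):
        return self.set_verdict(Verdict.TRUE_POSITIVE)

    def set_incident_status(self, status):
        if status is IncidentStatus.RESOLVED and self.verdict is Verdict.UNDEFINED:
            raise ValueError("set an Analyst Verdict before resolving the incident")
        self.incident_status = status
        return status

    def apply_mitigation(self, action, outcomes):
        status, counts = action_status(outcomes)
        self.actions[action] = (status, counts)
        if action in MITIGATING_ACTIONS and status == "Success":
            self.threat_status = ThreatStatus.MITIGATED
        return status


if __name__ == "__main__":
    t = Threat("constructed-sample.exe")       # constructed sample threat
    t.apply_mitigation("kill", ["success"])
    print(t.threat_status.value)               # kill alone: Not Mitigated
    t.apply_mitigation("quarantine", ["success"] * 10)
    print(t.threat_status.value, t.actions["quarantine"])
    t.add_to_blacklist()
    t.set_incident_status(IncidentStatus.RESOLVED)
    print(t.verdict.value, t.incident_status.value)
```

The `set_incident_status` check is the one worth carrying into any ticketing or SOAR integration you build around the console: resolving without a verdict is rejected rather than silently allowed, so every Resolved threat carries a searchable True Positive, Suspicious, or False Positive decision.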