What are the Advanced Threat Event Classification Types, and What do they Represent?
Summary: This article describes the Threat Classification Types used by the Dell Security Management Server and Dell Security Management Server Virtual, as shown under Advanced Threat Events for the event data received from endpoints. ...
Instructions
- As of May 2022, Dell Endpoint Security Suite Enterprise has reached End of Maintenance. This article is no longer updated by Dell. For more information, reference Product Life Cycle (End of Support / End of Life) Policy for Dell Data Security. If you have any questions on alternative articles, either reach out to your sales team or contact endpointsecurity@dell.com.
- Reference Endpoint Security for additional information about current products.
Affected Products:
- Dell Security Management Server
- Dell Security Management Server Virtual
- Dell Endpoint Security Suite Enterprise
Dell Endpoint Security Suite Enterprise collects event data from endpoints and sends it to the Dell Security Management Server when the endpoints check in. The server analyzes this data, and any Portable Executables, active application executions, and scripts that the Cylance engine detects as a potential threat, whether they were run on or merely found on the endpoint, are sorted and classified. The list below outlines the Threat Classification Types displayed on the Advanced Threat Events tab of a Dell Security Management Server that manages clients with Advanced Threat Prevention enabled.
ThreatFound
Severity: Critical
Detail: A Portable Executable (PE) has been identified on a device but has not been blocked or otherwise quarantined on the endpoint. This indicates an active, unmitigated threat on the computer.
ThreatBlocked
Severity: Warning
Detail: A Portable Executable (PE) has been identified on the device and its execution has been blocked, but the file has not been quarantined. This usually means either that the Automatically Quarantine policy is not enabled, or that the file is in a location the local SYSTEM account cannot write to (a network share, a USB device that has since been removed, and so on).
ThreatTerminated
Severity: Warning
Detail: A Portable Executable (PE) has been identified on the device, was found to be running, and its process was killed. This does not mean the file was also quarantined, as the PE could have been run from another location. Look for another event correlated with the same endpoint and executable to validate that the threat was properly contained.
MemoryViolationBlocked
Severity: Warning
Detail: An executable or script attempted to run but violated the Memory Protection or Script Control policy, and its execution was blocked. Typically this means the corresponding Memory Protection or Script Control policy was set to "Block."
MemoryViolationTerminated
Severity: Warning
Detail: An executable or script was found to be running in violation of the Memory Protection or Script Control policy, and it was terminated. Typically this means the corresponding Memory Protection or Script Control policy was set to "Terminate."
MemoryViolation
Severity: Warning
Detail: An executable or script was found in violation of the Memory Protection or Script Control policy, but no action was taken against it, most likely because the corresponding policy was set to "Allow." The violation is still recorded, so these events are worth reviewing when tuning policy from "Allow" to "Block" or "Terminate."
ThreatRemoved
Severity: Information
Detail: A Portable Executable (PE) that was previously determined to be a potential threat has been removed from the endpoint. This can mean the PE was deleted from quarantine or removed from its initial location. It is common for PEs that were initially detected on removable media (USB, CD-ROM, and so on).
ThreatQuarantined
Severity: Information
Detail: A Portable Executable (PE) was determined to be a potential threat and was successfully placed in quarantine. This indicates that the policy to Automatically Quarantine threats is enabled for the file's classification, Abnormal (Cylance Score of 0 - 60) or Unsafe (Cylance Score of 60 - 100).
ThreatWaived
Severity: Information
Detail: A Portable Executable (PE) that was determined to be a potential threat has been waived, either through the Global Safe List or by a local waive. This can also indicate that the file's SHA256 hash has been added to the "Waive" or "Global Safe List" policies within the Dell Security Management Server.
ThreatChanged
Severity: Information
Detail: A Portable Executable's (PE) Cylance score has changed. This typically results from Cylance's two-step scoring: the local scoring engine's analysis of the threat may not have matched the Cylance cloud engine's analysis, and because the cloud engine has additional data, its score is used. It can also indicate that a Cylance update triggered a reanalysis of files previously deemed threats, and the newly calculated score resolved this PE to no longer be considered a threat.
ProtectionStatusChanged
Severity: Information
Detail: An endpoint's protection status has changed. This is triggered when the Dell Encryption Management Agent reconnects to the Cylance services through the Cylance plugins. It is commonly seen after an endpoint reboots, because there is a brief window during boot in which the agent (CSF) has not yet connected to the Cylance plugins.
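As an added example (not Dell's code and not part of this article), the following Python script applies the classifications above to a constructed batch of events. It correlates events by endpoint and file hash, flags ThreatFound entries with no containment event, flags ThreatTerminated or ThreatBlocked entries with no correlated quarantine, removal or waive (the case where the article advises looking for a correlated event), and flags MemoryViolation entries where the policy apparently allowed execution. The record fields used here (ts, endpoint, sha256, event) are assumptions; the article does not describe the server's export format.

```python
"""Triage helper for Dell Advanced Threat Event classification types.

Added example, not code from Dell or the Dell Security Management Server.
The event record layout (ts, endpoint, sha256, event) is an assumption for
illustration; the article does not describe an export schema.
"""
from collections import defaultdict

# Severity of each event type as listed in the article.
SEVERITY = {
    "ThreatFound": "Critical",
    "ThreatBlocked": "Warning",
    "ThreatTerminated": "Warning",
    "MemoryViolationBlocked": "Warning",
    "MemoryViolationTerminated": "Warning",
    "MemoryViolation": "Warning",
    "ThreatRemoved": "Information",
    "ThreatQuarantined": "Information",
    "ThreatWaived": "Information",
    "ThreatChanged": "Information",
    "ProtectionStatusChanged": "Information",
}

# Events showing the file itself was handled (quarantined, removed, or
# deliberately allowed), as opposed to only its running process being stopped.
CONTAINED = {"ThreatQuarantined", "ThreatRemoved", "ThreatWaived"}

# Memory Protection / Script Control outcomes in which the policy took action.
MEMORY_ENFORCED = {"MemoryViolationBlocked", "MemoryViolationTerminated"}


def severity(event_type):
    """Severity string for an event type, or "Unknown" for an unlisted type."""
    return SEVERITY.get(event_type, "Unknown")


def triage(events):
    """Correlate events per (endpoint, sha256) and return follow-up findings.

    Each finding is (endpoint, sha256, label) with one of these labels:
      active-threat  ThreatFound with no containment event for the same file
      process-only   ThreatTerminated/ThreatBlocked with no containment event
      policy-allow   MemoryViolation with no Block/Terminate outcome
    """
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[(ev["endpoint"], ev["sha256"])].append(ev["event"])

    findings = []
    for (endpoint, sha256), types in by_key.items():
        seen = set(types)
        contained = bool(seen & CONTAINED)
        if "ThreatFound" in seen and not contained:
            findings.append((endpoint, sha256, "active-threat"))
        elif seen & {"ThreatTerminated", "ThreatBlocked"} and not contained:
            findings.append((endpoint, sha256, "process-only"))
        if "MemoryViolation" in seen and not seen & MEMORY_ENFORCED:
            findings.append((endpoint, sha256, "policy-allow"))
    return findings


def worst_severity(events):
    """Highest severity among the events (Critical > Warning > Information),
    or None for an empty batch."""
    rank = {"Critical": 3, "Warning": 2, "Information": 1, "Unknown": 0}
    return max((severity(e["event"]) for e in events),
               key=rank.__getitem__, default=None)


# Constructed sample batch; hostnames and hashes are placeholders, not real data.
SAMPLE_EVENTS = [
    {"ts": 1, "endpoint": "LAPTOP-01", "sha256": "a" * 64, "event": "ThreatFound"},
    {"ts": 2, "endpoint": "LAPTOP-02", "sha256": "b" * 64, "event": "ThreatTerminated"},
    {"ts": 3, "endpoint": "LAPTOP-02", "sha256": "b" * 64, "event": "ThreatQuarantined"},
    {"ts": 4, "endpoint": "LAPTOP-03", "sha256": "c" * 64, "event": "ThreatBlocked"},
    {"ts": 5, "endpoint": "LAPTOP-04", "sha256": "d" * 64, "event": "MemoryViolation"},
    {"ts": 6, "endpoint": "LAPTOP-05", "sha256": "e" * 64, "event": "ThreatFound"},
    {"ts": 7, "endpoint": "LAPTOP-05", "sha256": "e" * 64, "event": "ThreatWaived"},
]

if __name__ == "__main__":
    for endpoint, sha256, label in triage(SAMPLE_EVENTS):
        print(f"{label:14} {endpoint} {sha256[:12]}...")
    print("worst severity:", worst_severity(SAMPLE_EVENTS))
```

On the sample batch, LAPTOP-02 produces no finding because the ThreatTerminated event is followed by a ThreatQuarantined event for the same hash, while LAPTOP-03 is flagged because its blocked file was never quarantined. A ThreatWaived event is treated as containment here because an analyst deliberately allowed the file; adjust CONTAINED if your process requires waived files to be reviewed as well.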
To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.