Investigate alerts
Monitor alerts regularly so that you can contain events and take remediation action on them. Alerts also help you gauge how severe the impact of an event is. The alerts generated in Xprotect provide details such as the relevant Process tree on the host, the reason for the alert, and the rule whose violation generated it.
We recommend that you understand more about types of Xprotect alerts, Alert categories, Alert reasons, Severity levels, and other categorizations of alerts before you start investigating alerts.
The alerts-related tasks you can perform from the Alerts pages can be broadly categorized as Containment tasks, Exploratory tasks, Remediation tasks, and Alert management tasks. Some of these tasks are available on Summary and Detailed Alerts pages, and others are available only on one of these pages.
Containment tasks
Containment tasks can help you contain the infection and reduce the impact on the host and other connected hosts. Containment tasks are available on the Alerts > Detailed Alerts page.
Isolate malicious files on hosts
As an immediate containment action for critical alerts (Severity = High) for known malicious files, you can isolate the malicious files from the rest of the host. Isolated files are moved to an Xprotect-specific quarantine folder on the hosts. Isolating files can help keep the host running without severe outcomes and avoid lateral propagation of the infection to other connected hosts.
Isolated files can be fetched remotely to the instance for further analysis, deleted, or restored to their original location on the hosts. All isolated files are listed on the Files > File Isolation page.
Fetch malicious files from hosts
At times, files associated with important alerts (Severity = Medium or Low) may need more analysis before they are deemed suspicious or malicious. In some cases, the suspected files may be associated with system processes, and immediate file isolation may not be possible without adequate measures to keep the hosts running normally.
Use the File fetch feature to fetch a copy of the suspected files to the instance for further analysis. All fetched files are listed on the Files > File Isolation page, and you can isolate the files that you find truly suspicious or malicious.
Exploratory tasks
These tasks help you further investigate the alerts before you make suitable changes to the Xprotect policies.
Download alerts
Alerts can be downloaded as a CSV file for offline analysis. All the details displayed for an alert in the Xprotect UI are included in the CSV file.
- In the Detailed Alerts tab, select one or more alerts, and click Download logs (in the floating panel at the top).
See Process tree on hosts
See the Process tree on the host that generated the collection of alerts (Summary page) and the Process tree for an individual alert. You can see the Process tree in the Tree view (hierarchical) and Flat view (tabular).
- In the Summary tab or Detailed Alerts tab, click the down arrow for an alert.
- Click Show Process Tree.
- (Optional) Do the following in the Process Tree fly panel:
  - Click the Tree view or Flat view icon to toggle the view of the Process tree.
  - Click the Fetch Process Tree from Host icon to fetch the latest Process tree.
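The Flat view and the Tree view show the same data: a flat list of processes with parent PIDs, and the hierarchy reconstructed from it. The following script is an added example written for this page, not Xprotect's own code; its row layout (pid, ppid, name, path) and the sample process listing are constructed assumptions, not the product's export format. It builds the tree from the flat rows, renders it, and walks the lineage of one process back to its root, which is what an analyst does when reading which parent spawned an alerting process.

```python
"""Build a hierarchical (Tree view) process tree from a flat (Flat view) listing.

Added example; not Xprotect code. The row layout (pid, ppid, name, path)
and the sample rows are constructed for illustration.
"""

# Constructed sample rows in flat-view order: (pid, ppid, name, path).
# The chain explorer -> WINWORD -> cmd -> powershell is a typical lineage an
# analyst checks when reading an alert's process tree.
FLAT_VIEW = [
    (4, 0, "System", ""),
    (612, 4, "wininit.exe", "C:\\Windows\\System32\\wininit.exe"),
    (1280, 612, "explorer.exe", "C:\\Windows\\explorer.exe"),
    (3044, 1280, "WINWORD.EXE", "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"),
    (3710, 3044, "cmd.exe", "C:\\Windows\\System32\\cmd.exe"),
    (3722, 3710, "powershell.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    (2000, 1280, "notepad.exe", "C:\\Windows\\System32\\notepad.exe"),
]


def build_tree(rows):
    """Return (nodes, roots): a pid->node index and the list of root nodes.

    Each node is a dict with pid, ppid, name, path and a children list.
    A row whose parent is not in the listing (for example ppid 0) becomes
    a root, so a partial listing still renders instead of failing.
    """
    nodes = {
        pid: {"pid": pid, "ppid": ppid, "name": name, "path": path, "children": []}
        for pid, ppid, name, path in rows
    }
    roots = []
    for node in nodes.values():
        parent = nodes.get(node["ppid"])
        if parent is None or parent is node:
            roots.append(node)
        else:
            parent["children"].append(node)
    # Deterministic ordering so the rendered tree is stable across runs.
    for node in nodes.values():
        node["children"].sort(key=lambda n: n["pid"])
    roots.sort(key=lambda n: n["pid"])
    return nodes, roots


def render_tree(roots, indent="  "):
    """Render the Tree view as indented text, one process per line."""
    lines = []

    def walk(node, depth):
        lines.append(f"{indent * depth}{node['name']} (pid {node['pid']})")
        for child in node["children"]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def ancestry(nodes, pid):
    """Return process names from the root down to `pid`.

    A `seen` set guards against a malformed listing with a ppid cycle.
    """
    chain = []
    seen = set()
    node = nodes.get(pid)
    while node is not None and node["pid"] not in seen:
        seen.add(node["pid"])
        chain.append(node["name"])
        node = nodes.get(node["ppid"])
    return list(reversed(chain))


if __name__ == "__main__":
    nodes, roots = build_tree(FLAT_VIEW)
    print(render_tree(roots))
    print("lineage of pid 3722:", " > ".join(ancestry(nodes, 3722)))
```

The lineage for pid 3722 reads System > wininit.exe > explorer.exe > WINWORD.EXE > cmd.exe > powershell.exe, which is the kind of Office-to-shell chain that makes an otherwise ordinary powershell.exe alert worth a closer look.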
Remediation tasks
These tasks help you take appropriate remediation actions based on the alerts.
Add to Policy as rules
Alerts can be added as rules to the policy for which they were generated to reduce false positives.
- In the Summary tab, click the 3-dot menu of an alert row and click Add to Policy as a rule.
- In the Add to Policy as a Rule fly panel, do the following:
  - Select the unassigned rule and move the rule to a stack in the policy.
  - (Optional) Click Reset Rules to undo the move to the stack.
  - Click Save Policy.
  - (Optional) To push the updated policy, select Immediately push policy update.
Updated policies can also be pushed from the 3-dot menu of the policy.
Override MD5s of processes
MD5 overrides supersede the Trust values assigned by the Xprotect Threat Intelligence engine to the MD5 hashes of the applications and processes. MD5 override is an instance-level change and supersedes the AutoTrust settings and controls of all the policies in the instance.
Alert management tasks
An effective alert management strategy can help you reduce alert fatigue in the instance and focus on relevant alerts. Tasks to suppress or dismiss alerts are available on the Alerts > Summary page. Alerts filters apply to both the Summary and Detailed Alerts pages.
Filter alerts and create Bookmarks
Alerts can be filtered by multiple criteria (filters) such as the Process that caused the alert, Process scopes (path, MD5, command line, and so on), Alert category (type of rule that caused the alert), Severity, and Action taken for the alert (Blocked, Monitored, Killed, or Killed as Child for Application Control alerts and Access Monitored or Access Blocked for File Protect alerts). See some examples for filtering alerts in Xprotect.
- To load the filter queries of interest quickly, save important filter queries as public or private Bookmarks.
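Both the CSV download described under Download alerts and the filter criteria and Bookmarks described here come together in offline triage. The script below is an added example written for this page, not Xprotect's code: the CSV text, its column names (host, process, path, md5, command_line, category, severity, action) and the bookmark names are constructed assumptions that mirror the fields the page names, not the product's actual export header. It loads an export, applies the same kinds of criteria the UI filters support (process, path, MD5, command line, category, severity, action), and keeps named criteria sets the way a Bookmark does.

```python
"""Offline triage of an alerts CSV export with reusable filter sets.

Added example; not Xprotect code. The CSV below and its column names are
constructed for the example and are not the product's export format.
"""
import csv
import io
from collections import Counter

# Constructed sample export. Hashes are placeholders, not real file MD5s.
SAMPLE_CSV = """\
host,process,path,md5,command_line,category,severity,action
HOST01,powershell.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,11111111111111111111111111111111,powershell.exe -enc QUFBQQ==,Whitelist,High,Blocked
HOST01,notepad.exe,C:\\Windows\\System32\\notepad.exe,22222222222222222222222222222222,notepad.exe report.txt,Whitelist,Low,Monitored
HOST02,updater.exe,C:\\Temp\\updater.exe,33333333333333333333333333333333,updater.exe /silent,Blacklist,High,Killed
HOST02,python.exe,C:\\Python\\python.exe,44444444444444444444444444444444,python.exe -c print(1),Whitelist,Medium,Monitored
HOST03,excel.exe,C:\\Program Files\\Office\\excel.exe,55555555555555555555555555555555,excel.exe budget.xlsx,File Protect,Medium,Access Blocked
"""

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


def load_alerts(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def matches(alert, *, severity=None, action=None, category=None, process=None,
            md5=None, path_prefix=None, cmdline_contains=None):
    """True if the alert satisfies every criterion given (None = not filtered).

    Set-valued criteria match exactly; path_prefix and cmdline_contains are
    case-insensitive, matching how the UI scopes are normally read.
    """
    if severity and alert["severity"] not in severity:
        return False
    if action and alert["action"] not in action:
        return False
    if category and alert["category"] not in category:
        return False
    if process and alert["process"].lower() not in {p.lower() for p in process}:
        return False
    if md5 and alert["md5"].lower() not in {m.lower() for m in md5}:
        return False
    if path_prefix and not alert["path"].lower().startswith(path_prefix.lower()):
        return False
    if cmdline_contains and cmdline_contains.lower() not in alert["command_line"].lower():
        return False
    return True


def filter_alerts(alerts, **criteria):
    """Apply one set of criteria and return the matching alerts."""
    return [a for a in alerts if matches(a, **criteria)]


# Named criteria sets, the offline counterpart of saved Bookmarks.
BOOKMARKS = {
    "high_blocked_or_killed": dict(severity={"High"}, action={"Blocked", "Killed"}),
    "monitored_whitelist": dict(category={"Whitelist"}, action={"Monitored"}),
    "temp_dir_executions": dict(path_prefix="C:\\Temp\\"),
    "encoded_powershell": dict(process={"powershell.exe"}, cmdline_contains="-enc"),
}


def run_bookmark(alerts, name):
    """Apply a saved criteria set by name."""
    return filter_alerts(alerts, **BOOKMARKS[name])


def summarize(alerts):
    """Count alerts by (severity, action); the first view of a triage pass."""
    return Counter((a["severity"], a["action"]) for a in alerts)


def triage_order(alerts):
    """Highest severity first, then by host, so High alerts surface at the top."""
    return sorted(alerts, key=lambda a: (SEVERITY_RANK.get(a["severity"], 99), a["host"]))


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_CSV)
    for key, count in sorted(summarize(alerts).items()):
        print(f"{key[0]:<7}{key[1]:<16}{count}")
    for name in BOOKMARKS:
        hits = run_bookmark(alerts, name)
        print(f"{name}: {[a['host'] + '/' + a['process'] for a in hits]}")
```

The Monitored-only bookmark is the useful one when tuning a policy: alerts that were monitored rather than blocked are the candidates for Add to Policy as a rule or for suppression, while the High/Blocked set is what the containment tasks act on.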
Suppress Whitelist alerts
Whitelist alerts can be suppressed temporarily from appearing on the Summary page. You can also select scopes at which the alert must be suppressed. Suppressed alerts are listed in the Suppressed Alerts tab in the policies relevant to the alerts.
Alerts generated for Rule Rings and Blacklist rules cannot be suppressed.
- In the Summary tab, click the 3-dot menu of an alert row and click Suppress Alert.
- In the Suppress Alert fly panel, set the suppression scope (Directory, Path, or File Name).
- (Optional) Click Show Advanced and do the following:
  - Add MD5s and command lines for which alerts must be suppressed.
  - Select the Whitelist alerts that must be suppressed: all Whitelist alerts, or Whitelist alerts generated for Alert Reason = Process Not in Whitelist or other Alert reasons.
  - Select whether to suppress Whitelist alerts by Alert Action: All Actions (Blocked, Killed, Monitored) or Only Monitored Alerts.
  - (Optional) To push the updates, select Immediately push policy update.
- Click Save.
Suppressed alerts can be deleted from the Suppressed Alerts tab in the relevant policies. Any future alerts related to the same unique combination are listed on the Alerts pages when they occur.
- Click the 3-dot menu of a suppressed alert and click Delete.
Suppressed alerts can also be edited to apply new scopes, Alert reasons, and Alert actions.
- Click the 3-dot menu of a suppressed alert, click Edit, make the changes, and push the updated policy.
Dismiss alerts
Dismiss alerts when you want to remove them from the Summary page and retain only relevant and actionable alerts on the page. Any future alerts related to the same unique combination are listed on the Summary page when they occur. Dismissed alerts are available for analysis on the Detailed Alerts page.
- In the Summary tab, select one or more alert rows, click Dismiss Alerts (in the floating panel at the top), and click Dismiss Alert.