You can access origin and behavior details about your alerts by clicking the Alert Triage icon.
Alert origin: Describes how the primary process for the alert was introduced onto the host, including information about how the primary process was written to disk.
Alert behaviors based on severity: Describes alert behaviors based on severity and displays an interactive TTP graph. Segments of the graph indicate the alert behavior category. Click a category label or graph segment to see a category's related TTPs, color coded by severity.
TTP color severity legend
- Dark red: Severe
- Bright red: High
- Orange: Medium
- Yellow: Low
- Gray: None
Tip: For additional information, see TTPs and MITRE Techniques and TTP Reference.
Alert behavior categories
- Process Manipulation: Behaviors with intent to modify and/or read the memory of other processes that are running on the device.
  - Example: Injects code into the memory of another process.
- Generic Suspect: Behaviors that are generic to multiple malware families but are also commonly exhibited by known "good" applications.
  - Example: Attempts to persist beyond a reboot of the device, or enumerates the processes running on the system.
- Data at Risk: Behaviors with intent to compromise the confidentiality, availability, or integrity of data on endpoints.
  - Example: Ransomware-type behaviors, or attempts to access user credentials.
- Emerging Threats: Behaviors associated with non-malware attacks.
  - Example: Abuse of native command line utilities such as PowerShell, and/or related exploitation activity such as buffer overflows.
- Malware & Application Abuse: TTPs that are related to files with a generally known "bad" reputation, or applications seen executing files with known bad reputations.
  - Note: This category also covers monitoring the execution of system applications. These TTPs are given a lower priority rating, however, because such actions are very likely to be non-malicious.
- Network Threat: Contains all TTPs that involve a process that is either communicating over the network or listening for incoming connections.