You can access origin and behavior details about your alerts by clicking the Alert Triage icon.

Alert origin: Describes how the primary process for the alert was introduced onto the host, including information about how the primary process was written to disk.

Alert behaviors based on severity: Describes alert behaviors based on severity and displays an interactive TTP graph. Segments of the graph indicate the alert behavior category. Click a category label or graph segment to see a category's related TTPs, color coded by severity.

TTP color severity legend

  • Dark red: Severe

  • Bright red: High

  • Orange: Medium

  • Yellow: Low

  • Gray: None


For additional information, see: TTPs and MITRE Techniques and TTP Reference.

Alert behavior categories

  • Process Manipulation: Behaviors with intent to modify and/or read the memory of other processes that are running on the device.
    • Example: Injects code into the memory of another process.
  • Generic Suspect: Behaviors that are generic to multiple malware families, commonly exhibited by known "good" applications.
    • Example: Attempts to persist beyond the reboot of a device and enumerating the running processes on a system.
  • Data at Risk: Behaviors with intent to compromise the confidentiality, availability, or integrity of data on endpoints.
    • Example: Ransomware-type behaviors or attempts to access user credentials.
  • Emerging Threats: Behaviors associated with non-malware attacks.
    • Example: Abuse of native command line utilities such as PowerShell, and/or the exploitation of related activities such as buffer overflows.
  • Malware & Application Abuse: TTPs that are related to files with a generally known "bad" reputation, or applications seen executing files with known bad reputations.
    Note: This category also represents the monitoring of the execution of system applications. However, these TTPs are given a lower priority rating because of the high likelihood of being non-malicious actions.
  • Network Threat: Contains all TTPs that involve a process that is either communicating over the network or listening for incoming connections.