Understanding the Alert Detail page

Page features

Feature	Definition
Open device in RMM	For tenants with the RMM + EDR integration configured, opens the endpoint's device detail page in RMM; learn more in our Understanding the Datto EDR + Datto RMM integration article
Web Remote	For tenants with the RMM + EDR integration configured, opens a remote connection to the endpoint via RMM Web Remote; this option is only available to endpoints that have the Web Remote option available in Datto RMM; for details, refer to Web Remote in the Datto RMM Help system
Acknowledge	Acknowledges this alert and clears it from the default view on the Alerts page
Unacknowledge	Restores the alert to an unactioned state and returns it to the view on the Alerts page
Respond	Opens the response extension modal, enabling you to select and deploy collection and response extensions to the impacted endpoint; for more details, refer to Leveraging collection and response extensions
Create Suppression Rule	Click to create a new suppression rule; for more details, refer to Suppressing alerts
Create Custom Response	Click to create a custom automated response for the rule and policy.
Export	Exports the details of the current alert to a Comma-Separated Values (CSV) file

Response

Response icons indicate the responses that were taken.

K = Kill Process
I = Isolate host
Q = Quarantine file
O = for other

If a response is actioned, either automatically or manually, its icon is highlighted green. Grey means the response was not used.

Threat Information

Field name	Definition
Severity	Indicates the perceived level of the threat; possible values are None, Low, Medium, High, and Severe
Source	Details the measure by which the platform determined it should surface an alert for this record; possible values are: Rule: Behavioral analysis rules engine detected that the object performed an action that could potentially be a threat Correlation: Correlation occurred between multiple low-severity or non-alert behaviors that, when combined, may identify activity representing a potential threat; refer to About correlated alerts to learn more Extension: Alerts from custom extensions built to look for specific threats flagged the object as suspicious Reputation: Malware reputation's threat intelligence analysis considers the object to be possibly malicious AV: Alerts from Windows Defender indicate the object may be a threat Ransomware: Datto EDR's ransomware detection engine observed patterns of behavior on the endpoint that could indicate a ransomware threat Datto AV: If you are subscribed to this service, indicates that the object matched a definition in the Datto AV engine NOTE If your subscription does not include Datto EDR service, you will only see the Datto AV alert type.
Threat Type	Further categorizes the source
Threat Name	Name of the threat detection rule that triggered the alert
Detection Time	Date and time Datto EDR generated the alert

Host Information

Field name	Definition
Host Name	Assigned hostname of the endpoint
IP Address	Endpoint's IP address
Device Group	Name of the device group to which the endpoint belongs, if any
Operating System	Operating system installed on the endpoint
Organization	Name of the organization
Location	Location of the endpoint
AV Policy	Name of the AV policy
EDR Policy	Name of the EDR policy
Ransomware Policy	Name of the Ransomware policy
Automated Response	Name of the Automated Response policy

Threat Details

Field name	Definition
Process Name	The identity of the file or reference to the file that recently executed some time in the past
Process Path	Path to the impacted file
Command Line	The full command (program path plus arguments) that was executed on the device. This helps you see what the process actually tried to run.
Process Owner	Name of the process owner
File Reputation	Shows whether the file (identified by its SHA1) is considered malicious or suspicious based on aggregated intelligence
Description	Name of the MITRE ATT&CK that applies to the threat

Process Tree

If applicable, this pane illustrates the processes and command line arguments involved in the execution of the suspicious object.

Metadata

Provides granular information about the item that caused the alert.

Rule Body

If the alert was triggered by a rule, this tab provides the rule's details.

Recommendation

Recommended steps for identification, containment, and eradication of the threat appear here.

Timeline

Frequently, alerts come from a single host. If that scenario is the case, we include recent surrounding alerts from the same host for context. Click any alert to pivot to its detail page.

NOTE This pane is not visible when viewing the details of a correlated alert.

Field name	Definition
Process Name	Filename for most file-based objects, the hash of the memory content for memory injections, and the username for accounts
Source	Name of the threat detection rule that triggered the alert
Severity	Indicates the perceived level of the threat; possible values are None, Low, Medium, High, and Severe
Host	Assigned hostname of the endpoint
Context	The file-based reputation of the object; for more information, refer to Understanding context
Event Time	Date and time that the event occurred on the endpoint
Created On	Date and time the alert was created

Comments

This free-text field enables you to create notes about this alert and view notes posted by other administrators or analysts.

Smart Investigate

Smart Investigate offers an AI interface with preloaded, one-click questions. It automatically curates relevant queries and includes alert-specific metadata to provide clear feedback to users. The feature is provided for the Rule Source alert type only. Select a question in the left pane to display the answer in the right pane.

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!
	Provide feedback for the Documentation team.

Understanding the Alert Detail page

Overview