Understanding the Alert Detail page

Page features

Feature	Definition
Open device in RMM	For tenants with the RMM + EDR integration configured, opens the endpoint's device detail page in RMM; learn more in our Understanding the Datto EDR + Datto RMM integration article
Web Remote	For tenants with the RMM + EDR integration configured, opens a remote connection to the endpoint via RMM Web Remote; this option is only available to endpoints that have the Web Remote option available in Datto RMM; for details, refer to Web Remote in the Datto RMM Help system
Respond	Opens the response extension modal, enabling you to select and deploy collection and response extensions to the impacted endpoint; for more details, refer to Leveraging collection and response extensions
Acknowledge	Acknowledges this alert and clears it from the default view on the Alerts page
Unacknowledge	Restores the alert to an unactioned state and returns it to the view on the Alerts page
Create Suppression Rule	Click to create a new suppression rule; for more details, refer to Suppressing alerts
Export	Exports the details of the current alert to a Comma-Separated Values (CSV) file

Alert

Field name	Definition
ID	The unique ID assigned to the alert by Datto EDR
Name	The identity of the file or reference to the file that recently executed some time in the past; click to view its details, assign flags, download it, or queue it for heuristic threat analysis; for more information, refer to Leveraging the File Detail page
Type	Details the measure by which the platform determined it should surface an alert for this record; possible values are: Rule: Behavioral analysis rules engine detected that the object performed an action that could potentially be a threat Correlation: Correlation occurred between multiple low-severity or non-alert behaviors that, when combined, may identify activity representing a potential threat; refer to Understanding the Alert Detail page to learn more Extension: Alerts from custom extensions built to look for specific threats flagged the object as suspicious Reputation: Malware reputation's threat intelligence analysis considers the object to be possibly malicious AV: Alerts from Windows Defender indicate the object may be a threat Ransomware: Datto EDR's ransomware detection engine observed patterns of behavior on the endpoint that could indicate a ransomware threat Datto AV: If you are subscribed to this service, indicates that the object matched a definition in the Datto AV engine NOTE If your subscription does not include Datto EDR service, you will only see the Datto AV alert type.
Severity	Indicates the perceived level of the threat; possible values are None, Low, Medium, High, and Severe
Created	The date and time that Datto EDR generated the alert
Unacknowledged	If the alert was unacknowledged, the date and time the action occurred
Responses	Indicates the number of responses to the alert; for more information, refer to Leveraging collection and response extensions
Host Name	Assigned hostname of the endpoint
Operating System	Operating system installed on the endpoint

File

Field name	Definition
Name	The identity of the file or reference to the file that recently executed some time in the past
Path	Path to the impacted file
Type	The classification of the object matching the threat condition
Size	The size of the object matching the threat condition
SHA1	The SHA1 hash associated with the object matching the threat condition
Unacknowledged	If the alert was unacknowledged, the date and time the action occurred
Threat	EDR's assessment of the risk level of the object; when associated with a host, indicates whether or not the endpoint appears to have been compromised
Flag	User-defined workflow or status category to which the logged item belongs; to create and personalize flags, visit > Admin > File Flags
Status	The file-based reputation of the object; for more information, refer to Understanding context

Process Tree

If applicable, this pane illustrates the processes and command line arguments involved in the execution of the suspicious object.

Rule

If the alert was triggered by a rule, this pane provides details about the rule and the conditions met that caused the alert.

Field name	Definition
Name	The name of the matched rule
Action	Indicates what action (surfacing an alert or attempting containment of the threat) the rule took
Severity	Indicates the perceived level of the threat; possible values are None, Low, Medium, High, and Severe
Description	The description of the rule's purpose and functions

Rule Body

If the alert was triggered by a rule, you can view extended details about the rule's body here.

Feature	Definition
	Toggle the page layout between rows and columns

Matched Object/Instance

This pane provides granular information about the item that caused the alert.

Recommendation

Recommended steps for identification, containment, and eradication of the threat appear here.

Timeline

Frequently, alerts come from a single host. If that scenario is the case, we include recent surrounding alerts from the same host for context. Click any alert to pivot to its detail page.

NOTE This pane will not be visible when viewing the details of a correlated alert.

Feature	Definition
View More Alerts	Pivots to the Alerts page and enumerates all alerts generated for this endpoint

Field name	Definition
Alert	Indicates whether the entry is one of the following types of record: Alert: Indicates that the analysis engine either observed an action taking place or received reputation information about an object on an endpoint that it considers to be a threat, such as a malicious script executing Non-alert: Indicates that the engine observed a notable event or an adversary behavior on the host that does not rise to the level of an alert, such as an unsigned process starting
Name	Filename for most file-based objects, the hash of the memory content for memory injections, and the username for accounts
Source	Details the measure by which the platform determined it should surface an alert for this record; possible values are: Rule: Behavioral analysis rules engine detected that the object performed an action that could potentially be a threat Correlation: Correlation occurred between multiple low-severity or non-alert behaviors that, when combined, may identify activity representing a potential threat; refer to Understanding the Alert Detail page to learn more Extension: Alerts from custom extensions built to look for specific threats flagged the object as suspicious Reputation: Malware reputation's threat intelligence analysis considers the object to be possibly malicious AV: Alerts from Windows Defender indicate the object may be a threat Ransomware: Datto EDR's ransomware detection engine observed patterns of behavior on the endpoint that could indicate a ransomware threat Datto AV: If you are subscribed to this service, indicates that the object matched a definition in the Datto AV engine NOTE If your subscription does not include Datto EDR service, you will only see the Datto AV alert type.
Severity	Indicates the perceived level of the threat; possible values are None, Low, Medium, High, and Severe
Host	Assigned hostname of the endpoint
Context	The file-based reputation of the object; for more information, refer to Understanding context
Event Time	Date and time that the event occurred on the endpoint
Created On	Date and time of the alert's creation

Notes

This free-text field enables you to create notes about this alert and view notes posted by other administrators or analysts.

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!
	Provide feedback for the Documentation team.

Understanding the Alert Detail page

Overview