Working with the Alerts page

NAVIGATION  Alerts

SECURITY   Datto EDR subscription with administrator or analyst-level platform access or Datto AV subscription with administrator or analyst-level platform access

IMPORTANT  Specific retention periods apply to all record types in Datto EDR and Datto AV. For more information, refer to Datto EDR and Datto AV data retention policies.

The Alerts page contains a journal of suspected threats and notable adversary behaviors detected by the Datto EDR or Datto AV analysis engine on your endpoints in the last 30 days. From this location, you can audit, acknowledge, and respond to activity that may pose a concern to your environment.

This article describes the page's layout and functions.

For more information about working with alerts, refer to Configuring email alerts, Suppressing alerts, Understanding the Alert Detail page, and Responding to alerts.

Overview

To access the Alerts page, perform the following steps:

  1. In the top navigation menu, click Alerts.

  2. The page will load. You'll see a list of the threats that Datto EDR or Datto AV has detected during audits of your endpoints, with the most recent suspected malicious content displayed first.

  1. As you navigate, you'll see the following features and fields:

Feature Definition

Alert count

Number to the right of the Alerts tab in the navigation menu; indicates total unacknowledged alerts
Search

Enter a partial or whole value to filter current view to matching records

NOTE   You can use partial names and wildcards to search for text.
Filter

Includes or excludes results in the report based on host name, acknowledgment status, alert type, source, severity, flag, threat type, or date; numeric value appearing next to this button indicates number of filters currently applied

Exports the current report to a Comma-Separated Values (CSV) file; to export only certain records, check the corresponding boxes to the left of the records' entries

Acknowledges and clears alerts from the current view and the unacknowledged count unless you have chosen to include them; to acknowledge specific alerts only, check the boxes next to the applicable records and then click this button; to acknowledge all alerts in the current filter, make no selections

Returns previously acknowledged alerts to an unacknowledged status and to the unacknowledged count; to unacknowledge specific alerts only, check the boxes next to the applicable records and then click this button; to unacknowledge all alerts in the current filter, make no selections
Column header Definition

Alert

Indicates whether the entry is one of the following types of record:

  • Alert: Indicates that the analysis engine either observed an action taking place or received reputation information about an object on an endpoint that it considers to be a threat, such as a malicious script executing

  • Non-alert: Indicates that the engine observed a notable event or an adversary behavior on the host that does not rise to the level of an alert, such as an unsigned process starting

NOTE  Click any entry in the list to view granular information about it. To learn more, refer to Understanding the Alert Detail page.

Name

The identity of the file or reference to the file that recently executed some time in the past

Source

Details the measure by which the platform determined it should surface an alert for this record; possible values are:

  • Rule: Behavioral analysis rules engine detected that the object performed an action that could potentially be a threat

  • Correlation: Correlation occurred between multiple low-severity or non-alert behaviors that, when combined, may identify activity representing a potential threat; refer to About correlated alerts to learn more

  • Extension: Alerts from custom extensions built to look for specific threats flagged the object as suspicious

  • Reputation: Malware reputation's threat intelligence analysis considers the object to be possibly malicious

  • AV: Alerts from Windows Defender indicate the object may be a threat

  • Ransomware: Datto EDR's ransomware detection engine observed patterns of behavior on the endpoint that could indicate a ransomware threat

  • Datto AV: If you are subscribed to this service, indicates that the object matched a definition in the Datto AV engine

NOTE  If your subscription does not include Datto EDR service, you will only see the Datto AV alert type.

Severity

 Indicates the perceived level of the threat; possible values are None, Low, Medium, High, and Severe

Host

Assigned hostname of the endpoint

Context

The file-based reputation of the object; for more information, refer to the Understanding context section of this article

Responses

Indicates the number of responses to the alert; for more information, refer to the Actions menu section of this article

Timestamp

 The time and date at which the analysis engine observed the object

Actions menu; enables you to respond to the alert, mark it as acknowledged or unacknowledged, and filter the page by the corresponding host; refer to Responding to alerts to learn more

File context is an important data point to help you weigh whether or not an object is a threat. It is the file-based analysis of the object in question that complements the other behavioral analysis information available to you. You should always take both context and behavior into consideration when evaluating a threat.

  • For example, your behavioral analysis may not have seen the object engaging in any suspicious behavior, but the context analysis indicates that over 20 antivirus engines have flagged it as malicious.

  • Conversely, the context might indicate that a certain object hasn't been flagged by any antivirus engines as suspicious, but your behavioral analysis indicates that it is actually a malicious script that's deleting critical system files.

The Context details will show you one or more icons representing information that the analysis engine found about the object and any actions that it took to further the analysis. When they appear, you can move your mouse over them for additional details.

The following table provides expanded definitions of these icons:

Icon Legend Definition

Unable to analyze file

 The engine was unable to perform analysis on the object for an unknown reason.

Included in a package manager

Objects included in a package manager tend to be less likely to be malicious than unmanaged objects.

Number of antivirus engines that have flagged the file

The more antivirus engines that have flagged the file as malicious, the higher the likelihood is that it may be malicious.

Submitted for static analysis

 If there is insufficient reputation information about the object, but early indications are that it may be malicious, the threat analysis engine will submit the object and its hash to the Datto cloud for AI-driven machine learning and review.

Signed

Most malware is unsigned. A digitally signed object is inherently less likely to be malicious than one that is unsigned.

Linux only

If the object is only available for Linux, the malware risk is lower, since most software for this platform comes from repositories.

No threat intelligence results

The engine did not find any threat intelligence information about this object. Proceed with caution.

Not submitted for static analysis

The object has not been submitted for static analysis either because there is adequate existing threat intelligence information about it or because there are not enough current indicators that the object is malicious to do so.

Not signed

The object does not have a digital signature. Proceed with caution.
Icon Legend Definition

Signed

Most malware is unsigned. A digitally signed object is inherently less likely to be malicious than one that is unsigned.

Number of antivirus engines that have flagged the file

The more antivirus engines that have flagged the file as malicious, the higher the likelihood is that it may be malicious.

Submitted for static analysis

 If there is insufficient reputation information about the object, but early indications are that it may be malicious, the threat analysis engine will submit the object and its hash to the Datto cloud for AI-driven machine learning and review.

Has comments

Analyst comments about this object exist in the reputation database.

Threat status

The analysis engine was able to make an assessment of the object's risk level. Possible values are: Good, Low Risk, Unknown, Suspicious, Bad, Whitelist, and Blacklist.

Flag

User-defined workflow or status category to which the logged item belongs; to create and personalize flags, visit > Admin > File Flags

Not signed

The object does not have a digital signature. Proceed with caution.

No threat intelligence results

The engine did not find any threat intelligence information about this object. Proceed with caution.

Not submitted for static analysis

The object has not been submitted for static analysis either because there is adequate existing threat intelligence information about it or because there are not enough current indicators that the object is malicious to do so.

No comments

No comments exist for this object in the reputation database.

Threat status: Unknown

The analysis engine was not able to assess the threat level of the object. Proceed with caution.

No flag

There are no application or user-defined flags assigned to the artifact.

What is a correlated alert?

A correlated alert indicates that the platform detected multiple low-severity or non-alert behaviors that, when combined, may identify activity representing a potential threat.

How do I read the rule body?

The rule body for a correlated alert is laid out in the same way as a traditional behavior rule, with specific for grouping, distinction, count, and more.

Viewing and responding to correlated events

If our threat analysis suspects that a correlation exists, the application will include a Correlated Alerts section in the alert details. This report details the events that led to the correlated condition. You can click each event to review deeper information about its suspected behaviors and our recommended responses. Analyzing this data can help you determine if common commands or processes are involved and the remediation actions you should take.

Any new alerts that you suppress will not appear in the default view. They will not go out to your third party integrators, such as your webhooks, external syslog collectors, or integrate with your BMS or Autotask ticketing systems. To view them, select the Severity > Suppressed filter.

For information about why an alert was suppressed, or if you don't want a certain type of alert to be suppressed, perform the following steps:

  1. Click the alert's name. Then, click the name shown in the Suppression Rule field.

  2. You'll see the rule details, where you can review the match criteria used to suppress the alert.

  3. To change how the rule behaves, click View Suppression Rule Info.

  4. You'll be redirected to the Edit Suppression Rule page. Follow the steps described in Managing and publishing suppression rules to make your desired changes and release them to your tenant instance.

Good to know

This page delivers the additional functions listed below.

  • Click any header to sort the displayed records by the column's value.

  • Click any object name to open its alert detail page.