Working with the Alerts page
NAVIGATION Alerts
SECURITY Datto EDR subscription with administrator or analyst-level platform access or Datto AV subscription with administrator or analyst-level platform access
IMPORTANT Specific retention periods apply to all record types in Datto EDR and Datto AV. For more information, refer to Datto EDR and Datto AV data retention policies.
The Alerts page contains a journal of suspected threats and notable adversary behaviors detected by the Datto EDR or Datto AV analysis engine on your endpoints in the last 30 days. From this location, you can audit, acknowledge, and respond to activity that may pose a concern to your environment.
This article describes the page's layout and functions.
For more information about working with alerts, refer to Configuring email alerts, Suppressing alerts, Understanding the Alert Detail page, and Responding to alerts.
Overview
To access the Alerts page, perform the following steps:
- In the top navigation menu, click Alerts.
- The page will load. You'll see a list of the threats that Datto EDR or Datto AV has detected during audits of your endpoints, with the most recent suspected malicious content displayed first.
- As you navigate, you'll see the following features and fields:
Feature | Definition
Alert count | Number to the right of the Alerts tab in the navigation menu; indicates the total number of unacknowledged alerts
Search | Enter a partial or whole value to filter the current view to matching records. NOTE You can use partial names and wildcards to search for text.
Filter | Includes or excludes results in the report based on host name, acknowledgment status, alert type, source, severity, flag, threat type, or date; the numeric value appearing next to this button indicates the number of filters currently applied
Export (icon button) | Exports the current report to a Comma-Separated Values (CSV) file; to export only certain records, check the corresponding boxes to the left of the records' entries
Acknowledge (icon button) | Acknowledges alerts, removing them from the current view and from the unacknowledged count unless your Filter includes acknowledged alerts; to acknowledge specific alerts only, check the boxes next to the applicable records and then click this button; to acknowledge all alerts in the current filter, make no selections
Unacknowledge (icon button) | Returns previously acknowledged alerts to an unacknowledged status and to the unacknowledged count; to unacknowledge specific alerts only, check the boxes next to the applicable records and then click this button; to unacknowledge all alerts in the current filter, make no selections
Column header | Definition
Alert | Indicates the type of record the entry is. NOTE Click any entry in the list to view granular information about it. To learn more, refer to Understanding the Alert Detail page.
Name | The name of, or a reference to, the file that executed at the recorded time
Source | Details the measure by which the platform determined it should surface an alert for this record. NOTE If your subscription does not include the Datto EDR service, you will only see the Datto AV alert type.
Severity | Indicates the perceived level of the threat; possible values are None, Low, Medium, High, and Severe
Host | Assigned hostname of the endpoint
Context | The file-based reputation of the object; for more information, refer to the Understanding context section of this article
Responses | Indicates the number of responses to the alert; for more information, refer to the Actions menu section of this article
Timestamp | The time and date at which the analysis engine observed the object
Actions menu (icon button) | Enables you to respond to the alert, mark it as acknowledged or unacknowledged, and filter the page by the corresponding host; refer to Responding to alerts to learn more
Understanding context
File context is an important data point to help you weigh whether or not an object is a threat. It is the file-based analysis of the object in question, and it complements the behavioral analysis information available to you. Always take both context and behavior into consideration when evaluating a threat; either one alone can miss a threat the other catches.
- For example, your behavioral analysis may not have seen the object engaging in any suspicious behavior, but the context analysis indicates that over 20 antivirus engines have flagged it as malicious.
- Conversely, the context might indicate that no antivirus engine has flagged the object as suspicious, but your behavioral analysis shows that it is actually a malicious script deleting critical system files.
The Context details will show you one or more icons representing information that the analysis engine found about the object and any actions that it took to further the analysis. When they appear, you can move your mouse over them for additional details.
The following table provides expanded definitions of these icons:
Legend | Definition
Unable to analyze file | The engine was unable to perform analysis on the object for an unknown reason.
Included in a package manager | Objects included in a package manager tend to be less likely to be malicious than unmanaged objects.
Number of antivirus engines that have flagged the file | The more antivirus engines that have flagged the file as malicious, the higher the likelihood that it is malicious.
Submitted for static analysis | If there is insufficient reputation information about the object, but early indications are that it may be malicious, the threat analysis engine submits the object and its hash to the Datto cloud for machine-learning-driven review.
Signed | Most malware is unsigned, so a digitally signed object is less likely to be malicious than an unsigned one. Treat the signature as one signal rather than a verdict: malware signed with stolen or abused certificates exists, so also check who the signer is.
Linux only | If the object is only available for Linux, the malware risk is lower, since most software for this platform comes from repositories.
No threat intelligence results | The engine did not find any threat intelligence information about this object. Proceed with caution.
Not submitted for static analysis | The object has not been submitted for static analysis, either because there is adequate existing threat intelligence information about it or because there are not enough current indicators that the object is malicious.
Not signed | The object does not have a digital signature. Proceed with caution.
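As an added example (not Datto code) of the context-plus-behavior reasoning described in this section, and of working with the CSV export and filters listed in the Overview table, the following Python script triages a constructed alert export. The export's column names, the `av:N;flag;flag` encoding of the Context icons, the `Acknowledged` column and the scoring weights are all assumptions made for illustration; adjust them to match a real export before using it.

```python
"""Triage a CSV export from the Alerts page by combining context and behavior.
Added example; not Datto code. Column names, the Context token syntax and
the weights are assumptions made for illustration."""
import csv
import io
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Severity values listed in the article, ranked for sorting.
SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Severe": 4}

# Assumed tokens for the Context icons and how much each raises (+) or
# lowers (-) suspicion about the file itself.
CONTEXT_WEIGHTS = {
    "unsigned": 1,          # Not signed: proceed with caution
    "no_ti": 1,             # No threat intelligence results: proceed with caution
    "unable": 1,            # Unable to analyze file: unknown is not clean
    "submitted": 1,         # Submitted for static analysis: early indicators looked bad
    "signed": -1,           # Signed: less likely malicious (not proof)
    "package_manager": -1,  # Included in a package manager
    "linux_only": -1,       # Linux only: usually repository-sourced
}

@dataclass
class Alert:
    name: str
    source: str
    severity: str
    host: str
    av_hits: int = 0
    flags: Set[str] = field(default_factory=set)
    acknowledged: bool = False
    timestamp: str = ""

def parse_context(text: str) -> Tuple[int, Set[str]]:
    """Split an assumed 'av:N;flag;flag' Context field into (av_hits, flags)."""
    av_hits, flags = 0, set()
    for token in filter(None, text.split(";")):
        if token.startswith("av:"):
            av_hits = int(token[3:])
        else:
            flags.add(token)
    return av_hits, flags

def load_alerts(csv_text: str) -> List[Alert]:
    """Parse the assumed export layout into Alert records."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        av_hits, flags = parse_context(row["Context"])
        alerts.append(Alert(row["Name"], row["Source"], row["Severity"], row["Host"],
                            av_hits, flags, row["Acknowledged"].strip().lower() == "yes",
                            row["Timestamp"]))
    return alerts

def context_score(alert: Alert) -> int:
    """File reputation: AV engine count bucket plus icon weights, floored at 0."""
    score = 3 if alert.av_hits >= 20 else 2 if alert.av_hits >= 5 else int(alert.av_hits >= 1)
    score += sum(CONTEXT_WEIGHTS.get(flag, 0) for flag in alert.flags)
    return max(score, 0)

def behavior_score(alert: Alert) -> int:
    """Behavioral verdict, taken from the alert's Severity."""
    return SEVERITY_RANK.get(alert.severity, 0)

def priority(alert: Alert) -> int:
    """The worse of the two views dominates; agreement between them adds a bump,
    so a quiet file flagged by 20+ AV engines and a clean-looking file with
    Severe behavior both land near the top of the queue."""
    b, c = behavior_score(alert), context_score(alert)
    return max(b, c) + (1 if min(b, c) >= 2 else 0)

def triage(alerts: List[Alert], include_acknowledged: bool = False,
           host: Optional[str] = None) -> List[Tuple[int, Alert]]:
    """Return (priority, alert) pairs, highest first. Mirrors the page's
    default of hiding acknowledged alerts and its per-host filter."""
    queue = [a for a in alerts
             if (include_acknowledged or not a.acknowledged)
             and (host is None or a.host == host)]
    queue.sort(key=lambda a: (-priority(a), -behavior_score(a),
                              -context_score(a), a.timestamp))
    return [(priority(a), a) for a in queue]

# Constructed sample export (not real data); column names are assumed.
SAMPLE_CSV = """\
Alert,Name,Source,Severity,Host,Context,Responses,Timestamp,Acknowledged
Behavior,C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe,Datto EDR,High,WS-BOB,av:23;unsigned;not_submitted,0,2024-05-01T10:15:00Z,no
Behavior,/usr/bin/apt,Datto EDR,Low,LNX-BUILD,av:0;package_manager;linux_only;signed,0,2024-05-01T10:16:00Z,no
Behavior,C:\\Windows\\Temp\\cleanup.ps1,Datto EDR,Severe,WS-ALICE,av:0;no_ti;unsigned;submitted,1,2024-05-01T10:20:00Z,no
AV,C:\\Program Files\\Vendor\\tool.exe,Datto AV,Medium,WS-ALICE,av:2;signed,0,2024-04-30T09:00:00Z,yes
"""

if __name__ == "__main__":
    for score, a in triage(load_alerts(SAMPLE_CSV)):
        print(f"P{score} {a.severity:<6} av={a.av_hits:<2} {a.host:<9} {a.name}")
```

Run as-is, the script puts the Severe-but-unknown script and the High-severity file flagged by 23 engines at the top, drops the package-managed, signed Linux binary to the bottom, and hides the acknowledged alert unless `include_acknowledged=True` is passed, which mirrors the page's acknowledgment filter. The weights are deliberately simple; the point is that neither the Severity column nor the Context icons should be read in isolation.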
What is a correlated alert?
A correlated alert indicates that the platform detected multiple low-severity or non-alert behaviors that, when combined, may identify activity representing a potential threat.
How do I read the rule body?
The rule body for a correlated alert is laid out in the same way as a traditional behavior rule, with specific fields for grouping, distinction, count, and more.
Viewing and responding to correlated events
If our threat analysis suspects that a correlation exists, the application will include a Correlated Alerts section in the alert details. This report details the events that led to the correlated condition. You can click each event to review deeper information about its suspected behaviors and our recommended responses. Analyzing this data can help you determine if common commands or processes are involved and the remediation actions you should take.
Suppressed alerts
Any new alerts that you suppress will not appear in the default view. They are also not sent to your third-party integrations, such as webhooks, external syslog collectors, or your BMS or Autotask ticketing systems. To view them, select the Severity > Suppressed filter.
For information about why an alert was suppressed, or if you don't want a certain type of alert to be suppressed, perform the following steps:
- Click the alert's name. Then, click the name shown in the Suppression Rule field.
- You'll see the rule details, where you can review the match criteria used to suppress the alert.
- To change how the rule behaves, click View Suppression Rule Info.
- You'll be redirected to the Edit Suppression Rule page. Follow the steps described in Managing and publishing suppression rules to make your desired changes and release them to your tenant instance.
Good to know
This page delivers the additional functions listed below.
- Click any column header to sort the displayed records by that column's value.
- Click any object name to open its alert detail page.