Leveraging the File Detail page
NAVIGATION Alerts > Alert Detail > click an object
SECURITY Datto EDR subscription with administrator or analyst-level platform access
IMPORTANT Specific retention periods apply to all record types in Datto EDR and Datto AV. For more information, refer to Datto EDR and Datto AV data retention policies.
The File Detail page enables you to view granular information about objects flagged as potential threats by Datto EDR. From this location, you can also manage the object's flags, download it, or queue it for heuristic threat analysis.
This article describes the page's layout and functions.
Overview
To access the File Detail page, perform the following steps:
- In the top navigation menu, click Alerts.
- Click any alert triggered by a file or script to view its details. The Alert Detail page will load.
- From the Alert Detail page, click the value shown in the Name field of the File pane.
- The File Detail page will load, with the Overview filter selected by default.
As you navigate, you'll see the following features and fields:
Feature | Definition |
Overview | Returns the current view to the File Detail page |
Instances | Pivots the current view to the Files section of the Search page with the object's hash pre-populated, enabling you to quickly review all endpoints where files with a matching attribute are present |
Connections | Pivots the current view to the Connections section of the Search page with the object's hash pre-populated, enabling you to quickly review all network activity where files with a matching attribute were involved |
Download | Enables you to download a copy of the object to your local machine |
IMPORTANT Using the Download feature downloads a potentially malicious, non-quarantined file to your computer. Proceed with caution.
Field name | Definition |
Threat Level | EDR's assessment of the risk level of the object; when associated with a host, indicates whether or not the endpoint appears to have been compromised |
Threat Name | Name of the malware sample, including category, type, designation, and variant information, as defined by the antivirus community |
AV Hits | Number of antivirus engines reporting the file as malicious out of the total number queried |
As Of | Date and time that Datto EDR fetched the results |
Field name | Definition |
Path | Location of the object on the endpoint |
Size | Size of the file |
First Seen | The first date and time this object was seen by Datto EDR on the endpoint |
Last Seen | The most recent date and time this object was seen by Datto EDR on the endpoint |
Field name | Definition |
MD5 | The object's MD5 hash |
SHA1 | The object's SHA1 hash |
SHA256 | The object's SHA256 hash |
SSDEEP | The object's SSDEEP fuzzy hash |
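Because the Download feature hands you a non-quarantined, potentially malicious file, a practical check is to confirm the local copy's hashes against the MD5, SHA1 and SHA256 values shown in this pane before analysing it, and to keep the copy inert on disk. The following is an added example, not Datto code; the sample bytes and hash values are constructed, and SSDEEP is not computed because it has no standard-library implementation.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

# Constructed stand-in for a file fetched with the Download feature; not real malware.
SAMPLE_BYTES = b"MZ\x90\x00constructed-sample-not-real-malware\n"

# Hash types the File Detail page lists. SSDEEP is a fuzzy hash with no
# stdlib implementation, so it is not computed here.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5, SHA1 and SHA256 in one chunked pass over the file."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def verify_against_page(path: Path, expected: Dict[str, str]) -> Dict[str, bool]:
    """Compare computed hashes with values copied from the page's hash pane.
    Any False means the local copy is not the object the alert refers to."""
    actual = hash_file(path)
    return {
        name: actual[name] == value.strip().lower()
        for name, value in expected.items()
        if name in actual  # unknown types such as ssdeep are skipped
    }


def write_inert_copy(directory: Path, sha256: str, data: bytes) -> Path:
    """Store the sample under its SHA256 with a non-executable extension and
    read-only permissions so it cannot be launched by accident."""
    target = directory / f"{sha256}.bin"
    target.write_bytes(data)
    target.chmod(0o400)
    return target


def run_demo() -> Dict[str, bool]:
    """Verify the constructed sample: the SHA256 stands in for the page value,
    the MD5 is a deliberately wrong placeholder, so expect sha256 True, md5 False."""
    sha256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()
    sample = write_inert_copy(Path(tempfile.mkdtemp()), sha256, SAMPLE_BYTES)
    return verify_against_page(sample, {"sha256": sha256.upper(), "md5": "0" * 32})
```

Paste the values from the hash pane into the `expected` dictionary; a mismatch on any type means the copy should not be treated as the flagged object.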
If the object is digitally signed, this pane provides details about the signature.
Field name | Definition |
Subject | Name of the subject issuing a request to the registration authority (RA) for the signature |
Issuer | The certificate authority (CA) issuing the signature |
Clicking any of the links shown in this pane will automatically initiate a search for the object's hash details via the selected search method.
This free-text field enables you to create notes about the object and view notes posted by other administrators or analysts.