When the app correlates an alert with additional endpoint
data, the Alerts table displays a green dot to the left of the alert
row to indicate the alert is eligible for analysis in the Causality
View. If the alert has a gray dot, the alert is not eligible for
analysis in the Causality View. This can occur when there is no
data collected for an event, or the app has not yet finished processing
the EDR data. To view the reason analysis is not available, hover
over the gray dot.
Use the Timeline View to review the sequence of events over time.
The timeline is available for alerts that have been stitched
with endpoint data.
If the activity is deemed malicious, consider responding by isolating
the endpoint from the network.
Remediate the endpoint, and then restore the endpoint from isolation.
Inspect the information again
to identify any behavioral details that you can use to Create a BIOC Rule.
If you can create a BIOC rule, test and tune the logic
for the rule, and then save it.