About Threat Events

Endpoint Detection and Response (EDR) creates a threat event when it identifies malware or potentially unwanted programs (PUPs) on a device. This happens in either Detect posture or Protect posture; in Protect posture the threat is also quarantined. Each threat event includes details such as the threat name, classification, process involved, detection date, and current status. You can find all threat events on the Threats page for devices linked to Blueprints with EDR. These events are also viewable on individual device records.

How It Works

Threat events are automatically created when Iru Endpoint EDR identifies potential security risks on managed devices. The system organizes threat events in a threat-centric table view, grouping events by file hash for file detections and by detection rule for behavioral detections. This structure simplifies assessing a threat’s impact across your Mac fleet. Each grouped event includes a side panel that provides detailed insights into the threat, enabling security teams to quickly understand the scope and severity of detected threats.

Understanding Event Information

Each threat event in the threat-centric table view provides essential information to assist InfoSec teams in investigating threats.
  • Threat ID: Displays the SHA-256 hash value of the detected threat
  • Process: Shows the most recently detected process responsible for the threat
  • Classification: Indicates the classification category of the threat event
  • Detection Date: Records the date when EDR identified the threat
  • Devices: Lists the total number of Mac devices affected by the threat event
  • Threat Status: Provides a comprehensive view of all threat statuses—Not quarantined, Quarantined, Resolved, and Released—across all devices for the grouped threat event
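To make the grouping concrete, here is an added example (not code from the Iru documentation or product) that builds the threat-centric rows described above from raw per-device detections: one row per SHA-256 for file detections, one per rule for behavioral detections, each carrying the most recent process, first and last detection dates, the set of affected devices, a status tally across devices and every unique path. The record fields, the sample serials and hashes and the behavioral rule name are constructed assumptions that mirror the columns on this page; the real EDR API schema may differ.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


# Hypothetical per-device detection records. The field names are assumptions
# modelled on the Threats table columns, not the EDR API schema.
@dataclass(frozen=True)
class FileDetection:
    serial: str          # device serial number
    sha256: str          # Threat ID
    process: str         # process that touched the file
    path: str            # file path at detection time
    classification: str  # malware | pup | benign | unknown
    status: str          # Not quarantined | Quarantined | Resolved | Released
    detected_at: datetime


@dataclass(frozen=True)
class BehavioralDetection:
    serial: str
    rule: str            # detection rule name; behavioral events group on this
    process: str
    classification: str  # malicious | suspicious
    status: str          # Detected | Blocked | Informational
    detected_at: datetime


def group_threats(events, key):
    """Collapse per-device events into one threat-centric row per key.

    Events are processed oldest-first, so each row ends up with the most
    recently seen process, the first/last detection dates, the affected
    devices, a status tally across devices and (for files) every unique path.
    """
    rows = {}
    for ev in sorted(events, key=lambda e: e.detected_at):
        tid = key(ev)
        row = rows.setdefault(tid, {
            "threat_id": tid,
            "classification": ev.classification,
            "process": ev.process,
            "first_seen": ev.detected_at,
            "last_seen": ev.detected_at,
            "devices": set(),
            "statuses": Counter(),
            "paths": set(),
        })
        row["process"] = ev.process          # latest detection wins
        row["last_seen"] = ev.detected_at
        row["devices"].add(ev.serial)
        row["statuses"][ev.status] += 1
        if hasattr(ev, "path"):              # behavioral events carry no path
            row["paths"].add(ev.path)
    return rows


def unresolved(rows):
    """Threat IDs where at least one device still has an unhandled detection."""
    open_states = ("Not quarantined", "Detected")
    return sorted(t for t, r in rows.items()
                  if any(r["statuses"][s] for s in open_states))


# Constructed sample input: one hash seen on three Macs, a PUP on one, and one
# behavioral rule (hypothetical name) firing on two Macs.
H1, H2 = "a" * 64, "b" * 64
FILE_SAMPLE = [
    FileDetection("C02AAA", H1, "curl", "/tmp/payload", "malware", "Quarantined", datetime(2024, 5, 1, 9, 0)),
    FileDetection("C02BBB", H1, "bash", "/Users/jo/Downloads/payload", "malware", "Not quarantined", datetime(2024, 5, 3, 14, 30)),
    FileDetection("C02CCC", H1, "bash", "/tmp/payload", "malware", "Resolved", datetime(2024, 5, 2, 8, 15)),
    FileDetection("C02AAA", H2, "Installer", "/Applications/Bundle.app/Contents/MacOS/bundle", "pup", "Quarantined", datetime(2024, 5, 4, 10, 0)),
]
BEHAVIOR_SAMPLE = [
    BehavioralDetection("C02AAA", "osascript_spawns_shell", "osascript", "suspicious", "Informational", datetime(2024, 5, 2, 11, 0)),
    BehavioralDetection("C02BBB", "osascript_spawns_shell", "osascript", "suspicious", "Detected", datetime(2024, 5, 3, 12, 0)),
]

if __name__ == "__main__":
    for row in group_threats(FILE_SAMPLE, lambda e: e.sha256).values():
        print(row["threat_id"][:12], row["process"], len(row["devices"]), dict(row["statuses"]))
    print("needs attention:", unresolved(group_threats(FILE_SAMPLE, lambda e: e.sha256)))
```

The same `group_threats` call serves both views: key on the hash for file detections and on the rule name for behavioral detections, which is exactly the split the threat-centric table makes.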

Understanding Threat Severity Levels

Iru Endpoint EDR includes severity scoring to help InfoSec teams quickly assess the criticality of detected threats. Each threat event is assigned one of five severity levels: Critical, High, Medium, Low, and Informational. The threats table includes a Severity column that displays the corresponding severity level for each threat. You can sort and filter threat events based on severity for both file detections and behavioral detections. The Threats page also features a threats-by-severity pie chart that provides a visual breakdown of threats organized by their severity levels.

Understanding Threat Classifications

Iru Endpoint classifies threats into four categories for file detections—malware, potentially unwanted program (PUP), benign, and unknown—and two categories for behavioral detections: malicious and suspicious.

File Detection Classifications

  • Malware: This term refers to malicious software designed to harm devices, individuals, or organizations
  • Potentially Unwanted Program (PUP): These are applications that might be unwanted on a device. PUPs often use high system resources, affecting performance, displaying unwanted ads, and collecting personal information. Unlike malware, PUPs are not intended to cause harm and are usually installed inadvertently with other software, often found in bundled packages
  • Benign: This classification is for files initially flagged as malicious but later determined to be non-malicious after further analysis. If you encounter benign threat events, it might be because the item was in your EDR Library Item block list at the time of detection or quarantine
  • Unknown: This category is for files that Iru Endpoint EDR cannot definitively classify as either malicious or benign based on the available data

Behavioral Detection Classifications

  • Malicious: A classification that refers to a behavioral activity that intends to cause harm
  • Suspicious: A classification that refers to behavioral activity that does not immediately indicate harm but warrants attention for further investigation

Understanding Threat Statuses

All threat events will have a status associated with them. The various statuses that a threat event may have are:

File Detection Statuses

  • Quarantined: A detected threat that was automatically quarantined in Protect posture
  • Not Quarantined: A detected threat that was not quarantined in Detect posture
  • Released: A threat that was initially quarantined but later released and restored to its original location
  • Resolved: A detected threat that is no longer at the last detected file path and was not quarantined by the agent

Behavioral Detection Statuses

  • Detected: Malicious behavioral activity was identified but not blocked (Detect posture)
  • Blocked: Malicious behavioral activity was identified and blocked (Protect posture)
  • Informational: Suspicious behavioral activity was detected and flagged for visibility

Quarantining of Malware and PUP will be determined by the posture mode as configured in the EDR Library Item. Please see Endpoint Detection and Response: Configuring the EDR Library Item for more information on how to configure the posture modes in your environment.

Viewing File Detections

1. Navigate to Threats: In the left-hand navigation bar, navigate to Threats.
2. Select File Detections: Ensure File detections is selected. By default, the Threats page opens to the File detections view.

Viewing Behavioral Detections

1. Navigate to Threats: In the left-hand navigation bar, navigate to Threats.
2. Select Behavioral Detections: Click on Behavioral detections in the top right corner to view behavioral detection events.

Filtering Threat Events

You can filter threat events for both file and behavioral detections based on their status for easier visualization and remediation.
1. Set Date Range: Select the Detection Date range for which you'd like to view threat events.
2. Choose Threat Status: Choose the Threat status you want to see in the list; you can select one or multiple.
3. Select Classification: Pick the Classification type.
4. Clear Filters: When you're finished, click the Clear all button to return to the default view, which shows all statuses for the last 30 days.

Side Panel

The threat-centric table view features a side panel for each grouped event, which can be opened by clicking on a threat event row to access detailed information about that specific threat. For file detections, the side panel includes:
  • Latest file name associated with the threat
  • A global view of all threat statuses—Not quarantined, Quarantined, Resolved, and Released—for the grouped threat event across all devices
  • First and last detection dates across all devices.
  • Insights on all unique file paths found related to the threat
For behavioral detections, the side panel includes:
  • The latest process name associated with the grouped event
  • A global view of all threat statuses—Detected, Blocked, and Blocked (killed parent)—across all devices.
  • A description of the malicious or suspicious activity
  • The malware family associated with the behavioral activity
  • Informational tags providing additional context
  • The first and last detection dates across all devices

Device cards

Device cards in the side panel represent devices where the malicious file was found. For file detections, these cards will display information such as:
  • Device Name
  • Serial Number
  • Blueprint and Library Item.
  • Malware and PUP Posture Mode
  • Actionable Events
  • Threat Event Details:
    • Threat Status - The current status of the threat on the device.
    • Path - The file path where the threat was detected.
    • User - The user associated with the process when the threat was detected.
    • Detection Date - The date when EDR identified the threat.
    • Quarantine Date - The date when EDR quarantined the threat.
    • Resolved Date - The date when the threat was marked as resolved in the web app.
    • Release Date - The date when the threat was released from quarantine on the device.
    • Application Bundle Path - The path to the application bundle.
For behavioral detections, these cards will display information such as:
  • Device name
  • Serial number
  • Blueprint and Library Item
  • Malicious behavioral detection posture mode information
  • Threat event details:
    • Threat Status - The current status of the threat on the device.
    • Detection date - The date when EDR identified the threat.
    • Rule version - Current rule version
    • Parent and target process information:
      • Parent and target process name
      • Parent and target process ID
      • Process owner
      • Image paths for parent and target processes
      • Command line arguments for parent and target processes
      • SHA-256 hash of the parent and target processes

Viewing a Device’s Threat Events in the Side Panel

For File Detections

1. Navigate to Threats: On the left-hand navigation bar, navigate to Threats.
2. Open Side Panel: Click on any threat event to open the side panel.
3. View Device Cards: In the Devices tab, view the device cards for all devices where the malicious hash was detected. Click any device card to expand it and view associated threat events.

For Behavioral Detections

1. Navigate to Threats: In the left-hand navigation bar, navigate to Threats.
2. Select Behavioral Detections: Click on Behavioral detections in the top right corner to view behavioral detection events.
3. Open Side Panel: Click on any threat event to open the side panel.

Rechecking the Status of a Threat

When the Malware or PUP posture modes are set to Detect, you can manually check a threat’s status in the side panel to see if it’s still present at the file path. If the threat is no longer there, its status will update from ‘Not quarantined’ to ‘Resolved.’ If the threat is still present, its status will remain unchanged.
1. Navigate to Threats: On the left-hand navigation bar, navigate to Threats.
2. Open Side Panel: Click on any threat event to open the side panel.
3. Expand Device Card: Click the desired device card to expand it and view the device's threat events.
4. Recheck Status: Click Recheck status.

When threats are initially detected and then removed from a device, their status will change from Not quarantined to Resolved once the Malware or PUP posture modes in the EDR Library Item are set to Protect mode. This update also occurs when a new Blueprint with these settings is applied to the device.

Releasing a Threat Event

There might be situations where InfoSec teams need to release a threat event for specific files or applications that were mistakenly quarantined, such as a security tool or application used by the organization. Releasing a threat event involves adding the item to the Allow list for the associated EDR Library Item.
The threat event release action will only apply to the Blueprints assigned to the EDR Library Item. Releasing a threat will release it from all Mac computers where the threat has been detected.
1. Navigate to Threats: On the left-hand navigation bar, navigate to Threats.
2. Open Side Panel: Click on any threat event to open the side panel.
3. Expand Device Card: Click the desired device card to expand it and view the device's threat events.
4. Initiate Release: Click Release threat.
5. Enter Item Name: Enter an Item Name.
6. Add Internal Note: Optionally, enter an internal note stating why the threat event is being released.
7. Confirm Release: Type RELEASE to release the threat.
8. Complete Release: Click Add and Release to add the threat to your Allow list and release the threat.

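The status rules from the Rechecking and Releasing sections above, as an added example that is not Iru's code: the initial status follows the posture mode configured for the classification, a recheck moves a Not quarantined event to Resolved once the file is no longer at its path, and a release adds the hash to an allow list and marks the event Released. The record layout, the allow-list shape and the SHA-256 comparison on recheck are my assumptions; the page itself only says the file must be absent from the last detected path, so the hash comparison is stricter than what it describes.

```python
import hashlib
import os
import tempfile


def make_event(sha256, path, classification, posture_modes):
    """Status at detection time, per the EDR Library Item posture for the class.

    Assumed record layout. Only malware and pup have posture modes, so other
    classifications are not handled here.
    """
    posture = posture_modes[classification]          # "Detect" or "Protect"
    status = "Quarantined" if posture == "Protect" else "Not quarantined"
    return {"sha256": sha256, "path": path,
            "classification": classification, "status": status}


def sha256_of(path):
    """Stream the file so large bundles do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def recheck_status(event):
    """Recheck: a Not quarantined threat becomes Resolved once the file is gone.

    Assumption beyond the page: a different file now sitting at the same path
    is treated as the original being gone, so the hash is compared rather than
    just checking existence.
    """
    if event["status"] != "Not quarantined":
        return event["status"]                       # other statuses never change here
    path = event["path"]
    if not os.path.isfile(path) or sha256_of(path) != event["sha256"]:
        event["status"] = "Resolved"
    return event["status"]


def release_threat(event, allow_list, item_name, note=""):
    """Release: add the hash to the Library Item allow list and mark it Released."""
    if event["status"] != "Quarantined":
        raise ValueError("only quarantined threats can be released")
    allow_list.append({"name": item_name, "sha256": event["sha256"], "note": note})
    event["status"] = "Released"
    return event["status"]


def demo():
    """Walk both paths against a constructed file; returns the status sequence."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "payload")
        with open(path, "wb") as f:
            f.write(b"constructed sample content, not real malware\n")
        modes = {"malware": "Detect", "pup": "Protect"}   # assumed posture settings
        seen = make_event(sha256_of(path), path, "malware", modes)
        s1 = recheck_status(seen)                    # file still present: unchanged
        os.remove(path)
        s2 = recheck_status(seen)                    # file gone: Resolved
        allow = []
        quarantined = make_event("b" * 64, os.path.join(d, "bundle"), "pup", modes)
        s3 = release_threat(quarantined, allow, "Internal tool", "approved by security")
        return [s1, s2, s3, len(allow)]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields the Not quarantined to Resolved transition on recheck and the Quarantined to Released transition on release, with one allow-list entry created; the same functions can be pointed at a real path reported on a device card to confirm locally what the web app's Recheck status button reports.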

Searching VirusTotal

VirusTotal is a powerful tool that provides in-depth analysis and insights into files and URLs. The web app includes a convenient feature for searching hashes within VirusTotal, allowing you to access additional contextual information directly from a threat event entry without leaving the app.
1. Navigate to Threats: On the left-hand navigation bar, navigate to Threats.
2. Access Actions Menu: Click the ellipsis located on the far right of the desired threat event.
3. Search VirusTotal: Click Search VirusTotal to search the hash in VirusTotal.

Iru Endpoint EDR may classify certain hashes as malware or PUP even if VirusTotal has no detections on them or considers them non-malicious; this is expected, because Iru Endpoint EDR draws on multiple threat sources.

Exporting Threat Events in CSV

In addition to using the Iru Endpoint API, InfoSec and IT teams can export the list of threat events directly from the admin console. The export icon in the threat-centric view applies the current filter settings and generates a CSV file with detailed information about each Threat event in separate columns. This feature is available in both the main Threats module view and the Threats tab under Device Record.
1. Navigate to Threats: On the left-hand navigation bar, navigate to Threats.
2. Select Detection Type: Select either File detections or Behavioral detections.
3. Export Data: Click the Export icon on the far right of the threat events list view. A CSV export file will download automatically.
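Added example (not part of the Iru documentation): applying the Detection Date, Threat status and Classification filters from the Filtering Threat Events section to an exported CSV, ranking what remains by severity and device count, and producing the VirusTotal link for each hash that still needs attention. The column headers, the ISO date format and the sample rows are constructed assumptions modelled on the Threats table; check them against the header row of a real export before using this on your own data.

```python
import csv
import io
from datetime import date, timedelta

# Page's five severity levels, most urgent first.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}

# Constructed sample export. The header names are assumptions modelled on the
# Threats table columns; a real export's header row is authoritative.
_HEADER = "Threat ID,Process,Classification,Severity,Detection Date,Devices,Threat Status"
_ROWS = [
    ("a" * 64, "bash", "Malware", "Critical", "2024-05-03", "3", "Not quarantined"),
    ("b" * 64, "Installer", "PUP", "Low", "2024-05-04", "1", "Quarantined"),
    ("c" * 64, "python3", "Malware", "High", "2024-03-01", "2", "Not quarantined"),
    ("d" * 64, "osascript", "Unknown", "Medium", "2024-05-02", "1", "Resolved"),
    ("e" * 64, "curl", "Malware", "High", "2024-05-04", "4", "Not quarantined"),
]
SAMPLE_CSV = _HEADER + "\n" + "\n".join(",".join(r) for r in _ROWS) + "\n"


def load_export(text):
    """Parse the CSV text of an export into one dict per threat row."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_events(rows, today, days=30, statuses=None, classifications=None):
    """Apply the page's filters: a detection-date window (the default view is
    the last 30 days), an optional set of statuses and an optional set of
    classifications. Results come back most severe first, and within a
    severity the hash seen on the most devices first."""
    start = date.fromisoformat(today) - timedelta(days=days)
    kept = []
    for r in rows:
        if date.fromisoformat(r["Detection Date"]) < start:
            continue
        if statuses and r["Threat Status"] not in statuses:
            continue
        if classifications and r["Classification"] not in classifications:
            continue
        kept.append(r)
    return sorted(kept, key=lambda r: (SEVERITY_RANK[r["Severity"]], -int(r["Devices"])))


def vt_url(sha256):
    """Public VirusTotal file report page for a SHA-256."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def triage(text, today):
    """Malware that is still Not quarantined within the window, ranked, with VT links."""
    rows = filter_events(load_export(text), today,
                         statuses={"Not quarantined"}, classifications={"Malware"})
    return [(r["Threat ID"], r["Severity"], int(r["Devices"]), vt_url(r["Threat ID"]))
            for r in rows]


if __name__ == "__main__":
    for tid, sev, devices, url in triage(SAMPLE_CSV, "2024-05-05"):
        print(f"{sev:<9} {devices:>2} devices  {tid[:12]}...  {url}")
```

With `today` set to 2024-05-05, the 30-day window drops the March detection, and the triage list contains the two Malware hashes still Not quarantined, ordered Critical before High. The VirusTotal link is the same lookup the Search VirusTotal action performs; as the page notes, a hash Iru flags may still show no VirusTotal detections.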

Considerations

  • Threat Classification: Understand the difference between file detection classifications (malware, PUP, benign, unknown) and behavioral detection classifications (malicious, suspicious) for proper threat assessment
  • Status Management: Regularly review and update threat statuses to maintain accurate security posture and ensure proper remediation tracking
  • Severity Prioritization: Use severity levels (Critical, High, Medium, Low, Informational) to prioritize threat response efforts and allocate resources effectively
  • Posture Configuration: Ensure EDR Library Items are properly configured with appropriate posture modes (Detect vs. Protect) based on your security requirements
  • Threat Investigation: Utilize the side panel and device cards to gather comprehensive information about threats, including file paths, user context, and detection timelines
  • False Positive Management: Be prepared to release legitimate applications that may be mistakenly quarantined, using the threat release process with proper documentation
  • External Validation: Use VirusTotal integration to cross-reference threat intelligence and validate threat classifications
  • Data Export: Leverage CSV export functionality for threat analysis, reporting, and integration with other security tools
  • Bulk Operations: Consider using bulk actions for efficient threat management when dealing with widespread threats across multiple devices
  • Regular Monitoring: Establish regular review processes for threat events to ensure timely response and proper classification of security incidents