Please find below a summary of endpoints encountering threats recently:
DRFD-LT-1521, DRFD, BNP, *Don't ever post your keycode in public - admin*
This is not giving me much info, so I decide to go to the console and pull up this machine.
So on the console, the machine (DRFD-LT-1521) says Thread Detected under status, and I click "view".
Once the new view window pops up there is nothing in there.
What does this mean?
Can the threat email I get have more information in it? Why is it so vague?
Is there a way to know what items the system has already dealt with or not? If the issue was resolved why is it still showing on the console a threat?
Thanks for your assistance on these questions.
Best answer by JimMView original
The default alert template does not include many fields that are now available for inclusion following a recent console update and may help to provide a better sense of understanding for the contents of the alert.
Of particular interest to you will probably be "Last Infected." This value will let you know how recent of a threat the email is in relation to.
Based on the description in this case, it sounds like the threat has already been dealt with. If you have your policy set up to automatically remove threats, that should already be the case any time you receive one of these emails. Alert emails are most handy for administrators who are not using automatic remediation in their policies. Is your policy is set up to automatically remove infections? If you have multiple policies in which some are set up for automatic remediation and some aren't, the "Policy Name" is something else you'll want to add in to your alert template.
Does this help? If my response doesn't fully answer your question, please reply and we'll see if we can get support to chime in to help out as well.
I will add some additonal fields to my emails and let you know if that solves the issue.