Quick filters let you rapidly select and apply commonly used filters to search results. Database Events quick filter groups are the event types, such as Security Technology Detections, Malicious Activity, and File Activity.
The filters in this group display the events the chosen detection technology detects.
Lists the events that SONAR (Symantec Online Network for Advanced Response) detects. SONAR is a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides "zero-day" protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.
Lists the events that sandboxing-detection technology such as Cynic and Malware Analysis detects. Sandboxing refers to running potentially dangerous files in a functionally isolated computing environment to analyze them for malicious behavior.
Lists the events that Insight detects. Insight is the Symantec reputation database with reputation intelligence on over 8 billion files. This service gathers information about Windows executable files.
Lists the events that Vantage detects. Vantage is the Symantec detection engine that finds threats in the network stream. Vantage detects malicious activity on an endpoint as well as signature-based threats found in the network environment.
Lists the events that antivirus software detects.
Email - Not Blocked
Lists the malicious emails that are delivered to a user's Inbox.
Lists the events exhibiting malicious behavior.
The filters in this group display the blacklisted items from a user-generated or commercial blacklist.
Lists the items that your own blacklist ("user blacklist") blocks.
Lists the events that are blocked based on DeepSight Enriched Events. DeepSight is a Symantec technology that uses a global warning threat detection system to aggregate threat information into a central database. "Enriched Events" refers to events for which DeepSight provides additional forensic information.
Lists the events that Dynamic Adversary Intelligence (DAI) detects. DAI is a Symantec feed that provides detailed information about the attackers that conduct targeted attacks.
The filters in this group display files that the selected machine-learning technology identifies.
Lists the items that the Criterion machine-learning engine detects. Criterion detects files in the gray region between known good and known bad. In this range, Criterion detects the files that are more likely to be malicious.
Lists the items that the Sapient machine-learning engine detects. Sapient ("Advanced Machine Learning") can detect malware based on static attributes. This technology enables Symantec Endpoint Protection to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown.
Quick filters in this group display the files that are associated with the selected file activity.
Lists the signed and trusted files within the environment.
Lists the file creation events within the environment.
Lists the file deletion events within the environment.
Quick filters in this group display suspicious activity by the chosen activity type.
Lists the files that are unsigned or signed but not trusted.
Lists the SONAR-based information regarding changes or behaviors on the endpoints in your environment that you should monitor.
PE launched from CLI
Lists Portable Executable (PE) files that are launched from a command line interface.
Endpoint Recording Behaviors
Lists the instances where endpoint recording has taken place on one or more endpoints.
Lists the instances of process injection. Process injection is a collection of techniques that run code within the address space of another process; such techniques are generally considered malicious. ATP detects three types of process injection:
Remote shellcode execution
Reflective DLL injection
Interception of Windows messages
Quick filters in this group display files that typically should not be in the C:\Windows directories.
Unsigned PE in system
Lists unsigned, or signed but untrusted Portable Executable (PE) files in Windows system folders.
PE in temp
Lists Portable Executable (PE) processes run from the Windows Temp folders.
Non-system files in system
Lists the non-system files in Windows system folders.
Quick filters in this group display persistent load point activity on computers in the environment.
Lists the persistent behavior at computer load points. For instance, fileless persistence techniques that use JScript or VBS in the Windows Registry.
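As an added example (not part of this article and not ATP's own detection logic), the Python classifier below applies the rules described by the PE launched from CLI, Suspicious file location and Persistent load point quick filters to constructed endpoint events. The Event fields, the parent-process list, the folder patterns and the script-persistence pattern are assumptions about what such events carry, chosen to mirror the filter descriptions above.

```python
import re
from dataclasses import dataclass

# Constructed event record (assumption: fields an EDR process/registry event carries).
@dataclass
class Event:
    kind: str                 # "process" or "registry"
    path: str = ""            # image path of the launched file
    parent: str = ""          # parent process image name
    signed: bool = False      # file carries an Authenticode signature
    trusted: bool = False     # signature chains to a trusted publisher
    reg_value: str = ""       # data of a Run-key value, for registry events

CLI_PARENTS = {"cmd.exe", "powershell.exe"}
SYSTEM_DIRS = ("c:\\windows\\",)                  # covers System32 and SysWOW64 beneath it
TEMP_DIRS = ("\\appdata\\local\\temp\\", "c:\\windows\\temp\\")
PE_EXT = (".exe", ".dll", ".sys", ".scr")
# Script hosts and script extensions typical of fileless persistence in Run keys.
SCRIPT_PERSISTENCE = re.compile(r"(wscript|cscript|mshta)\.exe|\.(js|jse|vbs|vbe|hta)\b", re.I)

def quick_filters(ev: Event) -> set[str]:
    """Return the set of quick-filter names that match one event."""
    tags: set[str] = set()
    p = ev.path.lower()
    is_pe = p.endswith(PE_EXT)
    untrusted = not (ev.signed and ev.trusted)     # unsigned, or signed but not trusted
    in_temp = any(t in p for t in TEMP_DIRS)
    if ev.kind == "process":
        if is_pe and ev.parent.lower() in CLI_PARENTS:
            tags.add("PE launched from CLI")
        if is_pe and untrusted and p.startswith(SYSTEM_DIRS) and not in_temp:
            tags.add("Unsigned PE in system")
        if is_pe and in_temp:
            tags.add("PE in temp")
    elif ev.kind == "registry" and SCRIPT_PERSISTENCE.search(ev.reg_value):
        tags.add("Persistent load point activity")
    return tags

# Constructed sample events; a benign, signed system process is included as a control.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\a\AppData\Local\Temp\setup.exe", "explorer.exe", False, False),
    Event("process", r"C:\Windows\System32\svchost.exe", "services.exe", True, True),
    Event("process", r"C:\Windows\System32\upd.exe", "cmd.exe", False, False),
    Event("registry", reg_value=r'wscript.exe //e:jscript "C:\ProgramData\u.js"'),
]

def run(events=SAMPLE_EVENTS) -> list[set[str]]:
    """Classify each event; the matching filter names per event are returned in order."""
    return [quick_filters(e) for e in events]
```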
Dual-use Tools Detections
Dual-use tools are tools that can be used legitimately but are often used maliciously. These include the following:
Lists the instances of PowerShell launched on one or more computers in the environment.
Suspicious Process Launch
Lists the instances of suspicious processes that are launched on one or more computers in the environment.
Filters in this group display the results from the technologies that detect malicious use of computer memory to exploit vulnerabilities.
Proactive Exploit Prevention
Lists the instances where Proactive Exploit Prevention blocks malicious behaviors that are common hallmarks of zero-day exploits. For instance:
Blocking any attempt to disable the Java Security Manager.
"Heap spray" prevention.
Protection against overwriting of the Structured Exception Handler.
Filters in this group display the events that are often associated with the attacks that leverage Microsoft Office applications.
Lists the instances of processes that are launched on one or more computers in the environment.
Lists the instances where a Portable Executable (PE) is created.
Lists the instances where a PE is injected into the address space of another process.