Symantec Endpoint Detection and Response uses a rule engine to determine when it should create incidents based on the severity of related events. Incidents that consist of the events that Symantec knows are part of a targeted attack are prioritized higher than incidents without such events. Incidents with a high number of events are prioritized higher than incidents with fewer events. Incidents with events that occurred more recently are prioritized higher than older incidents.
Tip: A notification is sent when an incident is created. No new emails are sent for the same incident when Symantec EDR adds additional events to that incident, and additional events are only added if they occur within 7 days of the incident being created. If you are investigating an incident over several days, more events may occur. Symantec recommends that at the end of a day you close the incident if all of the events that are related to that incident have been investigated. That way, the next day you can see whether there are new events to address. Note that closing an incident does not delete it. It still appears at the bottom of the Incident list, or you can filter the Incident list to show only closed incidents.
Symantec EDR creates incidents and assigns them priorities based on the following criteria:
The incident can result in a business outage or loss of data, or it can have a severe impact on the business. The incident needs to be responded to immediately.
The incident may have an impact on the business, and the use of the computer in question might need to be limited while the incident is being addressed.
The incident does not affect critical business operation, and the computer can continue to function and provide normal service.
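As an added illustration of the ranking described above (not Symantec's own code, and assuming the three criteria are applied in the order the page lists them: targeted-attack evidence, then event count, then recency), the following Python models incident creation, the 7-day window for attaching events, and the resulting order. Incident names and times are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of the ordering the page describes; it is not Symantec's rule engine.
EVENT_WINDOW = timedelta(days=7)  # events join an incident only within 7 days of its creation

@dataclass
class Event:
    time: datetime
    targeted_attack: bool = False  # the event is known to belong to a targeted attack

@dataclass
class Incident:
    name: str
    created: datetime
    events: list = field(default_factory=list)

    def add_event(self, event):
        """Attach the event only inside the 7-day window; return whether it was attached."""
        if event.time < self.created or event.time - self.created > EVENT_WINDOW:
            return False
        self.events.append(event)
        return True

    def priority_key(self):
        # Larger tuples sort first: targeted-attack evidence, then event count, then recency.
        has_targeted = any(e.targeted_attack for e in self.events)
        newest = max((e.time for e in self.events), default=self.created)
        return (has_targeted, len(self.events), newest)

def prioritize(incidents):
    """Return incidents from highest to lowest priority."""
    return sorted(incidents, key=Incident.priority_key, reverse=True)

def build_sample():
    """Constructed sample incidents (hypothetical names and times)."""
    t0 = datetime(2024, 1, 10)
    old_busy = Incident("A-many-old", t0 - timedelta(days=10))
    for i in range(5):  # five ordinary events, all inside the window
        old_busy.add_event(Event(t0 - timedelta(days=9, hours=i)))
    targeted = Incident("B-targeted", t0)
    targeted.add_event(Event(t0 + timedelta(days=1), targeted_attack=True))
    recent = Incident("C-recent", t0)
    recent.add_event(Event(t0 + timedelta(days=2)))
    recent.add_event(Event(t0 + timedelta(days=3)))
    return [old_busy, targeted, recent]

def sample_ranking():
    return [inc.name for inc in prioritize(build_sample())]

def late_event_rejected():
    # An event 8 days after creation falls outside the window and is not attached.
    inc = Incident("D-stale", datetime(2024, 1, 10))
    return inc.add_event(Event(datetime(2024, 1, 18))) is False
```

Note that the single targeted-attack event outranks the older incident with five ordinary events, and that incident in turn outranks the newer one with only two.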