I'm using Endpoint Defend integration on a few agents. I want to know if an alert created was due to detection or prevention so I can trigger actions based on the status. Is there a way to identify the same?
Also, can someone provide me some ways to trigger a few prevention and detection style alerts for elastic defend for testing. I was able to get prevention alerts by running an application but am unable to get any detection alerts.
The easiest way to determine prevention from detection alerts is to look for the word "Detection" or "Prevention" in the top level message field. Will that work for you?
You can trigger benign alerts by making sure Malware protection is enabled then saving the EICAR file to the computer. (You can download EICAR from this page https://www.eicar.org/download-anti-malware-testfile/). EICAR is a standard antivirus testing file. I recommend downloading EICAR.TXT from that website.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
