Elastic Defend integration: Is there a way to identify if an alert is caused due to prevention or detection?


I'm using Endpoint Defend integration on a few agents. I want to know if an alert created was due to detection or prevention so I can trigger actions based on the status. Is there a way to identify the same?

Also, can someone provide me some ways to trigger a few prevention and detection style alerts for elastic defend for testing. I was able to get prevention alerts by running an application but am unable to get any detection alerts.

Attached screenshots of Elastic Defend setttings.


Hi @Krishna_Teja

The easiest way to determine prevention from detection alerts is to look for the word "Detection" or "Prevention" in the top level message field. Will that work for you?

You can trigger benign alerts by making sure Malware protection is enabled then saving the EICAR file to the computer. (You can download EICAR from this page https://www.eicar.org/download-anti-malware-testfile/). EICAR is a standard antivirus testing file. I recommend downloading EICAR.TXT from that website.

I hope that helps.

Hello Ferullo

Thanks for sharing the details. This is really helpful. I'll check with the file.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.