The incidents that Symantec EDR creates

Symantec EDR incidents and triggers lists the incidents that Symantec Endpoint Detection and Response detects and the events that trigger those incidents.

Symantec EDR incidents and triggers

| Incident description | Trigger | Priority | Recommendation |
|---|---|---|---|
| Advanced Attack Technique (AAT) | Incident is created because Symantec EDR got an AAT from SONAR's BPE (Behavioral Policy Enforcement) or the Static Data Scanner (SDS) detections, which include suspicious PowerShell detections. | High | AAT incidents have recommended actions based on the specific techniques detected. |
| {taa_incident_description} (Targeted Attack Analytics (TAA) incident descriptions are provided by the Targeted Attack Analytics service.) | Incident is created because Symantec EDR got an incident from TAA. | High | TAA incidents have recommended actions based on the specific techniques detected. |
| Targeted email attack detected | Incident is created because email detection technology says that the email is part of a targeted attack. | High | Investigate the other email detections that are associated with the sender, recipients, attached files, and websites. You might also want to consider denying access to associated sites and files. |
| {threat.name} detected | Incident is created because Symantec EDR got one unblocked AVE email detection. | Medium | Investigate the file and other email detections associated with the sender, recipients, attached files, and websites. You might also want to consider denying access to associated sites and remediating associated files. |
| {threat.name} detected | Incident is created because Symantec EDR got one critical AVE or LCP detection that was not blocked. | Medium | You can isolate the endpoint(s), remove the file(s) and/or clean the system(s). |
| Sandbox detection: {file.name} | Incident is created because Symantec EDR got one Cynic detection. | High | You can isolate the endpoint(s), remove the file(s) and/or clean the system(s). |
| Command and Control domain {deepsight_domain} detected | Command and Control Domain {deepsight_domain} Detected | High | Consider denying access to the site. In addition, you may need to investigate the source of exposure to see if further action is required. |
| Malicious domain {deepsight_domain} detected | Malicious Domain {deepsight_domain} Detected | Low | Consider denying access to the site. In addition, you may need to investigate the source of the exposure to see if further action is required. |
| Targeted attack detected from Adversary {actor} | Multiple IoCs from one actor detected | High | View the analysis below. Begin your incident response plan, such as determining the scope of the attack, containing the breach, eradicating infection, recovering the environment, and learning lessons to improve organizational security. |
| Targeted attack detected using malware family {malware} | Multiple IoCs from one sha256 indicator detected | High | View the analysis below. Begin your incident response plan, such as determining the scope of the attack, containing the breach, eradicating infection, recovering the environment, and learning lessons to improve organizational security. |
| Targeted attack detected using malware family {malware} | Multiple IoCs from the same signature and URL detected | High | View the analysis below. Begin your incident response plan, such as determining the scope of the attack, containing the breach, eradicating infection, recovering the environment, and learning lessons to improve organizational security. |
| Multiple malicious behaviors have been detected from {data_source_url_domain} | A large number of conviction events found on a source host within the last hour | Low | If this site is not business critical, consider adding it to the deny list. Otherwise, consider creating a sinkhole server in your DNS to block the site. |
| Daily unresolved SEP detection(s) | Incident is created because SEP is believed to have identified a threat that was not blocked. | Medium | Review the SEP settings, isolate the endpoint(s), remove the file(s), and/or clean the system(s). |
| Multiple attacks have been detected targeting {device_name} | A large number of conviction events found on a target machine within the last hour | Low | Remove any software that attempts the malicious activity. Also, consider contacting the computer's user about browsing activity that can result in malicious downloads. |
| {signature_name} detected | Incident is created because Symantec EDR got one critical NDC detection. | High | Ensure any related vulnerable software is patched. You can deny access to the site(s) or remove the file(s). |
| Targeted attack detected | Incident is created because Cynic metadata says that the file is part of a targeted attack. | High | You can isolate the endpoint(s), remove the file(s) and/or clean the system(s). |
| Memory Exploit {signature_name} detected | Memory Exploit Attack detected | High | Symantec Endpoint Protection blocked the memory attack. However, the endpoints may still be infected. Investigate the infected endpoints. Retrieve all related recorded process or endpoint events for further investigation. Isolate the endpoints and/or clean the detection. |
| Suspicious PowerShell detected: anti-analysis technique used | Suspicious PowerShell detected: anti-analysis technique used | Medium | Attackers might be attempting to detect whether the process is running within a virtual environment, to avoid detection by a sandbox-based malware detection engine. Investigate the process that invoked PowerShell. Isolate and remediate affected endpoints. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Suspicious PowerShell detected: suspicious obfuscated command executed | Suspicious PowerShell detected: suspicious obfuscated command executed | Medium | Attackers encode PowerShell to obfuscate it and to simplify execution of complex, multi-line commands. Investigate the intent of the decoded command and the process that invoked PowerShell. A possible approach to decoding the contents is to modify the original PowerShell command line so that it writes out the decoded command instead of invoking it. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Suspicious PowerShell detected: .dll downloaded from a remote location and executed | Suspicious PowerShell detected: .dll downloaded from a remote location and executed | High | Investigate the process that invoked PowerShell and the contents of the .dll file, using a decompiler. Isolate and remediate affected endpoints and delete/clean infected files. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Suspicious PowerShell detected: content downloaded from a remote location and executed | Suspicious PowerShell detected: content downloaded from a remote location and executed | High | Investigate the downloaded content and download sites. Isolate and remediate affected endpoints and delete/clean infected files if they have not already been blocked by Symantec Endpoint Protection. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Suspicious PowerShell detected: execution of file-less, registry-based script | Suspicious PowerShell detected: execution of PS script stored in registry | Medium | Attackers hide PowerShell scripts in the registry to achieve persistence and evade detection. Investigate the content of the PowerShell script stored in the registry. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Suspicious PowerShell detected: extracted user cookies to a file | Suspicious PowerShell detected: extract and store cookies | Medium | Investigate the process that invoked the PowerShell command and remediate as needed. Notify the user to change account credentials across websites. Isolate and remediate affected endpoints and delete/clean infected files. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Suspicious PowerShell detected: In-memory malware executed | Suspicious PowerShell detected: In-memory malware executed | High | In-memory execution is used by attackers to perform malicious activities without writing the malware file to disk. Investigate the shellcode that is specified in the PowerShell command and the invoking process to assess the next steps for remediation. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Suspicious PowerShell detected: suspicious encoded command invoked | Suspicious PowerShell detected: suspicious encoded command invoked | Medium | Attackers encode PowerShell to obfuscate it and to simplify execution of complex, multi-line commands. Investigate the intent of the decoded command and the process that invoked PowerShell. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Suspicious PowerShell detected: obfuscated PowerShell command line run | Suspicious PowerShell detected: obfuscated PowerShell command line run | High | Investigate the source of the obfuscated command. Isolate and remediate any affected endpoints and delete/clean any infected files if they have not already been blocked by Symantec Endpoint Protection. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
| Malicious PowerShell detected: credential theft | Malicious PowerShell detected: credential theft | High | Mimikatz is a tool that is used to extract system and domain credentials for hacking and penetration testing. If you suspect a breach, investigate the attacker entry points and the scope of the attack. Isolate and remediate affected endpoints. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. Consider changing the user's password. |
| Suspicious PowerShell detected: Powersploit | Suspicious PowerShell detected: Powersploit | High | Powersploit is a set of PowerShell scripts that is used for hacking and penetration testing. If you suspect a breach, investigate the attacker entry points and the scope of the attack. Isolate and remediate affected endpoints. Investigate further activity at the endpoint by downloading a full dump of the endpoint's recorded data. |
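The encoded-command and obfuscated-command rows above recommend recovering the decoded command for review instead of invoking it. The following Python helper is an added example for that triage step; it is not part of the Symantec EDR documentation or product. Given a recorded PowerShell command line, it finds the `-EncodedCommand` argument (including the `-e`, `-ec` and `-enc` abbreviations that powershell.exe accepts), decodes the base64/UTF-16LE layer, decodes any `FromBase64String('...')` literals one layer further, and lists constructs in the decoded text that merit a closer look. Nothing is executed. The sample command line is constructed inside the script from a harmless payload, and the function names and indicator list are this example's own assumptions, not Symantec terminology.

```python
"""Decode a recorded PowerShell -EncodedCommand line for analyst review, without
executing it.  Added triage example; not Symantec EDR code.  The sample command
line built below is constructed from a harmless payload."""
import base64
import binascii
import re
from typing import Optional


def _is_encoded_switch(token: str) -> bool:
    """True for the switch spellings powershell.exe accepts for -EncodedCommand
    (-e, -ec, -enc, -encodedcommand, ...), case-insensitively, with - or / prefix."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    body = token[1:].lower()
    return body == "ec" or "encodedcommand".startswith(body)


def extract_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the base64 argument that follows the -EncodedCommand switch, or None."""
    tokens = cmdline.split()
    for i in range(len(tokens) - 1):
        if _is_encoded_switch(tokens[i]):
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries base64 over the script encoded as UTF-16LE text.
    Returns the plain-text script, or None if there is no decodable argument."""
    blob = extract_encoded_argument(cmdline)
    if blob is None:
        return None
    blob += "=" * (-len(blob) % 4)  # tolerate stripped '=' padding
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64, or truncated: leave it for manual review


# A common second layer: a base64 literal handed to [Convert]::FromBase64String().
_INNER_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)


def decode_inner_layers(script: str) -> list[str]:
    """Decode each FromBase64String('...') literal in the script one layer further.
    Heuristic: if every second byte is zero the bytes are read as UTF-16LE,
    otherwise as UTF-8; literals that decode as neither are skipped."""
    layers = []
    for match in _INNER_B64.finditer(script):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except binascii.Error:
            continue
        utf16_like = bool(raw) and len(raw) % 2 == 0 and not any(raw[1::2])
        try:
            layers.append(raw.decode("utf-16-le" if utf16_like else "utf-8"))
        except UnicodeDecodeError:
            continue
    return layers


# Constructs worth a second look in decoded text (a triage aid, not a verdict).
_INDICATORS = {
    "invoke-expression": re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE),
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.IGNORECASE),
    "nested-base64": re.compile(r"frombase64string", re.IGNORECASE),
    "in-memory-load": re.compile(r"reflection\.assembly|virtualalloc|add-type", re.IGNORECASE),
}


def indicators(script: str) -> list[str]:
    """Names of the indicator patterns present in the decoded script, sorted."""
    return sorted(name for name, rx in _INDICATORS.items() if rx.search(script))


def analyse(cmdline: str) -> dict:
    """Full report for one recorded command line."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"decoded": None, "inner_layers": [], "indicators": []}
    return {"decoded": script, "inner_layers": decode_inner_layers(script),
            "indicators": indicators(script)}


def build_sample_command_line() -> tuple[str, str, str]:
    """Constructed sample: an encoded command that wraps a second base64 layer.
    Returns (command_line, outer_script, inner_plaintext) so decoding can be checked."""
    inner = "Get-Process | Out-File C:\\Temp\\procs.txt"  # harmless constructed payload
    inner_b64 = base64.b64encode(inner.encode("utf-8")).decode("ascii")
    outer = (f"$d=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{inner_b64}'));"
             "IEX $d")
    outer_b64 = base64.b64encode(outer.encode("utf-16-le")).decode("ascii")
    return "powershell.exe -NoProfile -Enc " + outer_b64, outer, inner


if __name__ == "__main__":
    line, _, _ = build_sample_command_line()
    report = analyse(line)
    print("decoded :", report["decoded"])
    for layer in report["inner_layers"]:
        print("inner   :", layer)
    print("flags   :", ", ".join(report["indicators"]))
```

Feed `analyse()` the command line recorded in the incident's process event; the decoded text and the inner layers are what the recommendation asks you to read for intent, and the indicator names point at the parts to read first. Compressed or string-concatenated layers need a further manual pass, since the helper only unwraps plain base64.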