Understanding incidents, events, and entities

Incidents
An incident is a collection of one or more events that represent a significant risk or potential threat to the organization. Incidents may include events that Symantec Endpoint Security has blocked, because even blocked events contribute to a more complete picture of the larger attack.
However, not all malicious events are escalated to incidents. For example, suppose a user visits a spoofed website with a bad reputation. If there is no indication that the user's endpoint became infected or downloaded anything malicious, the event is unlikely to be raised to an incident: Symantec EDR does not deem it important enough to bring to an incident responder's attention. The event is still recorded, however.
Events
An event is generated when Symantec Endpoint Security detects that activity occurred on an endpoint. For instance, events are generated when a malicious file is downloaded or when a benign executable file is created. Not all events are malicious; a reputation request for a healthy file is one example.
Entities
An entity is a component that is involved in an event. EDR monitors events on the following entities:
  • Domain: A domain, URL, or IP address that is not part of your internal network.
  • Endpoint: Computers, servers, or mobile devices in your network.
  • File: Any file that resides on an endpoint.
  • Adversary: The entity that is involved in, or suspected of involvement in, a targeted attack.
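To make the relationship between entities, events, and incidents concrete, the following is an added illustration written for this page, not Symantec's schema or code. It assumes a simplified event record that names the entities involved and an assumed escalation rule that mirrors the text: a malicious file reaching an endpoint (even if blocked) creates an incident, while a lone visit to a bad-reputation domain is recorded but not escalated.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed, simplified model of the concepts above (not Symantec's schema).
# An event names the entities it involves: the endpoint it happened on and,
# optionally, an external domain or a file.
@dataclass
class Event:
    event_id: int
    endpoint: str
    action: str                    # e.g. "web_visit", "file_download"
    domain: Optional[str] = None   # external domain involved, if any
    file: Optional[str] = None     # file involved, if any
    malicious: bool = False        # product judged the activity malicious
    blocked: bool = False          # product blocked the activity

@dataclass
class Incident:
    endpoint: str
    events: List[Event] = field(default_factory=list)

def build_incidents(events: List[Event]) -> Dict[str, Incident]:
    """Group events per endpoint and escalate only where a malicious file
    actually reached the endpoint (blocked or not). A lone visit to a
    bad-reputation site is recorded but not escalated (assumed rule)."""
    by_endpoint: Dict[str, List[Event]] = {}
    for ev in events:
        by_endpoint.setdefault(ev.endpoint, []).append(ev)
    incidents: Dict[str, Incident] = {}
    for ep, evs in by_endpoint.items():
        if any(ev.malicious and ev.file for ev in evs):
            # Keep every malicious event on that endpoint, blocked ones too:
            # blocked events still complete the picture of the attack.
            incidents[ep] = Incident(ep, [ev for ev in evs if ev.malicious])
    return incidents

# Constructed sample events: ws-01 only browsed to the spoofed site;
# ws-02 browsed there and then a malicious download was blocked.
SAMPLE_EVENTS = [
    Event(1, "ws-01", "web_visit", domain="spoofed-bank.example", malicious=True),
    Event(2, "ws-01", "file_create", file="report.pdf"),
    Event(3, "ws-02", "web_visit", domain="spoofed-bank.example", malicious=True),
    Event(4, "ws-02", "file_download", domain="spoofed-bank.example",
          file="invoice.exe", malicious=True, blocked=True),
    Event(5, "ws-02", "reputation_request", file="notepad.exe"),
]
```

Running `build_incidents(SAMPLE_EVENTS)` yields one incident, for ws-02, containing events 3 and 4; ws-01's visit to the spoofed site stays a recorded event only.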