• Capture Client 3.7
• Overview
  • Description
  • Navigation
  • Guide Conventions
• Dashboard
  • About the Dashboard
  • Global Dashboard
  • Tenant Dashboard
• Alerts and Notifications
  • Accessing Notifications
  • Viewing Alerts
• Threat Investigation
  • Investigating Threats
  • Analyst Verdict
  • Downloading a Threat File
  • Detected Threats
  • Threats Mitigated
  • Performing a Rollback
  • Resolving Threats
  • Blacklisting Threats
  • Benign Threats
• Investigating and Responding to Active Clients
  • SentinelOne Pending Actions
• Investigating and Responding to Active Users
• Enforce Trusted Certificates
• Investigating and Responding to Risky Applications
• SonicWall Support
  • About This Document

Investigating Threats

You can navigate to the list of threats by clicking Threats. The Threats page shows all the threats detected in the reverse chronological order with the latest detection at the top of the first page.

You can view the status of the threat displayed in the tabular view. The colors of the icons (green, red and gray) represent different stages of the threat:

Icon	Meaning
	A mitigated or resolved threat.
	A threat is currently unresolved or suspicious.
	A threat has been detected and blocked.

Filter Options

Click and select the check the boxes for the Mitigation Status, Classification, Incident Status, AI Confidence Level, Analyst Verdict, Reboot Required, OS, Threats Detected By options to filter on.



• Use Mitigation Status to filter the threats based on the options Not Mitigated, Mitigated, and Marked as Benign.
• Use Classification to filter the threats based on the software.
• Use Incident Status to filter the threats based on the options Resolved, Unresolved, and In Progress.

• Use AI Confidence Level to filter the threats based on the options Malicious, Suspicious, and N/A.

  The users cannot change the AI Confidence Level that is generated by AI.

• Use the Analyst Verdict options to investigate more on the threats and reach a conclusion on them. For more details, see Analyst Verdict.

• To find threats that require a reboot to complete mitigation, use the Reboot Required filter options Yes or No.

  Certain mitigation actions (for example, the deletion of corrupted system files) may not be able to complete due to permission or OS deadlocks. In such situations, a reboot may be required to complete the action and this is indicated on the management console.

• Use the OS options to filter by the Operating System.
• Use the Threats Detected By options to filter the threats based on the options Full Disk Scan, Agent Policy, Local Agent Command, Deep Visibility Command, Management Console API, and On-Demand Scan.

Other Options

At the top of the page, you also have the following options to:

• Search: Click and enter the file details in the search string.
• Detailed view: Click to expand the options in the table. Click it again to return to the simple view.
• Time Filters: Move the orange cursor and select the required time anywhere from Last 5 Minutes to All. You can also click Custom and select the start date and end date.
• Export: Click to export the threat list in CSV format
• Taking appropriate actions for threats: Select the threats from the list and click to take appropriate actions. You can take any of the following:
  • Kill Threat
  • Unquarantine
  • Quarantine
  • Connect Network
  • Disconnect Network
  • Mark as Threat
  • Add to Blacklist
  • Add to Exclusions
  • Analyst Verdict
  • Mark as Unresolved
  • Mark as Resolved
  • Mark as In Progress
  • Mark as Benign

  These options are displayed depending upon the status of the threat.

  To take action for single threat items, you can also click pertaining to each threat to view the options.

Double-click on any of the File Details, Device, Classification, or Mitigation actions to view the detailed information on the Threat List page.

On the Threat List page, double click on the threat again to view the Threat Details page.

When you expand the threat, you have access to additional actions.

Click on Download drop-down tab and select the required format (pdf, json, or csv) to download the threat report. Alternatively, click on the file name in the File Info section to view the download threat file option. To download threat file, see Downloading a Threat File.

Click on Disconnect Network to disconnect the device from the network.

Click on Analyst Verdict drop-down to take the security team's decisions. For more information, see Analyst Verdict.

Select the More Actions drop-down list, which provides other actions you can take on the threat.

You also have other options to analyze the details of threats by scrolling down to the File Info and Summary sections:

• Click on the View events hyperlink to view the capture ATP events.

• Click on the VirusTotal hyperlink to determine if the threat was seen by anyone else. For more information, see Detected Threats.

• Click on the hyperlink pertaining to Seen on network to view the details and number of instances the threat was seen on the network.

• Click Open Policy to navigate to the Threat Protection page.

Click Go Back to navigate to the Threat Lists page.