G DATA 365 | Managed EDR

Overview of an incident

Each incident can be viewed on an overview page, where all important information can be found at a glance.

Screenshot: G DATA 365 | Managed EDR Overview

Color coding of the status of recommended actions (→ Priority) and incidents (→ Impact)

To ensure that important recommendations for action immediately stand out from less important information, both incidents and recommended action are rated according to importance with corresponding color coding.

An incident can be marked with one of these statuses:

Green
If the incident has a green status, there is nothing for you to do. In this case, G DATA was able to eliminate the danger and there are no tasks for you to perform.

Yellow
If the incident has a yellow status, you must perform an action. The action is not urgently required, but should be carried out eventually.

Red
If the incident has a red status, it is urgent that you perform an action. This action should not be delayed.

Gray
If the incident has a gray status, G DATA is currently busy solving the problem. After the G DATA Security Analysts have completed the process, the status changes to red, yellow or green.

The status of an incident or a recommended action

Status refers to the current processing status. Some statuses are set automatically by our cloud backend. These include:

New
This status means that a new incident has been reported to the portal but has not yet been investigated. An incident also receives the status New if it already had a different status but a new alert has been added.

Solved automatically
This status means that no G DATA Security Analysts are required to close the alert. This is the case, for example, if a file known to be infected was about to be downloaded from the Internet, but the G DATA Agent prevented the download. In this case, no G DATA Security Analysts need to intervene and the alert receives the status Solved automatically.

Some statuses are set manually by the G DATA Security Analysts. These include:

In progress
This status means that a G DATA Security Analyst is currently investigating the incident. As soon as the investigation is completed, the analyst will change the status.

Solved
This status means that a G DATA Security Analyst has completed work on the incident. However, it is possible that the customer still has open recommended actions.

Deferred
This status is set if a G DATA Security Analyst cannot continue working at this time because they are waiting for feedback or for the customer to carry out recommended actions.

Priority

An incident can have the priority Low, Medium or High. By default, an incident is given the priority Medium. In some cases, the priority is changed manually by the G DATA Security Analysts. If the priority High has been assigned, a G DATA Security Analyst may be waiting urgently for feedback or for a recommended action to be taken. In this case, you will see a red status marker for the incident.

The recommended actions

In the right block of the overview, you will see a list of all recommended actions relating to this incident.

Recommended actions are given to you by our G DATA Security Analysts for an incident.

These can be:

  • simple tips and tricks to avoid incidents,

  • simple tasks that need to be carried out (such as a reboot),

  • or complex actions that are necessary to prevent or limit damage as quickly as possible.

The Action column

Tick (blue)
If the tick in this column is blue, you have not yet marked the recommended action as completed. If you click the blue tick, you mark the recommended action as completed.

Undo (blue)
If the tick in this column is blue, you have not yet marked the recommended action as completed. If you click on the blue tick, you mark the recommended action as completed.

Details page of recommended actions
Click on the row of a recommended action to open its details page.

Screenshot: G DATA 365 | Managed EDR Overview

On this page you can see the full text of the recommended action. You can also mark the recommended action as "Completed" here; to do this, click Close now.

Security alarm (Alert)

In the lower block of the general overview, you will find the list of alerts assigned to this incident.

Name column
These are the names that the sensor was able to assign to these security events, for example a virus name.

End point column
The endpoints on which security alerts have occurred are specified here. If several alerts have occurred for an endpoint, you will see the same endpoint in each row.
It can happen that sensors on different endpoints have issued an alarm and these can all be assigned to one security incident. In this case, you will see different endpoints displayed in this column.

Affected artifacts column
Here you can see which files or processes were affected by this incident.

Date column
Date and time of the security alarm.

Classification column
This column shows you whether the alarm is a legitimate alarm (True Positive) or a false alarm (False Positive).

Detail page Alert

Click on the row of an alert to open its details page.

Screenshot: G DATA 365 | Managed EDR Overview

The details page shows you a summary of the most important information, such as:

  • The name transmitted by the reporting sensor.

  • When the alarm occurred.

  • What status it has.

  • How it was classified.

Under Affected artifacts, you can see which file or process the G DATA Agent's sensor detected and how the sensor reacted to it.

In our example (see screenshot), a file was recognized and moved to quarantine.

If we were able to determine a SHA256 hash value, it will also be displayed here.