Capture Client Monitoring with Dashboard, Threats and Applications

Threat Investigation > Detected Threats
Table of Contents

Detected Threats

You can select individual threats for details of that threat and actions taken by SonicWall Capture Client. You can also see the current status of the threat and in some instances, you are given a list of options for further actions, including Mark as In Progress, Mark as Resolved, Add to Exclusions, and Add to blacklist and so on.

If you click on a threat that was only detected, it shows a page as given below. Under the Actions section, you can see that the Threat has only been detected. It shows that the reason for non-prevention of the threat is because the policy is set to Detect (Alert only) threats. It does not Protect (Kill & Quarantine).

  • By looking at File Info section, you can see the file name, path, and the device on which it was detected, as well as device details such as IP address and time of detection and alerting.

  • The Threat Indicators section displays the reasons for the engine to detect the incident. Indicators are generated based on analysis of the threat. The indicators display the behaviors the engine detected as malicious or suspicious. These include:

    • Abnormalities

    • Boot Configuration Update

    • Discovery

    • Evasion

    • Exploitation

    • Execution

    • General

    • Hiding/Stealthiness

    • Impersonation

    • InfoStealer

    • Injection

    • Lateral Movement

    • Malware

    • Packer

    • Persistence

    • Post Exploitation

    • Privilege Escalation

    • Process Injection

    • Ransomware

    • Reconnaissance

  • To determine if this threat was seen by anyone else, you can click on the VirusTotal link in the summary section to open a browser window with a search against the VirusTotal database for the SHA1 Hash of the file.
    • Check the signing authority for the file. If it is a legitimate organization and is verified, this may be a false positive. But some threats steal legitimate certificates for signing malware code.
    • The detection engine reflects which engine enabled via the policy actually detected this threat.
  • If you deem that the threat is real, you can immediately kill and quarantine the threat using the Kill link located in the More Actions section.
  • If you are not sure and would like to investigate further, you can contain the threat from spreading to other endpoints or from causing network-based impact (like exfiltration of data). You can also logically disconnect the endpoint from the network by clicking on the Disconnect Network button. This ensures that the endpoint can talk to the Capture Client Management Console but not to any other destination. You can reset this action by clicking on the button again which is now labeled Reconnect to Network.

  • If the file looks like a legitimate file to your organization (custom app/script), then you can mark it as benign by clicking on More Actions and selecting Mark as benign.

  • If the file is determined as malicious, you can also select More Actions > Add to Blacklist to mark it as a legitimate threat across the organization. In this case the Analyst  Verdict is set as True Positive. This reduces the need to do any analysis on this threat if it is seen again.

  • If you create an exclusion for threats (More Actions > Add to Exclusions), the Analyst Verdict automatically changes to False Positive and the Status is set to Marked as Benign.