Correlated Events - Detection Details - Detection Information

Information provided in the Detection Information section may include the following:

  • Activity detected

  • Attack phase

  • Correlation Rule ID (ICID)

  • Detection name

  • Detection rule ID

  • Detection severity

  • Event class

  • Notable Object

  • Protocol

  • Reference

  • Targeted attack campaign

  • Targeted attack related

  • Threat

  • Threat description

  • Detection type

  • Timestamp

  • URL category

  • Virtual Analyzer risk level


Additional information may appear for specific correlated incidents.

Table 1. Detection Types

Correlated Incident

Events/detections that occur in a sequence or reach a threshold and define a pattern of activity

Disruptive Application

Any peer-to-peer, instant messaging, or streaming media applications considered to be disruptive because they may do the following:

  • Affect network performance

  • Create security risks

  • Distract employees


Network and file-based attempts to access information


Adware/grayware detections of all types and confidence levels

Malicious Behavior

Behavior that definitely indicates compromise with no further correlation needed, including the following:

  • Positively identified malware communications

  • Known malicious destination contacted

  • Malicious behavioral patterns and strings

Malicious Content

File signature detections

Malicious URL

Websites that try to perform malicious activities

Suspicious Behavior

Behavior that could indicate compromise but requires further correlation to confirm, including the following:

  • Anomalous behavior

  • False or misleading data

  • Suspicious and malicious behavioral patterns and strings