Hi,
Can someone tell me the difference between threat dismissed and threat cleaned up? we do have a siem tool in which sophos logs are integrated. Looking on the sophos logs i could see various action performed by the sophos on malware. Below are the list:
Event::Endpoint::Threat::Detected
Event::Endpoint::Threat::CleanedUp
Event::Endpoint::Threat::Dismissed
Event::Endpoint::Threat::CleanupFailed
Here is the sample log of the threat dismissed:
What does it actually mean? Does it mean that the malware was present on the host and it successfully cleaned or is it that sophos does not have the access to the file and dismissed.
2017-10-18T04:49:15.538Z rt="2017-10-18T04:49:15.538Z"; endpoint_id="XXX3-f3e0-348b-f8fe-XXXXX"; end="2017-10-18T04:49:14.000Z"; severity="low"; duid="5XXXXXX the threat?5b"; whitelist_properties="{}"; dhost="XXXXX"; endpoint_type="computer"; threat="JS/FakeAle-SG"; suser="XXXX"; group="MALWARE"; customer_id="e2d5ae87-30a1-94fc-c9af-abf897302372"; type="Event::Endpoint::Threat::Dismissed"; id="cXXX-686c-XXX-5XXc-aa51b2a7b9fe"; name="Malware locally cleared: 'JS/FakeAle-SG' at 'C:\XXXXXXta\Local\GooglXXX\User Data\Default\Cache\f_001d18'";
In certain scenarios i would get threat dismissed logs directly for certain signature on host even without getting the detected logs. Can someone shed light on this scenario
Summing up my understanding here
If the malware has initiated on host and sophos detects it it would come under the category threat detected
If the malware was cleaned up it would come under the category Threat::CleanedUp
If the malware was not cleaned up it would come under the category Threat::CleanedUp failed
If the malware not initiated and sophos able to clear it will it come under the Threat::Dismissed . is this assumption right?
Please help
This thread was automatically locked due to age.