TDR Remediation Actions and Threat Scores
When a TDR Host Sensor identifies a threat, the TDR analytics engine assigns a Threat Score to the indicator. To reduce the Threat Score, you can allow a Host Sensor to execute a remediation action, or, if the indicator refers to a file or process you consider safe, you can add it to the Allowlist.
- If you add an indicator to the Allowlist, the indicator score changes to 0 (Known Good).
- If a Host Sensor completes the action required to remediate an indicator, the indicator score changes to 1 (Remediated).
To remediate each indicator type, the Host Sensor must complete a specific action.
|Indicator type|Possible Actions|Action Required to Remediate|
|---|---|---|
| |Delete Registry Value|Delete Registry Value|
|Host Ransomware Prevention|Quarantine File| |
You can also select the Mark as externally remediated action for an indicator if you have taken some other action to remediate the threat. When an indicator is marked as externally remediated, its Threat Score changes to 1 (Remediated).
You can see remediated indicators on the Remediations page. For more information, see Monitor TDR Remediations.
The Sandbox File Action
If the Host Sensor detects a suspicious file that does not match a known threat, it requests the Sandbox File action. The Sandbox File action allows Host Sensors to upload suspicious files to a secure sandbox for APT Blocker analysis. Based on the result of the analysis, TDR can increase the score of the indicator so that your configured Remediation policies automatically allow the remediation action. Note that Sandbox File by itself does not remediate the indicator; the score only changes to 1 when the Host Sensor completes the action required for that indicator type, such as Quarantine File. For more information, see TDR Sandbox Analysis by APT Blocker.
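The score rules above (Allowlist gives 0, the required action or an external remediation gives 1, a sandbox verdict can raise the score until a Remediation policy allows the action) can be pictured as a small state model. The following Python is an added illustration written for this page, not WatchGuard TDR code: the score value 8 used for a malicious sandbox verdict, the policy threshold of 7, and the sample indicator names are assumptions, since the page does not state the scale above 1 or the shape of a Remediation policy.

```python
"""Toy model of the TDR indicator-score lifecycle described on this page.

Added illustration, not WatchGuard TDR code. Assumed (not on the page): the
score 8 used for a malicious sandbox verdict, the policy threshold 7, and the
sample indicator names below.
"""
from dataclasses import dataclass, field
from enum import Enum

KNOWN_GOOD = 0   # page: indicator added to the Allowlist -> 0 (Known Good)
REMEDIATED = 1   # page: required action completed, or marked externally remediated -> 1


class Action(Enum):
    QUARANTINE_FILE = "Quarantine File"
    DELETE_REGISTRY_VALUE = "Delete Registry Value"
    SANDBOX_FILE = "Sandbox File"


@dataclass
class Indicator:
    name: str
    score: int                       # score assigned by the analytics engine
    required_action: Action          # the one action that remediates this indicator type
    allowlisted: bool = False
    completed: set = field(default_factory=set)   # actions the Host Sensor has finished
    externally_remediated: bool = False


def effective_score(ind: Indicator) -> int:
    """Score as the page defines it: Allowlist first, then remediation, else the engine's score."""
    if ind.allowlisted:
        return KNOWN_GOOD
    if ind.externally_remediated or ind.required_action in ind.completed:
        return REMEDIATED
    return ind.score


def complete_action(ind: Indicator, action: Action) -> int:
    """Record a finished Host Sensor action and return the resulting score.

    Only the action required for the indicator type remediates it. Finishing a
    different possible action (e.g. Sandbox File on a file indicator, or
    Quarantine File on a registry indicator) leaves the score unchanged.
    """
    ind.completed.add(action)
    return effective_score(ind)


def apply_sandbox_verdict(ind: Indicator, malicious: bool, malicious_score: int = 8) -> int:
    """APT Blocker result: a malicious verdict raises the engine score to an
    assumed value; a clean verdict leaves it alone. Returns the effective score."""
    if malicious:
        ind.score = max(ind.score, malicious_score)
    return effective_score(ind)


def policy_allows_remediation(ind: Indicator, threshold: int = 7) -> bool:
    """Assumed Remediation policy shape: automatically allow the required action
    once the effective score reaches the threshold. Allowlisted (0) and already
    remediated (1) indicators never qualify."""
    return effective_score(ind) >= threshold


def demo() -> dict:
    # Constructed sample indicators; names and engine scores are illustrative only.
    unknown_file = Indicator("dropper.exe", score=5, required_action=Action.QUARANTINE_FILE)
    reg_value = Indicator(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
                          score=6, required_action=Action.DELETE_REGISTRY_VALUE)
    safe_tool = Indicator("psexec.exe", score=6, required_action=Action.QUARANTINE_FILE)

    out = {}
    # 1. Sandbox File alone does not remediate; a malicious verdict lifts the
    #    score over the policy line, after which Quarantine File drops it to 1.
    complete_action(unknown_file, Action.SANDBOX_FILE)
    out["after_sandbox_request"] = effective_score(unknown_file)
    out["policy_before_verdict"] = policy_allows_remediation(unknown_file)
    apply_sandbox_verdict(unknown_file, malicious=True)
    out["policy_after_verdict"] = policy_allows_remediation(unknown_file)
    out["after_quarantine"] = complete_action(unknown_file, Action.QUARANTINE_FILE)

    # 2. Registry indicator: Quarantine File is not its required action, so the
    #    score stays; marking it externally remediated gives 1.
    complete_action(reg_value, Action.QUARANTINE_FILE)
    out["registry_wrong_action"] = effective_score(reg_value)
    reg_value.externally_remediated = True
    out["registry_external"] = effective_score(reg_value)

    # 3. Allowlist: score becomes 0 (Known Good) and the policy never fires.
    safe_tool.allowlisted = True
    out["allowlisted"] = effective_score(safe_tool)
    out["allowlisted_policy"] = policy_allows_remediation(safe_tool)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the module directly to see the three walk-throughs: the file indicator sits at 5 until the sandbox verdict pushes it to 8 and the policy fires, then Quarantine File takes it to 1; the registry indicator ignores Quarantine File and only reaches 1 when marked externally remediated; the allowlisted tool reads 0 and is never a candidate for automatic remediation.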
We recommend that you configure a combination of Sandbox and Remediation policies. Your TDR account includes default policies that are configured with recommended settings. For more information, see Recommended TDR Policies.