Contents

TDR Remediation Actions and Threat Scores

When a TDR Host Sensor identifies a threat, the ThreatSync analytics engine assigns a Threat Score. To reduce the Threat Score, you can allow a Host Sensor to execute a remediation action. Or, if the indicator is for a file or process you consider safe, you can add it to the Whitelist.

  • If you add an indicator to the Whitelist, ThreatSync changes the indicator score to 0 (Known Good).
  • If a Host Sensor completes the action required to remediate an indicator, ThreatSync changes the indicator score to 1 (Remediated).

Remediation Actions

To remediate each indicator type, the Host Sensor must complete a specific action.

Indicator type Possible Actions Action Required to Remediate
File Quarantine File
Kill Process
Quarantine File
Process Quarantine File
Kill Process
Quarantine File
Registry Quarantine File
Kill Process
Delete Registry Value
Delete Registry Value
Host Ransomware Prevention Quarantine File
Kill Process
Quarantine File

You can also select the Mark as externally remediated action for an indicator if you have taken some other action to remediate the threat. When an indicator is marked as externally remediated, ThreatSync changes the threat score to 1.

You can see remediated indicators on the Remediations page. For more information, see Monitor TDR Remediations.

The Sandbox File Action

If the Host Sensor detects suspicious files that do not match a known threat, it requests the Sandbox File action. The Sandbox File action allows Host Sensors to upload suspicious files to a secure sandbox for APT Blocker analysis. Based on the result of the analysis, ThreatSync can increase the score of an indicator so that configured Remediation polices can automatically allow the remediation action. For more information, see TDR Sandbox Analysis by APT Blocker.

We recommend that you configure a combination of Sandbox and Remediation policies. Your TDR account includes default policies that are configured with recommended settings. For more information, see Recommended TDR Policies.

See Also

About TDR Threat Scores

Manage TDR Indicators

Monitor TDR Remediations

Configure TDR Policies

Give Us Feedback  ●   Get Support  ●   All Product Documentation  ●   Technical Search