Configuring incidents

  • When protection against certain threats is enabled, it systematically generates incidents during an attack. This applies in particular to process hollowing, execution flow hijacking and heap spraying, among others. In addition, protection rules are configured by default to generate incidents when actions are blocked, and also during suspected attacks that are not severe enough to be blocked. For more information, see the section Managing vulnerability exploitation.
  • In the detailed context of incidents, the size, perimeter, type and frequency of reporting to the agent handler can be configured for each individual agent group. For further information, refer to the section Configuring detailed incidents generated by agents.