The admin or IR creates rules built from indicators to track suspicious security events on host computers. These indicators may relate to system processes, files, IP addresses, registry keys or many other attributes. When you create a rule, you define the conditions that must be met for the selected indicators. After the rule is saved and applied, whenever the activity on any endpoint matches the indicators given in any rule, an alert is generated and displayed on the Seqrite HawkkHunt console. An endpoint can have more than one alert, and the same alert can be generated on multiple endpoints. An admin or IR may create and apply multiple rules, thereby producing many alerts for a single host. A host may accumulate a number of alerts, each of high, medium or low severity.
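The rule-matching model this paragraph describes, sketched as an added example; it is not HawkkHunt's own code, and the indicator names, rules, severities and endpoint events below are constructed for illustration only:

```python
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Rule:
    name: str
    severity: str          # "high", "medium" or "low"
    conditions: dict       # indicator name -> required value; all must hold

@dataclass(frozen=True)
class Alert:
    endpoint: str
    rule: str
    severity: str

def matches(rule, event):
    """A rule fires only when every one of its indicator conditions is met."""
    return all(event.get(ind) == val for ind, val in rule.conditions.items())

def evaluate(rules, events):
    """One Alert per (event, matching rule); a single host may collect several."""
    return [Alert(ev["endpoint"], r.name, r.severity)
            for ev in events for r in rules if matches(r, ev)]

def alerts_per_host(alerts):
    """Group alerts by endpoint, most severe first."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a.endpoint, []).append(a)
    for host in grouped:
        grouped[host].sort(key=lambda a: SEVERITY_RANK[a.severity], reverse=True)
    return grouped

# Constructed rules with hypothetical indicators (not product-defined ones).
RULES = [
    Rule("office-spawns-shell", "high", {"process": "powershell.exe", "parent": "winword.exe"}),
    Rule("run-key-persistence", "medium", {"registry_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"}),
    Rule("contact-flagged-ip", "low", {"dest_ip": "203.0.113.7"}),  # TEST-NET address, constructed
]

# Constructed endpoint telemetry: host-A trips two rules, host-B trips one of the same rules.
EVENTS = [
    {"endpoint": "host-A", "process": "powershell.exe", "parent": "winword.exe"},
    {"endpoint": "host-A", "process": "reg.exe", "registry_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"endpoint": "host-B", "process": "powershell.exe", "parent": "winword.exe"},
    {"endpoint": "host-B", "process": "chrome.exe", "dest_ip": "198.51.100.20"},  # matches no rule
]

if __name__ == "__main__":
    for host, alerts in alerts_per_host(evaluate(RULES, EVENTS)).items():
        print(host, [(a.rule, a.severity) for a in alerts])
```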
The system can also generate Behavior Anomaly Alerts. Using AI and machine learning, it builds models of typical behavior for each endpoint and raises an alert whenever an anomaly, such as an outlier process on an endpoint, is detected.
Furthermore, third-party systems such as firewalls and e-mail platforms may also generate alerts based on their own detection algorithms or behavior-anomaly analysis.