Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products

How To Manage Dell Threat Defense

Summary: This article contains information about how to manage Dell Threat Defense.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.

Symptoms

Note:

The Dell Threat Defense console is responsible for the management of policies, threats, builds, and organization of an environment’s Dell Threat Defense deployment.

The environment requires an active subscription for access. For further information about how to obtain a subscription, reference the Dell Threat Defense product page.

Upon purchase of Dell Threat Defense, an email with login information to the Threat Defense console is sent out to the purchaser. The console sites for Dell Threat Defense are:


Affected Products:

Dell Threat Defense


Cause

Not applicable.

Resolution

The Threat Defense console is divided into six sections:

  • Dashboard
  • Protection
  • Zones
  • Devices
  • Reports
  • Settings

Click a section for more information.

The Dashboard displays on login to the Dell Threat Defense console. The Dashboard provides an overview of threats in the environment and provides access to different console information from one page.

Dashboard

Threat Statistics

Threat Statistics provide the number of threats that are found within the Last 24 Hours and the Total for your organization. Clicking a Threat Statistic takes you to the Protection page and displays the list of threats that are related to that statistic.

  • Running Threats: Files that are identified as threats that are currently running on devices in your organization.
  • Auto-Run Threats: Threats that are set to run automatically.
  • Quarantined Threats: Threats that are quarantined within the last 24 hours and the total.
  • Unique to Cylance: Threats that are identified by Cylance but not by other anti-virus sources.

Protection Percentages displays an overview for Threat Protection and Device Protection.

Threat Protection

  • Threat Protection: The percentage of threats you have taken action on (Quarantine, Global Quarantine, Waive, and Safe Lists).

Device Protection

  • Device Protection: The percentage of devices associated with a policy that has Auto-Quarantine enabled.

Threats by Priority displays the total number of threats that require an action (Quarantine, Global Quarantine, Waive, and Safe Lists). The threats are grouped by priority (High, Medium, and Low).

Threats by Priority

A threat is classified as Low, Medium, or High based on the number of the following attributes it has:

  • The file has a Cylance score greater than 80.
  • The file is currently running.
  • The file has been run previously.
  • The file is set to auto run.
  • The priority of the zone where the threat was found.

Threat classifications

Threat Events displays a line graph with the number of threats that are discovered over the last 30 days. Lines are color coded for Unsafe, Abnormal, Quarantined, Waived, and Cleared files.

Threat Events

Threat Classifications displays a heat map of threat types that are found in an environment. Clicking an item jumps the administrator to the Protection section and displays a list of threats of that type.

Threat Classifications

Top Five Lists display Unsafe Threats in an environment that have not been acted upon. Most of the time these lists should be empty.

Top Five Lists

The Protection section is used to evaluate and manage threats affecting devices using Dell Threat Defense. Select the appropriate step below for more information.

Protection

The Dell Threat Defense console provides an in-depth evaluation on "unsafe" or "abnormal" files to help administrators properly mitigate threats in their environment.

To evaluate a file:

  1. In the console, click the Protection tab.

Protection

  1. Under Protection, click a threat to obtain more information.

Evaluating threat stats

Cylance Score: A score of 1 (limited) -100 (high) is assigned by Cylance based on threat attributes.

Quarantined by users in [Tenant]: What actions on file have been taken by users within the environment (Tenant).

Quarantined by all Cylance users: What actions on the file have been taken by users within all Cylance environments.

Classification: General identification of file/threat.

Threat timestamp

First Found: When the file was first found in the environment

Last Found: When the file was last found in the environment

Threat Actions

Global Quarantine: Adds a file to the global quarantine list for the environment. Any time the file appears on a device it will automatically be quarantined in the \q folder.

Safe: Adds a file to the safe list for an environment. If a file is currently quarantined, it will automatically place it back in its original location.

SHA256: The 256 cryptographic hash used to identify the file/threat. An administrator can click the hash to perform a Google search of known occurrences.

MD5: The 128 cryptographic hash used to identify the file/threat. An administrator can click the hash to perform a Google search of known occurrences.

Note: A file/threat may have only known SHA256 or MD5 occurrences. Both are listed to ensure that a comprehensive view is given on the file/threat.

Download File: Allows an administrator to download the file for further evaluation and testing.

Threat Confidence Levels

Cylance Score: A score of 1 (limited) -100 (high) is assigned by Cylance based on threat attributes.

AV Industry: Determines if third-party anti-virus engines identify the file as a threat by checking the virustotal.com index.

Search Google: Searches Google for the hashes and filename for more information about the file/threat.

There may be files that are incorrectly identified as threats within an environment. Administrators can add them to the global safe list to prevent them from being quarantined. Any file that is quarantined before being safe-listed returns to its original location.

Note: Before safe listing an item, it is highly recommended to evaluate a threat.

To safe list a file:

  1. In the console, click the Protection tab.

Protection

  1. Under Protection, check the threat to be safe-listed and then click Safe.

Safe

  1. From the Action Confirmation pop-up, select a file Category from the drop-down menu. This helps with file/threat classification.

Action Confirmation

  1. Populate a Reason for the safe-listing. This provides visibility across the environment.
  2. Click Yes to confirm safe-listing.
Note:
  • Previous safe-listed items can be reviewed and modified at any time under the Settings > Global List section of the Dell Threat Defense console.
  • Files can be safe-listed at the global, policy, or device level. In our example, we safe-listed at the global level.

An administrator may proactively quarantine a file from targeting their devices by adding it to the global quarantine list.

To globally quarantine a file:

  1. In the console, click the Protection tab.

Protection

  1. Under Protection, check the threat to be safe-listed and then click Global Quarantine.

Global Quarantine

  1. In the Action Confirmation pop-up, populate the Reason for the quarantine. This helps provide visibility to other administrators and zone managers.
  2. Click Yes to confirm Global Quarantine.
Note:
  • Previous quarantine items can be reviewed and modified at any time under the Settings > Global List section of the Dell Threat Defense console.
  • Files can be safe-listed at the global or device level. In our example, we quarantined at the global level.

Zones are used to create containers responsible for the management and organization of devices. For more information, reference How to Manage Zones in Dell Threat Defense.

Zones

The Devices section is used to add, manage, and report on devices (agents) within an environment using Dell Threat Defense. The most common actions in this section are Downloading the Installer, Obtaining an Installation Token, Enabling Verbose Logging, and Removing a Device. Click the appropriate step for more information.

Devices

The Dell Threat Defense installer is available directly within the tenant. For steps on how to download Dell Threat Defense, reference How to Download Dell Threat Defense.

In order to install Dell Threat Defense on a device, a valid installation token must be obtained from tenant. For steps on how to obtain an installation token, reference How to Obtain an Installation Token for Dell Threat Defense.

By default, devices contain limited logging for Dell Threat Defense. It is highly recommended to enable verbose logging on a device before troubleshooting or contacting Dell Data Security ProSupport. For more information, reference Dell Data Security International Support Phone Numbers. For more information about how to enable verbose logging, reference How to Enable Verbose Logging in Dell Threat Defense.

Devices are not automatically removed from the Dell Threat Defense console during uninstall. An administrator must manually remove the device from the tenant console. For more information, reference How to Remove a Device from the Dell Threat Defense Administration Console.

The Reports offer Summary and Detail reports to provide overviews and details that are related to devices and threats in an organization.

Reports display threats in an event-based manner. An event represents an individual instance of a threat. For example, if a particular file (specific hash) is located in three different folder locations on the same device, the threat event count will equal 3. Other areas of the Console, such as the Threat Protection page, may display threat counts for a particular file based on the number of devices on which the file is found, regardless of how many instances of the file are present on any given device. For example, if a particular file (specific hash) is located in three different folder locations on the same device, the threat count will equal 1.

Reporting data is refreshed approximately every three minutes. Click Threat Defense Overview, Threat Event Summary, Device Summary, Threat Events, or Devices for more information.

Reports

Provides an executive summary of an organization’s Dell Threat Defense usage, from the number of zones and devices, to the percentage of devices covered by Auto-Quarantine, Threat Events, Agent versions, and Offline Days for devices.

Threat Defense Overview

Zones: Displays the number of zones in the organization.

Devices: Displays the number of devices in the organization. A device is an endpoint with a registered Threat Defense Agent.

Policies: Displays the number of policies that are created in the organization.

Files Analyzed: Displays the number of files analyzed in the organization (across all devices in the organization).

Threat Events

Threat Events: Displays a bar chart with Unsafe, Abnormal, and Quarantined threat events, grouped by day, for the last 30 days. Hovering over a bar in the chart displays the total number of threat events that are reported on that day.

Threats are grouped by the Reported On date, which is when the Console received information from the device about a threat. The Reported On date may differ from the actual event date if the device was not online at the time of the event.

Devices - Dell Threat Defense Agent Versions

Devices - Dell Threat Defense Agent Versions: Displays a bar chart representing the number of devices running a Threat Defense Agent version. Hovering over a bar in the chart displays the number of devices running that specific Threat Defense Agent version.

Offline Days

Offline Days: Displays the number of devices that have been Offline for a range of days (from 0-15 days, up to 61+ days). Also displays a bar chart color-coded with each range of days.

Auto-quarantine coverage

Devices - Dell Threat Defense Agent Versions: Displays a bar chart representing the number of devices running a Threat Defense Agent version. Hovering over a bar in the chart displays the number of devices running that specific Threat Defense Agent version.

The Threat Event Summary Report shows the quantity of files that are identified in two of Cylance’s threat classifications: malware and PUPs (potentially unwanted programs) and includes a breakdown to specific subcategory classifications for each family. In addition, the Top 10 lists File Owners and Devices with Threats display threat event counts for the Malware, PUPs, and Dual Use threat-families.

Threat Event Summary

Total Malware Events: Displays the total number of malware events that are identified in the organization.

Total PUPs Events: Displays the total number of PUP events that are identified in the organization.

Unsafe/Abnormal Malware Events: Displays the total number of Unsafe and Abnormal malware events that are found in the organization.

Unsafe/Abnormal PUP Events: Displays the total number of Unsafe and Abnormal PUP events that are found in the organization.

Malware Event Classifications

Malware Event Classifications: Displays a bar chart with each type of malware classification for threat events that are found on devices in the organization. Hovering over a bar in the chart displays the total number of malware events that are found for that classification.

PUP Event Classifications

PUP Event Classifications: Displays a bar chart with each type of Potentially Unwanted Program (PUP) classification for threat events that are found on devices in the organization. Hovering over a bar in the chart displays the total number of PUP events that are found for that classification.

Top 10 File Owners with the Most Threat Events

Top 10 File Owners with the Most Threat Events: Displays a list of the top 10 file owners who have the most threat events. This widget displays events from all Cylance file-based threat families, not just Malware or PUP events.

Top 10 Devices with the Most Threat Events

Top 10 Devices with the Most Threat Events: Displays a list of the top 10 devices that have the most threat events. This widget displays events from all Cylance file-based threat families, not just Malware or PUP events.

The Device Summary Report shows multiple device-centric measures of importance. Auto-Quarantine Coverage reveals threat prevention coverage and can be used to show progress. Devices - Threat Defense Version Stats can identify older Threat Defense Agents. Offline Days may indicate devices that are no longer checking in to the Threat Defense Console and are candidates for removal.

Total Devices

Total Devices: Displays the total number of devices in the organization. A device is an endpoint with a registered Threat Defense Agent.

Auto-quarantine Coverage

Auto-Quarantine Coverage: Displays the number of devices with a policy that has both Unsafe and Abnormal selected for Auto-Quarantine; these devices are considered Enabled. Disabled devices are assigned to a policy that has one or both of these options disabled. The pie chart displays the percentage of devices that are assigned to a policy with Auto-Quarantine disabled for Unsafe, Abnormal, or both.

Devices - Dell Threat Defense Agent Versions

Devices - Dell Threat Defense Agent Versions: Displays a bar chart representing the number of devices running a Threat Defense Agent version. Hovering over a bar in the chart displays the number of devices running that specific Threat Defense Agent version.

Offline Days

Offline Days: Displays the number of devices that have been Offline for a range of days (from 0-15 days, up to 61+ days). Also displays a bar chart color-coded with each range of days.

The Threat Events Report provides data for threat events that are found in the organization. Threats are grouped by the Reported On date, which is when the Console received information from the device about a threat. The Reported On date may differ from the actual event date if the device was not online at the time of the event.

# of Threat Events

# of Threat Events: Displays a bar chart displaying threat events reported in the organization. Hovering over a bar in the chart displays the total number of threat events that are reported on that day. The bar chart displays the last 30 days.

Threat Events Table: Displays threat event information.

The Device Report shows you how many devices you have for an operating system family (Windows, and macOS).

Devices

# of Devices by OS: Displays a bar chart with devices that are organized by major operating system groups (Windows and macOS). Hovering over a bar in the chart displays the total number of devices in that operating system group.

Devices Table: Displays a list of device names, and device information, for devices in the organization.

The Settings section is used to manage device policies, console access, configure updates, and generate audit reports. The most common actions in this section are Adding an Uninstall Password, Adding Console Users, Adding Device Policy, Generating Reports, and Configuring Updates. Click the appropriate step for more information.

Settings

As an added layer of security, a Dell Threat Defense administrator can force Threat Defense device’s to require a password to uninstall the application. For more information, reference How to Add or Remove an Uninstall Password in Dell Threat Defense.

The base configuration only has the initial purchaser listed as an administrator to the Dell Threat Defense console. For more information, reference How to Add Users to the Dell Threat Defense Administration Console.

Device policies are essential in the functionality of Dell Threat Defense. The base configuration has advanced threat prevention features turned off in the "default" policy. It is important to modify the "default" policy or create a new policy before deploying Threat Defense. For more information, reference How to Modify Policies in Dell Threat Defense.

The Dell Threat Defense console offers an easy way to generate a report on the status of threats in an environment. For more information, reference How to Generate Reports in Dell Threat Defense.

The base configuration for the Dell Threat Defense console automatically updates devices to the latest build. A Threat Defense Administrator can optionally deploy builds to test and pilot zones before production. For more information, reference How to Configure Updates in Dell Threat Defense.


To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

 

Affected Products

Dell Encryption, Dell Threat Defense
Article Properties
Article Number: 000126398
Article Type: Solution
Last Modified: 19 Dec 2022
Version:  10
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.