Learn why we close Investigations and Expel Alerts, and how we categorize Incidents. You may also download a PDF version of this page.

Reason to Close (Investigations or Expel Alerts)

There are several reasons why we may close an Investigation or Expel Alert. The specific options you see in the dropdown menu will vary depending on your location within Workbench.

Reason Meaning
PUP/PUA
  • Non-malicious files were identified as PUP/PUA at the time of the alert.
  • We only categorize as PUP/PUA if two or more of the following vendors identify it as such: Microsoft, Sophos, F-Secure, McAfee, Malwarebytes, Kaspersky, Symantec, McAfee-GW-Edition, BitDefender.
  • If fewer than two of those vendors indicate this categorization, the file is closed as a possible policy violation.
Possible policy violation
    Could be any of the following:
  • Unauthorized activity that you are aware of and may have fixed/reverted (e.g. an engineer accidentally makes a resource publicly viewable, but the security team works with them to fix it).
  • A non-malicious file NOT identified as PUP/PUA.
  • Verified VPN activity, based on source/destination IP or other parts of the alert (e.g. the activity involves the SurfShark VPN binary).
  • Piracy, pornography, or a productivity-impacting activity.
Testing
  • Verified internal testing activity.
Attack failed
  • An attacker made an attempt, but no compromise occurred.

    You may be advised to take additional steps to mitigate any risk posed by the failed attack, or the attack could be considered "normal" enough (e.g. web scanning) that we do not recommend any additional steps.

IT misconfiguration
  • Verified non-malicious activity was triggered by an IT issue, such as failed login attempts after an automated password change process.
Benign
  • A signature fired on the specific point-in-time activity it was looking for (e.g. a webshell request or PsExec activity), but the context of the activity does not represent a threat.

    Most behavioral signatures will fall into this category.
False positive
  • The logic and intent of the signature did not align, and the signature needs to be reworked.

    Examples include a login flagged as outside of the US, but the IP address is geolocated to Kentucky; or a binary flagged as malware, but the binary is a signature file.
Other
  • Any reason that does not fit into the other categories.

    In most cases, a specific close reason is added by an analyst.
Inconclusive
  • You are unable to make a strong call one way or the other because you lack sufficient evidence.
Phishing Simulation
  • The alert or investigation was a confirmed phishing simulation.

    This reason is unique to the Managed Phishing service.
Suppressed
  • The alert has been automatically suppressed because it is a known benign issue.
Suppressed Manual
  • The alert has been manually suppressed because it is a known benign issue.
Suppressed New Device
  • The device is being tuned and is currently suppressed while the tuning process completes.
Suppressed Threshold Exceeded
  • The alert has been auto-closed because you have reached the threshold of alerts that can be associated with the investigation.
True Positive
  • The investigation or incident has been confirmed by you as true malicious activity or a valid threat.
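The PUP/PUA row above is the one close reason with a mechanical rule: count how many of nine named vendors flag the file, and require at least two. The helper below is an added example, not Expel's or Workbench's own code; the vendor list and threshold come from the table, while the verdict-label substrings it matches on and the sample verdicts are constructed for the demo (real vendor label formats differ).

```python
"""Apply the PUP/PUA close-reason rule from the table above.

Added example, not Expel's own code: Workbench does not expose this logic.
The helper takes multi-vendor verdicts for a file already judged
non-malicious and returns the close reason the rule implies.
"""
from typing import List, Mapping, Optional

# The nine vendors the rule counts, exactly as listed in the table.
# "McAfee" and "McAfee-GW-Edition" are separate entries and each counts once.
PUP_VENDORS = frozenset({
    "Microsoft", "Sophos", "F-Secure", "McAfee", "Malwarebytes",
    "Kaspersky", "Symantec", "McAfee-GW-Edition", "BitDefender",
})
PUP_THRESHOLD = 2

# Assumption for this example: a verdict string containing one of these
# markers is treated as a PUP/PUA classification. Tune for real label formats.
PUP_MARKERS = ("pup", "pua", "potentially unwanted", "riskware", "adware")


def vendor_says_pup(verdict: Optional[str]) -> bool:
    """True if a single vendor's verdict string reads as PUP/PUA."""
    if not verdict:
        return False  # no verdict (None or empty) never counts as a vote
    label = verdict.lower()
    return any(marker in label for marker in PUP_MARKERS)


def pup_vendor_votes(verdicts: Mapping[str, Optional[str]]) -> List[str]:
    """Return the counted vendors (members of PUP_VENDORS only) that flag PUP/PUA."""
    return sorted(vendor for vendor, label in verdicts.items()
                  if vendor in PUP_VENDORS and vendor_says_pup(label))


def close_reason_for_file(verdicts: Mapping[str, Optional[str]]) -> str:
    """Choose between the two close reasons the rule distinguishes.

    Two or more counted vendors -> "PUP/PUA"; otherwise the (non-malicious)
    file is closed as "Possible policy violation". Vendors outside
    PUP_VENDORS never count toward the threshold, however they label the file.
    """
    if len(pup_vendor_votes(verdicts)) >= PUP_THRESHOLD:
        return "PUP/PUA"
    return "Possible policy violation"


# Constructed sample verdicts: hypothetical labels, not real scanner output.
SAMPLE_PUP = {
    "Microsoft": "PUA:Win32/Example",
    "Sophos": "Generic PUA AB",
    "ClamAV": "Win.Tool.Example",      # not on the list: never counted
}
SAMPLE_ONE_VOTE = {
    "Kaspersky": "not-a-virus:HEUR:AdWare.Win32.Example",
    "ESET": "potentially unwanted application",  # not on the list
    "McAfee": None,                               # listed vendor, no verdict
}

if __name__ == "__main__":
    print(close_reason_for_file(SAMPLE_PUP))       # PUP/PUA
    print(close_reason_for_file(SAMPLE_ONE_VOTE))  # Possible policy violation
```

The second sample is the case the table's last bullet is about: one listed vendor plus one unlisted vendor do not meet the threshold, so the file falls through to "Possible policy violation" even though two engines called it unwanted.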

Suspected Threat Type (Incidents)

The threat type indicates the type of activity that was observed for an Incident.

Type Meaning
Targeted
  • The activity displays qualities of being targeted to your environment.
Non-targeted
  • The activity displays non-targeted qualities.
Policy violation
  • The activity indicates risky, user-driven behavior such as cryptocurrency mining or piracy.
Unknown
  • The activity is from an unknown threat at the time of promotion.

    This status is subject to change during an investigation.
Business email compromise (BEC)
  • The activity indicates a compromise of a business email account where the password was compromised, login was successful, and actions were successfully taken on a target.

    This status is only used in situations where we can definitively confirm the threat vector was a phishing email and/or there was malicious activity observed within the email account.
Non-targeted commodity malware
  • The activity displays non-targeted commodity malware qualities.
Red team
  • The activity is explicitly confirmed to be associated with red team engagement.
Credential theft
  • A password was stolen via credential harvesters, but the login was not successful and no actions were taken on the target (due to being blocked by MFA or conditional access).
Account compromise
  • A password was compromised, and login was successful.

    This status is used when we cannot identify the threat vector/origin for a phishing email, or when the malicious activity is in your inbox or email account.
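The three email-account rows (Business email compromise, Credential theft, Account compromise) differ on whether the login succeeded, whether actions were taken on the target, and whether the phishing vector was definitively confirmed. The function below is an added example, not Expel's own code, that encodes those distinctions as one decision over four analyst-established facts; the reading that a confirmed phishing vector is what separates BEC from Account compromise is an assumption taken from the two notes above, and the findings record type is constructed for the demo.

```python
"""Classify an email-account incident into the threat types defined above.

Added example, not Expel's own code. Encodes the table's distinctions
between Credential theft, Account compromise and BEC.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EmailAccountFindings:
    """Constructed record of what the investigation established (hypothetical type)."""
    password_compromised: bool       # credentials harvested or otherwise stolen
    login_successful: bool           # attacker authenticated (not blocked by MFA/CA)
    actions_on_target: bool          # attacker acted inside the account after login
    vector_confirmed_phishing: bool  # vector definitively confirmed as a phishing email


def findings_are_consistent(f: EmailAccountFindings) -> bool:
    """Reject combinations the table's definitions rule out.

    Actions on the target presuppose a successful login, and a successful
    login presupposes a compromised password.
    """
    if f.actions_on_target and not f.login_successful:
        return False
    if f.login_successful and not f.password_compromised:
        return False
    return True


def email_threat_type(f: EmailAccountFindings) -> str:
    """Return the suspected threat type, or "Unknown" if nothing is established.

    Assumption for this example: a confirmed phishing vector is the condition
    that separates BEC from Account compromise, since the table reserves BEC
    for cases where the vector is definitively confirmed and uses Account
    compromise when the vector/origin cannot be identified.
    """
    if not findings_are_consistent(f):
        raise ValueError(f"inconsistent findings: {f}")
    if not f.password_compromised:
        return "Unknown"
    if not f.login_successful:
        # Password stolen, but MFA or conditional access stopped the login.
        return "Credential theft"
    if f.actions_on_target and f.vector_confirmed_phishing:
        return "Business email compromise (BEC)"
    # Login succeeded but either no actions were taken or the vector is unconfirmed.
    return "Account compromise"


if __name__ == "__main__":
    blocked = EmailAccountFindings(True, False, False, True)
    print(email_threat_type(blocked))  # Credential theft
    full_bec = EmailAccountFindings(True, True, True, True)
    print(email_threat_type(full_bec))  # Business email compromise (BEC)
```

The "Unknown" fallthrough matches the Unknown row earlier in the table: before the password compromise itself is established, the record cannot support any of the three email-specific types.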

Suspected Attack Vector (Incidents)

The attack vector indicates the vector of compromise identified for an Incident (meaning, what allowed the malware or actor into the environment).

Vector Meaning
Drive-By download
  • The vector of compromise is a malicious download that occurred while visiting a malicious or compromised website.
Phishing
  • The vector of compromise is phishing activity.
Phishing - link
  • The vector of compromise is specifically a phishing link.
Phishing - attachment
  • The vector of compromise is specifically a phishing attachment.
Removable media
  • The vector of compromise is some type of removable media (like an infected USB drive).
Spear phishing
  • The vector of compromise is a targeted fraudulent email impersonating a trusted source.
Spear phishing - link
  • The vector of compromise is specifically a link in a fraudulent email impersonating a trusted source.
Spear phishing - attachment
  • The vector of compromise is specifically an attachment in a fraudulent email impersonating a trusted source.
Strategic web compromise
  • The vector of compromise is a watering-hole attack via an infected, trusted website.
Server-side vulnerability
  • The vector of compromise is a software infrastructure attack via a server.
Credential theft
  • The vector of compromise is theft of credentials.
Misconfiguration
  • The vector of compromise is an improperly secured resource that was left unintentionally exposed.
Unknown
  • The vector of compromise is unknown.

Suspected Attack Lifecycle (Incidents)

The attack lifecycle helps contextualize an Incident within the Cyber Kill Chain and MITRE ATT&CK frameworks. See About Detection Strategy for more information about these frameworks.

Stage Meaning
Initial recon
  • The attack occurred during the Cyber Kill Chain's Reconnaissance stage.
Delivery
  • The attack occurred during the Cyber Kill Chain's Delivery stage.
Exploitation
  • The attack occurred during the Cyber Kill Chain's Exploitation stage.
Installation
  • The attack occurred during the Cyber Kill Chain's Installation stage.
Command & control (C2)
  • The attack occurred during the Cyber Kill Chain's Command & Control stage.
Lateral movement
  • The attack indicates Lateral Movement, per the MITRE ATT&CK framework.
Actions on targets
  • The attack occurred during the Cyber Kill Chain's Actions on Objectives stage.
Unknown
  • The stage of the attack is unknown.