Building file prevalence using Observe mode

Build file prevalence to determine how often files are seen in your environment.

You can see what is running in your environment and add file and certificate reputation information to the TIE server database. This information also populates the graphs and dashboards available in the module where you view detailed reputation information about files and certificates.

To get started, create one or more Adaptive Threat Protection policies to run on a few systems in your environment. The policies determine:

  • When a file or certificate with a specific reputation is allowed to run on a system
  • When a file or certificate is blocked
  • When an application is contained
  • When the user is prompted for what to do
  • When a file is submitted to Advanced Threat Defense for further analysis

While building file prevalence, you can enable Observe mode on client systems. File and certificate reputations are added to the database, and Would Block, Would Clean, and Would Contain events are generated, but no action is taken. These events show what Adaptive Threat Protection would block, allow, or contain if the settings were enforced.