Navigating Protection Workspace console

The Protection Workspace provides a visual representation of threat incidents in your environment and device compliance data, all from a single dashboard using several panes. You can quickly identify threats detected in the environment and seamlessly navigate to any impacted device to remediate the threat.

Protection Workspace bar

The Protection Workspace bar displays these details.

  • Devices — Total number of devices tracked by the McAfee ePO server. Systems that have never communicated with McAfee ePO are not included in the count.
  • Escalations — Total number of devices that are tagged as escalated. Select a device to view Escalated Devices. A system is escalated if more than 5 threats are detected in 24 hours.
  • Update — Data on the back end is automatically refreshed every 60 seconds, and the interface is automatically refreshed every 5 minutes. Click the refresh button to manually redisplay the Protection Workspace with the latest updates.
  • Settings — Use to adjust the Security Content Color Thresholds and Check-In Failure Color Thresholds to customize the security levels for your environment.

Data Protection Overview pane

The Data Protection Overview pane displays these details.

  • Critical Incidents — Total number of data protection incidents with critical severity for the selected time period. The arrow indicates the trend. Select the value to see incident details.
  • Major Incidents — Total number of data protection incidents with major severity for the selected time period. The arrow indicates the trend. Select the value to see incident details.
  • Other Incidents — Total number of other data protection incidents for the selected time period. The arrow indicates the trend. Select the value to see incident details.

You can click the number or the type of incidents to see the list of incidents in the Protection Overview page. The page is divided into several parts to make incidents easier to manage:

  • Filter By — Filter incidents by their severity, status, resolution, the incident type, the user who triggered the incident, the classification criteria that are identified when a rule is triggered, the user logged in when the incident was generated, and the rule set.
  • Incidents — View all incidents, the details of individual incidents, and search for an incident.
  • Incident Details — View details about an individual incident and change its status, severity, resolution, or assign a reviewer. You can further manage incidents from the additional panes that open to the right of the Incident Details pane when you click to take an action.

Threat Overview pane

The Threat Overview pane displays these details.

  • Escalated Devices — Total number of devices that received a threat over the past 7 days. A system is escalated if 5 or more threats are detected in 24 hours.
  • Resolved Threats — Total number of threats that were resolved in the past 7 days.
      • Basic — Detected by products like McAfee VirusScan Enterprise, McAfee® Endpoint Security Threat Prevention, and Microsoft Windows Defender.
      • Advanced — Detected by products with advanced detection techniques like McAfee® MVISION Endpoint and McAfee® Endpoint Security Adaptive Threat Protection (ATP).
  • Unresolved Threats — Total daily count of unresolved threats. The arrow indicates the trend over the past 7 days.
  • Report Only Detections — Total and daily counts of report-only detections over the past 7 days. The arrow indicates the trend. Select the value to open the details for total or daily threat events.
  • Encryption Events — Total number of encryption events with critical and major severity over the past 7 days. The arrow indicates the trend. Select the value to open the details for total or daily threat events.
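The escalation rule behind the Escalated Devices count (5 or more threats on one device within 24 hours; the Protection Workspace bar states it as more than 5) is a sliding-window count over per-device threat events. The Python below is an added example, not McAfee or ePO code: the event layout, device names and timestamps are constructed for illustration, and the threshold is a parameter so either reading of the rule can be applied.

```python
"""Sliding-window escalation check (added example; not McAfee or ePO code).

Assumptions not stated on the page: each threat event carries a device id and
a UTC timestamp, and threats are counted per device.  The threshold defaults
to 5 ("5 or more"); pass threshold=6 for the "more than 5" reading.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample threat events: (device id, detection time, UTC)
SAMPLE_EVENTS = [
    ("WS-001", "2024-07-19T08:00:00"),
    ("WS-001", "2024-07-19T09:30:00"),
    ("WS-001", "2024-07-19T11:00:00"),
    ("WS-001", "2024-07-19T14:15:00"),
    ("WS-001", "2024-07-19T20:45:00"),   # fifth detection inside 24 hours
    ("WS-002", "2024-07-12T10:00:00"),
    ("WS-002", "2024-07-13T10:00:00"),
    ("WS-002", "2024-07-14T10:00:00"),
    ("WS-002", "2024-07-15T10:00:00"),
    ("WS-002", "2024-07-16T10:00:00"),   # five detections, but spread over 5 days
    ("WS-003", "2024-07-18T23:00:00"),
    ("WS-003", "2024-07-19T22:59:00"),
]


def escalated_devices(events, threshold=5, window=timedelta(hours=24)):
    """Return the set of device ids whose detection count reaches `threshold`
    inside any window of length `window`.

    Events are grouped per device and sorted; a two-pointer scan keeps the
    window [times[start], times[end]] no wider than `window`, so the cost is
    O(n log n) for the sort plus O(n) for the scan.
    """
    by_device = defaultdict(list)
    for device, ts in events:
        by_device[device].append(datetime.fromisoformat(ts))

    escalated = set()
    for device, times in by_device.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start past events older than `window` before t.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                escalated.add(device)
                break
    return escalated


if __name__ == "__main__":
    print("5 or more in 24 h:", sorted(escalated_devices(SAMPLE_EVENTS)))
    print("more than 5 in 24 h:", sorted(escalated_devices(SAMPLE_EVENTS, threshold=6)))
```

WS-002 shows why the window matters: it has five detections in total, but never five within 24 hours, so it is not escalated under either threshold.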

Activity Filters

From the Threat Overview pane, you can drill down to view the device details and the top 5 threats. Select a threat to open the Threat Details pane, and view details about the threat.

Threat Details

The Threat Details pane displays the details of the selected threat.

  • Threat Details — Displays this basic information about the selected threat event:
      • Name
      • File Name
      • Analyzer Detection Method
      • Reporting Product Name
      • First seen in network
      • Last seen in network
      • Prevalence
      • Age
  • Advanced Details — Displays in-depth information about the selected threat event:
      • Agent GUID
      • Event Generated Time
      • Event Category
      • Event ID
      • Threat Severity
      • Threat Type
      • Action Taken
      • Threat Target Host Name
      • Threat Source Process Name
      • Event Description
  • Affected Devices — Displays the list of devices affected by the selected event.
  • Story Graph (Trace Summary) — Displays the trace summary for the selected event.

Compliance Overview

The Compliance Overview pane displays these details.

  • Security Content — Status of the security content in the environment. The compliance status is calculated for these items as follows:

McAfee Endpoint Security AMCore — Number of systems with AMCore content compliant or noncompliant.

  • Compliant — The AMCore content creation date is less than 7 days old.
  • Non-Compliant — The AMCore content creation date is more than 7 days old.

McAfee Endpoint Security Exploit Prevention — Number of systems with Exploit Prevention content compliant or noncompliant.

  • Compliant — Enabled state in policy matches the enabled state on client system.
  • Non-Compliant — Enabled state in policy doesn't match the enabled state on client system.

McAfee DAT — An endpoint is considered compliant if the DAT Date is within 7 days from today. For example, if today is July 19, endpoints with a DAT date of July 13 or later are compliant.

Microsoft Windows Defender — An endpoint is considered compliant if the Anti-Virus Signature Last Updated date is within 7 days from today. For example, if today is July 19, endpoints with a DAT date of July 13 or later are compliant.

For McAfee DAT and Microsoft Windows Defender, the endpoint reports the date, which can be viewed on the Products tab of the System Information page.

  • Software Status — Status of the individual products deployed in the environment, for example McAfee Endpoint Security, McAfee Agent, and McAfee MVISION Endpoint. The devices are color-coded to indicate the health of the device's security status.
  • Device Management — Displays these device counts:

Check-in Failure indicates the number of devices that haven't checked in to the McAfee ePO server for more than 15 days.

Managed Devices without Protection indicates the number of devices that don't have these antimalware products installed: Threat Prevention, MVISION Endpoint, or VirusScan Enterprise.

Managed Devices indicates the total number of managed devices over the past 7 days.

View the number of devices that have communicated with McAfee ePO at least once. Systems that have never communicated with McAfee ePO are not included in the count.

Important: The systems that never communicated with McAfee ePO appear in the System Tree and not in the Protection Workspace.
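The Compliance Overview rules above (content dates less than 7 days old, Exploit Prevention policy state matching the client state, check-in failure after more than 15 days, and managed devices with none of the listed antimalware products) can be evaluated offline over an inventory export to reproduce the pane's counts. The Python below is an added example, not McAfee or ePO code: the record layout, device names, product names as strings and dates are constructed assumptions, and the date test follows the page's July 19 / July 13 case, so a date exactly 7 days old is non-compliant (the DAT and Windows Defender rules say so; the AMCore rule leaves exactly 7 days unstated and is treated the same way here).

```python
"""Compliance Overview rules as code (added example; not McAfee or ePO code).

Thresholds are the page's: content/DAT/signature dates are compliant when
less than 7 days old, a device is a check-in failure after more than 15 days
without contact, and a managed device is unprotected when none of Threat
Prevention, MVISION Endpoint or VirusScan Enterprise is installed.
The inventory record layout below is an assumption made for this example.
"""
from datetime import date

CONTENT_MAX_AGE_DAYS = 7      # July 13 is compliant on July 19; July 12 is not
CHECKIN_FAILURE_DAYS = 15     # more than 15 days without a check-in
PROTECTION_PRODUCTS = {"Threat Prevention", "MVISION Endpoint", "VirusScan Enterprise"}

TODAY = date(2024, 7, 19)     # constructed "today" matching the page's example

# Constructed sample inventory; absent dates mean the product is not reporting one.
SAMPLE_DEVICES = [
    {"name": "WS-001", "last_checkin": "2024-07-18",
     "products": {"Threat Prevention", "McAfee Agent"},
     "amcore_date": "2024-07-15",
     "exploit_prevention": {"policy": True, "client": True}},
    {"name": "WS-002", "last_checkin": "2024-07-19",
     "products": {"VirusScan Enterprise", "McAfee Agent"},
     "dat_date": "2024-07-12"},                       # exactly 7 days old
    {"name": "WS-003", "last_checkin": "2024-06-30",   # 19 days silent
     "products": {"McAfee Agent"},
     "defender_signature_date": "2024-07-13"},        # 6 days old
    {"name": "WS-004", "last_checkin": "2024-07-19",
     "products": {"Threat Prevention", "McAfee Agent"},
     "amcore_date": "2024-07-19",
     "exploit_prevention": {"policy": True, "client": False}},
]


def content_compliant(content_date, today):
    """True when the reported date is less than 7 days old; None if not reported."""
    if content_date is None:
        return None
    age = (today - date.fromisoformat(content_date)).days
    return 0 <= age < CONTENT_MAX_AGE_DAYS


def exploit_prevention_compliant(ep):
    """Compliant when the policy's enabled state matches the client's state."""
    if ep is None:
        return None
    return ep["policy"] == ep["client"]


def checkin_failure(device, today):
    """True when the device has not checked in for more than 15 days."""
    return (today - date.fromisoformat(device["last_checkin"])).days > CHECKIN_FAILURE_DAYS


def without_protection(device):
    """True when none of the listed antimalware products is installed."""
    return not (device["products"] & PROTECTION_PRODUCTS)


def compliance_report(devices, today):
    """Per-device summary of the checks the Compliance Overview pane shows."""
    return {
        d["name"]: {
            "amcore": content_compliant(d.get("amcore_date"), today),
            "dat": content_compliant(d.get("dat_date"), today),
            "defender": content_compliant(d.get("defender_signature_date"), today),
            "exploit_prevention": exploit_prevention_compliant(d.get("exploit_prevention")),
            "checkin_failure": checkin_failure(d, today),
            "without_protection": without_protection(d),
        }
        for d in devices
    }


def pane_counts(devices, today):
    """Aggregate the Device Management counts the pane displays."""
    report = compliance_report(devices, today)
    return {
        "managed_devices": len(report),
        "checkin_failure": sum(r["checkin_failure"] for r in report.values()),
        "without_protection": sum(r["without_protection"] for r in report.values()),
    }


if __name__ == "__main__":
    for name, checks in compliance_report(SAMPLE_DEVICES, TODAY).items():
        print(name, checks)
    print(pane_counts(SAMPLE_DEVICES, TODAY))
```

A check returns None rather than False when a product reports no date, so a device without that product is not counted as non-compliant for it; WS-002 shows the boundary case where a DAT dated July 12 is non-compliant on July 19.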

Devices

The information that appears in the Devices pane changes depending on the category you select:

  • Devices
  • Escalations (default view)

You can view your devices by tags, by System Tree view, or as a list. Use the search feature to quickly find a device.

Important: The systems that never communicated with McAfee ePO appear in the System Tree and not in Protection Workspace.

Device Details

From the Devices pane, you can drill down to view the device details and the top 5 threats. Select a threat under Recent Threat Events to open the Threat Details pane, and view details about a specific threat.