Scenario 1:
MVISION EDR publishes newly seen threats and threats with an updated severity for consumption by third-party tools, including ESM, to the Activity Feed. If a previously published threat is reported again without an increase in severity, the threat isn’t published to the activity feed.

For example:
You have a threat named malware.exe first reported on 20 July 2021 to EDR from Host A with a severity of Medium. This event is published to ESM. Between 20 July to 30 July, the same malware.exe threat is generated on 10 different hosts without any change in severity (Medium). In this case, none of the events are published to ESM.

On 31 July, Host B generates the same threat again, and post analysis finds that the threat is of High severity. If you select malware.exe under Potential Threat in the EDR console, and then go to the Threat Details tab, you see that Host B reports High threat. But all other previous Host entries display as Medium. Because the severity changed from Medium to High, you see this event present in your ESM console.

If the same High severity event is generated more than once, or if the severity decreased within EDR from High to Medium, the event isn’t reported to ESM. This functionality gives more accurate data to the ESM console so your SOC analyst only the required information rather than multiple repeated events.

Scenario 2:
MVISION EDR Business events such as EDR.UI - dashboard are operational events that aren’t reported in the EDR Monitoring dashboard. But, they’re published to the EDR Activity feed and collected in ESM.