Need help transitioning to online platforms? Call us at (310) 267-HELP (4357) or email [email protected].

Incident Response Services

Threat Detection and Identification (TDI)

Using automated technology to identify compromised systems

Threat Detection and Identification (TDI) allows the UCLA IT Security to receive alerts regarding malicious traffic observed within the campus network.

These alerts are the product of FireEye Network, Email, and Host Security detection appliances. The alerts generated by the appliances, investigated and triaged by the FireEye and UCLA IT Security team, and distributed to the relevant campus unit for remediation. 

Using automated technology, the service focuses on threat identification and looks for signs that a system may have been compromised. Upon threat detection, they provide an alert including relevant data about the attack. This evidence includes a limited amount of network traffic related to the attack to help investigate the threat.


The TDI service consists of threat identification using FireEye security technologies:

Network Security (NX) Detection

  • This technology inspects the incoming and outgoing traffic at the campus/internet border and alerts to any Malware, Trojan, or Advanced Persistent Threats (APT). The alerts are classified as High, Medium, or Low, based off severity and threat type. 
  • NX technology is implemented across campus to maximize visibility and alerting.

Email Security (EX) Protection

  • This technology inspects and blocks inbound malicious emails that are destined for any Enterprise Messaging (EM) managed mailbox. 
  • The EX will generate a retroactive security alert in the event that an email is delivered to a mailbox that is determined to be malicious based of new threat intelligence or additional analysis.

Host Security (HX) Forensics

  • This technology is a host-based agent that is installed on servers and primarily functions as a forensic recording agent in the event of a compromise. 
  • The agent collects logs and tracks system changes for forensic investigation in order to provide visibility into the activities and scope of an attack. 

Each alert is investigated by FireEye, and is then provided to the UCLA IT Security Office as an Incident report. The IT Security Office validates the alert and notifies the relevant campus IT unit for remediation.

Remediation Guidance
The IT Security Office will assist units in interpreting the security alert and providing best practices for remediating the affected system.

Service Level Commitments

The IT Security Office will provide units with the following service level commitments: 
Alerting - High severity: 24 hours, Medium severity: 2 days, Low severity: 3 days
Reporting - Campus unit is notified within a day after the initial detection of the threat. 

  • High Severity: Notified via email and phone call. Communication is persistent until IT security receives acknowledgement from the campus unit within 4 hours
  • Medium Severity: Notified via email and phone call within a day of validating the alert. Communication is persistent every day until campus unit acknowledgement is received.
  • Low Severity: Notified via email and communication is repeated every 5 business days until campus unit acknowledgement is received.”

Deployment Model

Deployed in the following environments: 

  • NX – Campus/internet border, VPN, Wifi, and Datacenter networks 
  • EX – All campus Enterprise Messaging (EM) managed mailboxes
  • HX – IT Services managed Windows servers and some campus unit Windows servers (opt-in)

Available to


Eligibility varies per service. Contact your ITCC for details.


Only available for campus departments via service request.


UCLA’s Threat Detection and Identification (TDI) initiative gives UCLA a campus-wide toolset to help manage and reduce cybersecurity risks. The initiative was implemented in a multi-phased deployment of network, email, and host level protection using an array of cybersecurity devices and uses intelligence from many different information sources.

They help manage and reduce cyber security risks by using real-time data about advanced threats and cyberattacks. Using automated technology, they focus on threat identification and signs that a system may have been compromised. Upon threat detection, they provide relevant data about the attack. This evidence includes a limited amount of network traffic related to the attack to help reconstruct what happened during the attack. This valuable information provides intelligence for formulating and developing an effective response that allows UCLA information security professionals to respond quickly to these threats.  UCLA’s various cybersecurity devices and threat intelligence give a common operational picture of campus-wide cybersecurity threats. This is critical in assessing the University’s readiness, as well as reducing overall cybersecurity-related risks.

UCLA’s TDI devices are used to maximize visibility into the cybersecurity threat landscape. These devices also include various advanced forensic tools that can provide more detailed and actionable information regarding cyber threats. These devices detail how threats gain entry and the effect(s) they may have caused. This enables information security professionals to respond faster, more effectively, and help guard against future threats.  Using the automated technology, UCLA’s cybersecurity environment monitors for threats around the clock for the following:

  • Malware, including ransomware, crimeware, and other advanced malware threats that are created for a specific target and/or purpose.
  • Known malicious Internet addresses and websites.
  • Command-and-control (C&C) traffic nodes, which may be how attackers control and manipulate infected computers.
  • IOCs come in many forms including known bad websites, use of covert communications, dangerous metadata, and much more.

No. The cybersecurity devices that UCLA employs promote a strong ability to detect and alert on known threats on a wide-range of applications and systems. This technology is strategically implemented to ensure that no network traffic or system is directly impacted.


There is no cost to the units for the Threat Detection and Identification service.