I want to know why SIEM categorizes an ePO Exploit event as a "not blocked" Buffer Overflow attempt even though the custom type threat_handled comes as "yes".
What should I conclude about a "not blocked" BO attempt with a "threat_handled: yes"? I can't see the logic applied here.
I'll be grateful for any answers regarding this.
From (poor) memory, you have your Agent configured in non-blocking mode for the buffer overflow event, so the threat is handled in accordance with your configuration.
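A small triage helper that separates the three outcomes at play in the thread: blocked, not blocked but handled per a report-only policy, and not blocked and not handled. This is an added example, not code from the original post or from ePO; the `action_taken` field name and the sample events are assumptions constructed for illustration, only `threat_handled` ("yes"/"no") and the "not blocked" wording come from the post.

```python
"""Triage ePO exploit-prevention events by blocking outcome vs. handling flag.

Added example, not from the original post. The `action_taken` field name and
the event records below are assumptions/constructed; only `threat_handled`
and the "not blocked" wording appear in the post.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class EpoEvent:
    host: str
    threat_name: str
    action_taken: str    # assumed field: "blocked" or "not blocked"
    threat_handled: str  # "yes" / "no", as in the post


def classify(ev: EpoEvent) -> str:
    """Return "blocked", "report-only" or "unhandled" for one event."""
    blocked = ev.action_taken.strip().lower() == "blocked"
    handled = ev.threat_handled.strip().lower() == "yes"
    if blocked:
        return "blocked"
    if handled:
        # The signature fired and the agent did what policy told it to do,
        # but the policy was non-blocking, so the attempt itself went through.
        return "report-only"
    return "unhandled"


def needs_follow_up(events: Iterable[EpoEvent]) -> List[EpoEvent]:
    """Anything not actually blocked deserves analyst attention, whether or
    not the agent reports it as handled: "handled" only means the policy
    was applied, not that the exploit attempt was stopped."""
    return [e for e in events if classify(e) != "blocked"]


# Constructed sample events (not real ePO output). ws-01 is the case
# described in the post: not blocked, yet threat_handled = yes.
SAMPLE_EVENTS = [
    EpoEvent("ws-01", "BO:Heap", "not blocked", "yes"),
    EpoEvent("ws-02", "BO:Stack", "blocked", "yes"),
    EpoEvent("ws-03", "BO:Heap", "not blocked", "no"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.host}: {ev.threat_name} -> {classify(ev)}")
    print("follow up:", [e.host for e in needs_follow_up(SAMPLE_EVENTS)])
```

The point of `needs_follow_up` is the caveat a SIEM rule should encode: a "threat_handled: yes" on a "not blocked" buffer overflow event says the agent honoured a non-blocking policy, so the event should still be routed to an analyst rather than auto-closed as remediated.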