I have an AV event of minor severity. Under 'handled', it says 'true'. On the same event properties screen, it says that 'this is not an IPS event', and that 'event was NOT blocked.'
I take this to mean that the threat has been neutralized by AV, since handled was true, and that, since it was not an IPS event, it is not a concern that it was not blocked.
If you're able to get the actual event ID that's being interpreted here, I could tell you if the threat was handled or if the system warrants a closer look.
I have found the answer for this.
If you have an AV event that does not precipitate a specific action to be taken, it will merely be logged. So, in the case above, an event of minor severity was noted, and addressed by AV. In this case, it was merely logged. Therefore, it was considered to have been "handled".
It was not an IPS event, but that is not what determined whether it was blocked or not blocked. If AV policy were set to block minor severity events on the ePO server in question, it would have been blocked and would have reported as having been blocked.