Infocyte: ARR Alert Management

Description

All EDRs are noisy tools, and we at SonicSentry rely on that noise and data to accurately detect and respond to activity within your environment. We have dedicated experts distinguishing what is benign, what is expected behavior for routine updates, and what activity needs additional attention.

That said, YOU know your environment, what is permitted, and what is not. By taking an active role in Alert Management you help keep a clean and relevant baseline and single out unapproved use of controlled tools (remote-access utilities, for example) that are otherwise used legitimately in your environment.

 

Alert Dashboard

The default view of the Alerts page shows ONLY events the agent categorizes as 'Alerts' with a severity of 'High' or 'Severe', covering the last 30 days.

Image

  • To view all recorded events and logs, clear the preset filters.
  • Selecting 'Show Acknowledged Alerts' also lists alerts you have previously acknowledged ("cleared").
  • Selecting 'Include Historical Alerts' shows every collected alert that matches the current filter values, including alerts older than the default 30-day window.

 

Display Options

By clicking the columns button to the right of the filter search bar, you can customize the information displayed on the Alerts screen.

Image

  • Hovering to the left of a field name reveals a position slider that can be used to change that column's position.
  • Width can be adjusted on all columns.
  • Columns marked with double arrows can be sorted by that field's value.

 

Alert Actions

When you select an alert, several Actions are available within it.

Image

Respond

To use this Action you must have an active Respond Policy in your portal. Respond creates a Custom Response for the event, which then runs automatically every time the same file or process is detected by any agent with that policy applied. Because the response acts without further review, confirm that no approved use of the process exists on the hosts in scope before enabling it.

Image

  • Host Isolation issues an Isolation command to any endpoint where the file or process is detected. In the image above, any host running an instance of 'screenconnect.clientservice.exe' would be isolated automatically.
  • Terminate Process issues a Kill Task command to any endpoint where the file or process is detected. In the image above, any instance of 'screenconnect.clientservice.exe' would be terminated.
  • Host Isolation Restore is not to be used in a Respond Policy.

 

Acknowledge

Acknowledging an alert simply tells the portal "I have seen this": it removes the alert from your New Alert count and from the Alert View list. To see acknowledged alerts again, select 'Show Acknowledged Alerts'.

 

Create Suppression Rule

Creating a suppression rule acknowledges the alert and every future event that matches the rule. Matching events are still logged, but are only visible when 'Suppressed' is selected in the Severity filter.

A general guideline for rule and alert suppressions is to be as granular as possible: select every field that distinguishes the approved activity (path, command line, host or location), so the rule cannot hide a different process that merely shares a name with it.

Image

  • Place a check in the box of each field you want included in the suppression value; unchecked fields are ignored when matching.
  • Wildcard values are shown on the 'Process Command Line' value. A wildcard MUST stay within a folder or file name; you may not place a wildcard immediately after a folder break (path separator).
  • Every selected value must match the event exactly. If any one of them does not, an alert is still generated for the event.
  • Suppressions can be scoped to a single host, a Location, an Organization, or portal wide.
