Learn how to quickly setup and enable your Managed Detection and Response (MDR) service from the Nebula console. We’ll walk you through:

  •  Our recommendation for your environment
  •  Updating your Nebula policy settings
  •  Configuring your Managed Services settings
  •  Accessing and exploring the Managed Services page

Join an MDR Onboarding Webinar

The ThreatDown team offers bi-weekly onboarding webinars to guide customers through the process of setting up and activating their MDR service.

Learn More  

Recommendation

If you have a new Nebula account with MDR, skip to Step 2 - Enable MDR.

Otherwise, ensure the endpoint agent is installed on at least 95% of your devices.

Once you’ve thoroughly deployed the endpoint agent, proceed to Step 1 – Update policy settings.

Resources

If you need assistance with deploying the endpoint agent or configuring Nebula, check out these resources:

Follow the steps below to setup and activate MDR

Step 1 - Update policy settings

First, we’ll update all active policies to maximize protection on your devices. Follow these steps to apply the MDR analysts’ policy recommendations to your endpoints. 

  1. Go to the Configure > Policies page.
  2. Click on a policy name to edit it.
  3. Update each active policy assigned to a group according to the steps below.

Protection Settings

  1. Click on the Protection settings section.
  2. Scroll down to Additional protection.
  3. Enable Self-Protection and Device Control for Windows endpoints according to the image below.
protection-settings.png

Endpoint Detection and Response Settings

  1. Click on the Endpoint Detection and Response section.
  2. Enable and configure Suspicious activity monitoring, Flight Recorder Search, Ransomware rollback, and Active Response Shell for Windows, Mac and Linux endpoints according to the image below. Include Suspicious activity monitoring for servers if applicable. 

    EDR_update.png
  3. If you plan to allow MDR analysts to isolate your endpoints, enable Endpoint Isolation for WIndows, Mac and Linux endpoints according to the image below.

    EDR - 2.png

Brute Force protection Settings

  1. Click on the Brute Force protection section.
  2. Enable brute force protection and configure the trigger rule for Windows endpoints according to the image below.
bfp-settings.png

Once you’ve updated all your active policies, proceed to Step 2 – Enable MDR.

Step 2 – Enable MDR

If you have a new Nebula account, you're required to configure MDR immediately after logging in.

For other accounts, click Managed Services on the left menu. This is a separate section of Nebula that you’ll use to view your MDR case metrics, communicate with analysts on your cases, and configure MDR settings. A pop-up displays on this page to configure the MDR settings. 

mdr-overview.gif

MDR Contacts

  1. In the MDR Contacts section, select users with the Super Admin role.
  2. Enter phone numbers.

Remediation authorization

  1. Go to the Remediation authorization section.
  2. Select ThreatDown managed.

Isolation authorization

  1. Go to the Isolation authorization section.
  2. Select Yes, authorize isolation.
    Note: If there are specific endpoints you don't want MDR analysts to isolate, select Yes, but exclude machines in specific group(s) and select the groups. This option is not available for new accounts since there are no other groups in your environment. You can revisit this section under Managed Services > Edit Configurations to exclude groups once you've created more groups in Nebula.
  3. Click Save Configurations.

Note: Endpoint isolation must be enabled in the policy setting.

After enabling MDR, our analysts will monitor your devices for threats. Proceed to Step 3 – Explore MDR Case Activity.

Step 3 – Explore MDR Case Activity

To access your MDR case activity, click on the Overview tab from the Managed Services page.

Overview

The Overview tab offers a quick summary of what’s happening in your environment.

  1. In the top right, adjust the reporting period as desired.

    Filter_button.png
  2. Review the following widgets:
    • Cases by stage: Provides a general overview of case activity in your environment.
    • Cases by priority: Displays the number of cases grouped by their urgency.
    • Top case close reasons: Displays the most frequent reasons cases were closed by analysts.
mdr-case-dashboard.gif

Once you’ve explored the Overview tab, proceed to Step 4 – Manage MDR cases.

Step 4 – Manage MDR Cases

Next, let’s go over MDR cases and how you would review them.

MDR Cases

MDR cases are not the same as support cases.

To begin reviewing your MDR cases, click the Cases tab from the Managed Services page. A MDR case is automatically generated when there is a detection or suspicious activity alert on your endpoints. Multiple alerts are consolidated into a single case if they are similar and occur within a 15-minute period on the same endpoint. This simplifies the analysis of malicious activity.

Click on the ID of a case to view additional details.

mdr-case.gif

Each MDR case contains a wealth of detailed information, but the most important elements are:

  1. Title: Detection (DE) or Suspicious Activity (SA), followed by the threat or file name identified on the endpoint.
  2. Case ID: The unique case identifier assigned to a MDR case.
  3. Communications & History: An audit trail of all activities conducted by an analyst on an MDR case and a means for you to communicate with the analyst.
  4. Alerts & Artifacts: A page linking you to the various detections and alerts of a case.

Ask questions on a MDR case

If you have a question about an MDR case, follow these instructions to ask our analysts:

  1. On the left navigation, click Managed Services.
  2. Click on the Cases tab.
    • Questions on an open case.
      1. Click on a case number.
      2. Find the message box at the bottom of the case.
      3. Enter your question.
      4. Press the send button. Send_button.png
    • Follow-up questions on a closed case.
      1. Click the Submit a Request button.
      2. Optionally, enter a case number of the case.
      3. Select a priority
      4. Enter a description.
      5. Click Save.

Respond to MDR case notifications

The MDR analysts investigate and handle all your MDR cases so you don’t have to do it yourself. If they determine you need to take action on a MDR case, you’ll receive an email notification.

If you receive an email notification, follow these instructions:

  1. On the left navigation, click Managed Services.
  2. Click on the Cases tab.
  3. Find the MDR case using the case ID displayed in the email notification.
  4. Click on the Comments button Comment_button.png to filter for comments left by an analyst.
  5. Perform the actions requested by the analyst.
  6. Use the message box at the bottom of the page to confirm the actions have been completed or to ask a question.
  7. Press the send button. Send_button.png

If you need help with your Nebula product, open a support ticket in Nebula instead. 

Once you’re familiar with the Managed Services page, proceed to Step 5 – Configure MDR Notifications and Report.

Step 5 - Configure MDR Notifications and Report

Notifications and reports help you stay informed on the real-time and overall threat activity occurring in your environment.

Notifications

A notification is automatically created for MDR contacts you configured back in Step 2 – Enable MDR.

If you need additional personnel to be notified about cases or escalations, follow these steps to create a notification for other recipients:

  1. In Nebula, go to Configure > Notifications.
  2. Click New notification.
  3. Enter a notification name and click Next.
  4. Select Managed services activity > Case Management and click Next.
  5. Click Next to skip the Conditions page.
  6. Select the Email delivery method and enter a Subject.
  7. Select other Nebula admins or manually enter email addresses and click Next.
  8. Enable the following fields and click Complete:
    1. Case ID
    2. Case Name
    3. Priority
    4. Endpoints
    5. Case Creation Time

Reports

Included with your service is a report showing the actions taken by our MDR analysts in the last 30 days to protect your endpoints. This is set up on the Configure > Reports page.

If you already have a report with MDR Metrics Summary as the Report type, click on the report name to confirm the configuration. If you don’t have a report yet, follow these steps to create one:

  1. Click New report.
  2. Enter a report name.
  3. Select the MDR Metrics Summary Report type.
  4. Select how often to receive this report:
    • On-Demand: Only after clicking Generate on the Configure > Reports page.
    • Daily: Every day.
    • Weekly: On certain days of the week.
    • Monthly: On a specific day of the month.
  5. Select the time zone to display data.
  6. Select recipients for the report.
  7. Enter an email subject line.
  8. Enter a body message.
  9. Click Save.

Still have questions?

Support is available via chat, phone or by creating a ticket. You can also use our virtual assistant for guided assistance.

Learn more