Learn how to quickly set up and enable your Managed Detection and Response (MDR) service from the Nebula console. We’ll walk you through:
- Our recommendation for your environment
- Updating your Nebula policy settings
- Configuring your Managed Services settings
- Accessing and exploring the Managed Services page
Join an MDR Onboarding Webinar
The ThreatDown team offers bi-weekly onboarding webinars to guide customers through the process of setting up and activating their MDR service.
Recommendation
Make sure the endpoint agent is installed on at least 95% of your devices.
Once you’ve thoroughly deployed the endpoint agent, proceed to Step 1 – Update policy settings.
Resources
If you need assistance with deploying the endpoint agent or configuring Nebula, check out these resources:
Follow the steps below to set up and activate MDR
Step 1 – Update policy settings
First, we’ll update all active policies to maximize protection on your devices. Follow these steps to apply the MDR analysts’ policy recommendations to your endpoints.
- Go to the Configure > Policies page.
- Click on a policy name to edit it.
- Update each active policy assigned to a group according to the steps below.
Protection Settings
- Click on the Protection settings section.
- Scroll down to Additional protection.
- Enable Self-Protection and Device Control for Windows endpoints according to the image below.
Endpoint Detection and Response Settings
- Click on the Endpoint Detection and Response section.
- Enable and configure Suspicious activity monitoring, Flight Recorder Search, and Ransomware rollback for Windows and Mac endpoints according to the image below.
Brute Force protection Settings
- Click on the Brute Force protection section.
- Enable brute force protection and configure the trigger rule for Windows endpoints according to the image below.
Once you’ve updated all your active policies, proceed to Step 2 – Enable MDR.
Step 2 – Enable MDR
On the left navigation, click Managed Services. This is a separate section of Nebula that you’ll use to view your MDR case metrics, communicate with analysts on your cases, and configure MDR settings.
To enable MDR, click the Configurations tab.
MDR Contacts
- Go to the MDR Contacts section.
- Select users with the Super Admin role.
- Enter phone numbers starting with +country code and don’t include dashes or parentheses.
General Data Protection Regulation Requirement
- Go to the General Data Protection Regulation requirement section.
- Select Yes or No based on your company’s GDPR requirement.
Remediation authorization
- Go to the Remediation authorization section.
- Select ThreatDown managed.
Isolation authorization
- Go to the Isolation authorization section.
- Select Yes, authorize.
After enabling MDR, our analysts will monitor your devices for threats. Proceed to Step 3 – Explore MDR Case Activity.
Step 3 – Explore MDR Case Activity
To access your MDR case activity, click on the Overview tab from the Managed Services page.
Overview
The Overview tab offers a quick summary of what’s happening in your environment.
- In the top right, adjust the reporting period as desired.
- Review the following widgets:
  - Cases by stage: Provides a general overview of case activity in your environment.
  - Cases by priority: Displays the number of cases grouped by their urgency.
  - Top case close reasons: Displays the most frequent reasons cases were closed by analysts.
Once you’ve explored the Overview tab, proceed to Step 4 – Manage MDR cases.
Step 4 – Manage MDR Cases
Next, let’s go over MDR cases and how you would review them.
MDR Cases
MDR cases are not the same as support cases.
To begin reviewing your MDR cases, click the Cases tab from the Managed Services page. An MDR case is automatically generated when there is a detection or suspicious activity alert on your endpoints. Multiple alerts are consolidated into a single case if they are similar and occur within a 15-minute period on the same endpoint. This simplifies the analysis of malicious activity.
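The consolidation rule above explains why the number of cases is usually lower than the number of alerts. The sketch below is an added illustration, not ThreatDown's implementation: it assumes "similar" means the same alert type and the same threat or file name, and that the 15-minute period is measured from the first alert in a case. The alert tuples and the title format are constructed for the example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # consolidation period stated in the guide

# Constructed sample alerts: (endpoint, type, name, ISO time). Not real data.
SAMPLE_ALERTS = [
    ("ws-01", "DE", "Trojan.Sample", "2024-05-01T09:00:00"),
    ("ws-01", "DE", "Trojan.Sample", "2024-05-01T09:10:00"),
    ("ws-01", "DE", "Trojan.Sample", "2024-05-01T09:20:00"),   # > 15 min after first
    ("ws-02", "DE", "Trojan.Sample", "2024-05-01T09:05:00"),   # different endpoint
    ("ws-01", "SA", "powershell.exe", "2024-05-01T09:12:00"),  # different alert type
]


def consolidate(alerts, window=WINDOW):
    """Group alerts into cases.

    Assumptions (the guide does not define them): "similar" means same
    type and same name; the window starts at a case's first alert.
    """
    cases = []
    latest = {}  # (endpoint, type, name) -> most recent case for that key
    for endpoint, kind, name, ts in sorted(alerts, key=lambda a: a[3]):
        when = datetime.fromisoformat(ts)
        key = (endpoint, kind, name)
        case = latest.get(key)
        # Open a new case if none exists or the window has elapsed.
        if case is None or when - case["first_seen"] > window:
            case = {"title": f"{kind} {name}", "endpoint": endpoint,
                    "first_seen": when, "alerts": []}
            cases.append(case)
            latest[key] = case
        case["alerts"].append(ts)
    return cases


if __name__ == "__main__":
    for c in consolidate(SAMPLE_ALERTS):
        print(c["endpoint"], c["title"], len(c["alerts"]), "alert(s)")
```

Five sample alerts yield four cases: only the two ws-01 detections ten minutes apart are merged.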
Click on the ID of a case to view additional details.
Each MDR case contains a wealth of detailed information, but the most important elements are:
- Title: Detection (DE) or Suspicious Activity (SA), followed by the threat or file name identified on the endpoint.
- Case ID: The unique case identifier assigned to an MDR case.
- Communications & History: An audit trail of all activities conducted by an analyst on an MDR case and a means for you to communicate with the analyst.
- Alerts & Artifacts: A page linking you to the various detections and alerts of a case.
Ask questions on an MDR case
If you have a question about an MDR case, follow these instructions to ask our analysts:
- On the left navigation, click Managed Services.
- Click on the Cases tab.
- Questions on an open case.
  - Click on a case number.
  - Find the message box at the bottom of the case.
  - Enter your question.
  - Press the send button.
- Follow-up questions on a closed case.
  - Click the Submit a Request button.
  - Enter a case number.
  - Select a priority.
  - Enter a description.
  - Click Save.
Respond to MDR case notifications
The MDR analysts investigate and handle all your MDR cases so you don’t have to do it yourself. If they determine you need to take action on an MDR case, you’ll receive an email notification.
If you receive an email notification, follow these instructions:
- On the left navigation, click Managed Services.
- Click on the Cases tab.
- Find the MDR case using the case ID displayed in the email notification.
- Click on the Comments button to filter for comments left by an analyst.
- Perform the actions requested by the analyst.
- Use the message box at the bottom of the page to confirm the actions have been completed or to ask a question.
- Press the send button.
If you need help with your Nebula product, open a support ticket in Nebula instead.
Once you’re familiar with the Managed Services page, proceed to Step 5 – Configure MDR Notifications and Report.
Step 5 – Configure MDR Notifications and Report
Notifications and reports help you stay informed on the real-time and overall threat activity occurring in your environment.
Notifications
A notification is automatically created for MDR contacts you configured back in Step 2 – Enable MDR.
If you need additional personnel to be notified about cases or escalations, follow these steps to create a notification for other recipients:
- In Nebula, go to Configure > Notifications.
- Click New notification.
- Enter a notification name and click Next.
- Select Managed services activity > Case Management and click Next.
- Click Next to skip the Conditions page.
- Select the Email delivery method and enter a Subject.
- Select other Nebula admins or manually enter email addresses and click Next.
- Enable the following fields and click Complete:
  - Case ID
  - Case Name
  - Priority
  - Endpoints
  - Case Creation Time
Reports
Included with your service is a report showing the actions taken by our MDR analysts in the last 30 days to protect your endpoints. This is set up on the Configure > Reports page.
If you already have a report with MDR Metrics Summary as the Report type, click on the report name to confirm the configuration. If you don’t have a report yet, follow these steps to create one:
- Click New report.
- Enter a report name.
- Select the MDR Metrics Summary Report type.
- Select how often to receive this report:
  - On-Demand: Only after clicking Generate on the Configure > Reports page.
  - Daily: Every day.
  - Weekly: On certain days of the week.
  - Monthly: On a specific day of the month.
- Select the time zone to display data.
- Select recipients for the report.
- Enter an email subject line.
- Enter a body message.
- Click Save.