Learn how to quickly set up and enable your Managed Threat Hunting (MTH) service from the Nebula console. We’ll walk you through:

  •  Our recommendations for your environment
  •  Updating your Nebula policy settings
  •  Configuring your Managed Services settings
  •  Accessing and exploring the Managed Services page

Join an MTH Onboarding Webinar

The ThreatDown team offers bi-weekly onboarding webinars to guide customers through the process of setting up and activating their MTH service.


Recommendation

Make sure the endpoint agent is installed on at least 95% of your devices.

Once you’ve thoroughly deployed the endpoint agent, proceed to Step 1 – Update policy settings.

Resources

If you need assistance with deploying the endpoint agent or configuring Nebula, check out these resources:

Follow the steps below to set up and activate MTH.

Step 1 - Update policy settings

First, we’ll update all active policies to maximize protection on your devices. Follow these steps to apply the MTH analysts’ policy recommendations to your endpoints.

  1. Go to the Configure > Policies page.
  2. Click on a policy name to edit it.
  3. Update each active policy assigned to a group according to the steps below.

Protection Settings

  1. Click on the Protection settings section.
  2. Scroll down to Additional protection.
  3. Enable Self-Protection and Device Control for Windows endpoints according to the image below.
[Image: protection-settings.png]

Endpoint Detection and Response Settings

  1. Click on the Endpoint Detection and Response section.
  2. Enable and configure Suspicious activity monitoring, Flight Recorder Search, and Ransomware rollback for Windows and Mac endpoints according to the image below.
[Image: edr-updated.png]

Brute Force protection Settings

  1. Click on the Brute Force protection section.
  2. Enable brute force protection and configure the trigger rule for Windows endpoints according to the image below.
[Image: bfp-settings.png]

Once you’ve updated all your active policies, proceed to Step 2 – Enable MTH.

Step 2 – Enable MTH

On the left navigation, click Managed Services. This is a separate section of Nebula that you’ll use to view your MTH case metrics, read analyst comments, and configure MTH settings.

To enable MTH, click the Configurations tab.

[Image: nebula-mth-dash-1.gif]

MTH Contacts

  1. Go to the MTH Contacts section.
  2. Select users with the Super Admin role.
[Image: mth_contacts.png]

After enabling MTH, our analysts will monitor your devices for threats. Proceed to Step 3 – Explore MTH Case Activity.

Step 3 – Explore MTH Case Activity

To access your MTH case activity, click on the Overview tab from the Managed Services page.

Overview

The Overview tab offers a quick summary of what’s happening in your environment.

  1. In the top right, adjust the reporting period as desired.
    [Image: Filter_button.png]
  2. Review the following widgets:
    • Cases by stage: Provides a general overview of case activity in your environment.
    • Cases by priority: Displays the number of cases grouped by their urgency.
    • Top case close reasons: Displays the most frequent reasons cases were closed by analysts.
[Image: mdr-overview-neb.gif]

Once you’ve explored the Overview tab, proceed to Step 4 – Manage MTH cases.

Step 4 – Manage MTH Cases

Next, let’s go over MTH cases and how you would review them.

MTH Cases

Note: MTH cases are not the same as support cases.

To begin reviewing your MTH cases, click the Cases tab from the Managed Services page. An MTH case is automatically generated when there is a detection or suspicious activity alert on your endpoints. Multiple alerts are consolidated into a single case if they are similar and occur within a 15-minute period on the same endpoint. This simplifies the analysis of malicious activity.
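The consolidation rule above, worked through as an added illustration (not ThreatDown's own code). It assumes the 15-minute window is measured from the first alert in a case and that "similar" means the same alert type and threat or file name; the sample alerts are constructed.

```python
"""Case consolidation as described above: similar alerts on the same endpoint
within a 15-minute period collapse into one case. Added illustration, not
ThreatDown code; window and "similar" are assumptions (see comments)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed to be measured from the case's first alert

@dataclass
class Alert:
    endpoint: str
    kind: str        # "DE" (detection) or "SA" (suspicious activity)
    name: str        # threat or file name reported on the endpoint
    time: datetime

@dataclass
class Case:
    title: str       # "<kind> - <name>", mirroring the case title format
    endpoint: str
    alerts: list = field(default_factory=list)

def consolidate(alerts):
    """Return the cases the alerts would collapse into, in creation order."""
    cases = []
    for alert in sorted(alerts, key=lambda a: a.time):
        title = f"{alert.kind} - {alert.name}"  # "similar" assumed to mean same title
        # Attach to the newest case with the same endpoint and title whose
        # first alert is no more than 15 minutes old; otherwise open a new case.
        for case in reversed(cases):
            if (case.endpoint == alert.endpoint and case.title == title
                    and alert.time - case.alerts[0].time <= WINDOW):
                case.alerts.append(alert)
                break
        else:
            cases.append(Case(title, alert.endpoint, [alert]))
    return cases

# Constructed sample alerts, not real telemetry.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    Alert("WS-01", "DE", "Malware.Sample", T0),
    Alert("WS-01", "DE", "Malware.Sample", T0 + timedelta(minutes=5)),    # joins first case
    Alert("WS-01", "DE", "Malware.Sample", T0 + timedelta(minutes=14)),   # joins first case
    Alert("WS-01", "DE", "Malware.Sample", T0 + timedelta(minutes=16)),   # new case: outside window
    Alert("WS-02", "DE", "Malware.Sample", T0 + timedelta(minutes=2)),    # new case: other endpoint
    Alert("WS-01", "SA", "powershell.exe", T0 + timedelta(minutes=3)),    # new case: different title
]
```

Running `consolidate(SAMPLE)` yields four cases: three alerts fold into the first, and the later, other-endpoint and differently titled alerts each open their own case.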

Click on the ID of a case to view additional details.

[Image: mth-cases-new.gif]

Each MTH case contains a wealth of detailed information, but the most important elements are:

  1. Title: Detection (DE) or Suspicious Activity (SA), followed by the threat or file name identified on the endpoint.
  2. Case ID: The unique case identifier assigned to an MTH case.
  3. Communications & History: An audit trail of all activities conducted by an analyst on an MTH case and a means for you to communicate with the analyst.
  4. Alerts & Artifacts: A page linking you to the various detections and alerts of a case.

Respond to MTH case notifications

The MTH analysts investigate and handle all your MTH cases so you don’t have to do it yourself. If they determine you need to take action on an MTH case, you’ll receive an email notification.

If you receive an email notification, follow these instructions:

  1. On the left navigation, click Managed Services.
  2. Click on the Cases tab.
  3. Find the MTH case using the case ID displayed in the email notification.
  4. Click on the Comments button to filter for comments left by an analyst.
  5. Perform the actions requested by the analyst.

Ask questions on an MTH case

If you have a question about an MTH case, follow these instructions to ask our analysts:

  1. On the left navigation, click Support.
  2. Click New support ticket.
  3. Fill out the Subject and Description.
  4. Select the issue I have a product issue or request > I have an MDR-related question/issue.
  5. Select the product Nebula > Modules & Services > Managed Threat Hunting.
  6. Click Save.

If you need help with your Nebula product, select the appropriate issue and product instead.

Once you’re familiar with the Managed Services page, proceed to Step 5 – Configure MTH Notifications.

Step 5 - Configure MTH Notifications

Notifications help you stay informed on the real-time and overall threat activity occurring in your environment.

Notifications

A notification is automatically created for MTH contacts you configured back in Step 2 – Enable MTH.

If you need additional personnel to be notified about cases or escalations, follow these steps to create a notification for other recipients:

  1. In Nebula, go to Configure > Notifications.
  2. Click New notification.
  3. Enter a notification name and click Next.
  4. Select Managed services activity > Case Management and click Next.
  5. Click Next to skip the Conditions page.
  6. Select the Email delivery method and enter a Subject.
  7. Select other Nebula admins or manually enter email addresses and click Next.
  8. Enable the following fields and click Complete:
    1. Case ID
    2. Case Name
    3. Priority
    4. Endpoints
    5. Case Creation Time

Still have questions?

Support is available via chat, phone or by creating a ticket. You can also use our virtual assistant for guided assistance.
