MDR analysts need certain policy settings enabled on your endpoint groups to monitor them. Follow the steps below to update your policies as recommended by MDR analysts:
- Go to Configure > Policies.
- Policies are assigned to groups, and endpoints belong to groups, so endpoints use their group's policy. Click the policy name used by your endpoints.
- Click the Protection settings tab and enable the following:
- Additional protection
- Self-Protection
- Enable Self-Protection Module earlier in the boot process
- Device control
- Automatically scan and quarantine threats when a USB device is inserted: This option does not appear if you block USB devices with the Block access to the device setting.
- Additional protection
- Click the Endpoint Detection and Response settings tab, then enable and configure the following:
- Suspicious activity monitoring and Suspicious activity monitoring on servers (if you have server licenses): MDR analysts cannot monitor your endpoints for suspicious activities without these settings enabled.
- Advanced settings:
- Collect networking events to include in searching
- Enable Event Tracing for Windows
- Advanced settings:
- Ransomware rollback
- Advanced settings:
- Rollback timeframe: 7 days
- Rollback free disk space quota: 30%
- Workstation rollback filesize: 20MB
- Server rollback filesize: 100MB
- Advanced settings:
- Endpoint Isolation
- Allow manual endpoint isolation
- Allow automatic isolation of endpoints when critical suspicious activity is found
- Network isolation
- Process isolation
- Desktop isolation
- Active Response Shell: Allows MDR analysts to execute a remote shell session to analyze the endpoints.
- Suspicious activity monitoring and Suspicious activity monitoring on servers (if you have server licenses): MDR analysts cannot monitor your endpoints for suspicious activities without these settings enabled.
- Click the Brute force protection settings tab, then enable and configure the following:
- Windows and server protocols: RDP Port number can be left blank
- Server protocols: Fill in the port number for each protocol as configured in your environment.
- Repeat these steps for any other policies your endpoints use.