Managed Detection and Response (MDR) must be configured by a Global Administrator before the MDR team can begin to monitor your Nebula site activity in your OneView console. You'll be prompted to configure MDR once you subscribe to the MDR service.
For more information on subscribing, see the following resources:
Note: The MDR team can only monitor endpoints with the Endpoint Detection and Response policy settings enabled. See Recommended policy settings for Managed Detection and Response.
MDR Contacts
When adding this service to a site, the MDR team must know which OneView users to contact when remediation steps are required for detections or suspicious activities. During emergency situations, you may be contacted by phone at any time of the day. Select OneView users and provide phone numbers for primary, backup, and alternate contacts that the MDR team can communicate with.
Note: The save button is grayed out if the following requirements are not met for selecting a contact or entering a phone number.
- The selected OneView user must be a Global Administrator or Site Administrator who has verified their account.
- Examples of valid phone numbers and formats:
- (555) 123-4567
- 555 123 4567
- +447891234500
- +49 30 1234567
- The same phone number cannot be used more than once.
OneView notifications are created for all contacts selected on this page. For more information, see Set up Managed Detection and Response notifications in OneView.
When deleting a OneView user who is a MDR contact from the Settings > Users page, you are prompted to select a new MDR contact.
Remediation authorization
You can choose the level of remediation service provided by the MDR team. Services range from fully managed to notifications only when there is a threat or suspicious activity.
- Managed: The MDR team will remove threats to protect your environment. This does not include rebooting, re-imaging, or other onsite tasks.
- Notification only: The MDR team notifies you of detected threats and provides detailed instructions to perform remediation.
Isolation authorization
Select whether to allow MDR analysts to perform isolation on any endpoints in your environment on your behalf. Once the devices are investigated and cleaned, isolation can be removed, which requires a reboot.
- Yes, authorize isolation: Allow MDR analysts to isolate any endpoint when necessary.
- Yes, but exclude machines in specific group(s): Select this to exclude specific groups of endpoints, such as your critical servers that you don't want isolated on your behalf.
- Do not authorize isolation: MDR analysts are not authorized to isolate any devices.
Update MDR settings
To edit these settings later, follow these steps:
- In OneView, go to Manage > Sites.
- Click on the site.
- In the slideout, click Manage Subscription > Manage Subscription.
- Click Next to go to the Services screen.
- Update the fields as needed.
- Click Next.
- Click Save.
Return to Managed Detection and Response.