A Super Admin must configure Managed Detection and Response (MDR) before the MDR team can monitor your Nebula console.
Note: The MDR team can only monitor endpoints with the Endpoint Detection and Response policy settings enabled. See ThreatDown recommended policy for Nebula.
New accounts require the initial admin to complete a setup wizard before they can access the rest of the Nebula pages. The next two admins invited by the first user are prompted to update and verify the MDR settings at login.
Existing customers who add MDR to their subscription or upgrade their bundles can go to the Managed Services page in Nebula and a pop-up displays prompting admins to configure MDR.
At any time, an admin can go to Managed Services > Edit Configurations to update their MDR settings.
MDR Contacts
The MDR team needs Nebula Super Admins to contact when remediation steps are required for a detection or suspicious activity. During emergencies, you may be contacted by phone at any time of the day. Select Super Admins and provide phone numbers for primary, backup, and alternate contacts the MDR team can reach.
Note: The save button is grayed out if the following requirements are not met for selecting a contact or entering a phone number.
- The selected Nebula user must be a Super Admin who has verified their account.
- Examples of valid phone numbers and formats:
- (555) 123-4567
- 555 123 4567
- +447891234500
- +49 30 1234567
- The same phone number cannot be used more than once.
Nebula notifications are created for all contacts selected on this page. For more information, see Set up Managed Detection and Response notifications in Nebula.
When deleting a Super Admin who is an MDR contact from the Settings > Users page, you are prompted to select a new MDR contact.
Remediation authorization
You can choose the level of remediation service provided by the MDR team.
- ThreatDown managed: The MDR team will remove threats to protect your environment. This does not include rebooting, re-imaging, or other onsite tasks.
- Guided Remediation: The MDR team notifies you of detected threats and provides detailed instructions to perform remediation.
Isolation authorization
Select whether to allow MDR analysts to perform isolation on any endpoints in your environment on your behalf. Once the devices are investigated and cleaned, isolation can be removed, which requires a reboot.
- Yes, authorize isolation: Allow MDR analysts to isolate any endpoint when necessary.
- Yes, but exclude machines in specific group(s): Select this to exclude specific groups of endpoints, such as your critical servers that you don't want isolated on your behalf. This option is only available from the Edit Configurations window, since new accounts don't have endpoints split into separate groups yet.
- Do not authorize isolation: MDR analysts are not authorized to isolate any devices.