Manage Endpoint Detections
Endpoint Detection enhances the Insight Agent’s capabilities to detect malicious activity on your assets and provides you with visibility into the specific action that triggered the detection.
As a Managed Detection and Response (MDR) customer, you can use this to monitor changes to assets that have the Insight Agent installed.
Upgrade with our Ransomware Prevention add-on
If you would like to be able to automatically take action on threats that have been detected with Endpoint Detection, you require the Ransomware Prevention add-on. Contact your Account Executive for purchasing options.
Group Details
Endpoint Detection requires that all eligible Insight Agents are associated with a detection group. For an initial deployment, all your eligible Insight Agents are automatically placed in a default group.
Assets can only belong to one Detection Group
You can create your own custom detection groups to configure Endpoint Detection, but note that each group has exclusive control of the asset within it. An asset can only be in one detection group at a time, and associating an asset with a new detection group means removing it from its existing group.
Detection Groups can be empty
Detection Groups do not require assets for the group to be created. Creating an empty detection group first allows you to prepare a new detection policy in isolation without affecting your assets and the rest of your Endpoint Detection configuration. You can return to the detection group at a later time and assign assets to it when you’re ready.
Create a detection group
- Go to Administration > Agents > Endpoint Detections.
- Click Create Detection Group. A window will prompt you to name and describe your group.
- At this point, you can move on to configure assets within the group and exclusions, or you can elect to finish creating the group and leave configuration for later:
  - To continue with the configuration, click Create and Configure.
  - To just create the detection group, click Create Group Only.
Detection groups must be empty to be deleted
Detection groups are considered in use as long as the group has at least one agent associated with it. Detection groups with any assets in them are not eligible for deletion. If you decide you no longer require the detection group, you must move all assets to another custom detection group or the default detection group before you can delete the group.
Assets
The assets tab provides a searchable overview of all assets in the default group for your organization, including details on the hostname, host status, operating system, when communication was last received from the asset, and IP address.
Activation Mode
Endpoint Detections can operate in one of two possible activation modes: Detection Only or Inactive. You configure this activation mode on a per-organization basis or per Detection Group:
- Detection Only - Your Insight Agents monitor your environment for malicious behaviors. When threats are detected, these events are logged and alerts are generated.
  - This is the default mode for Endpoint Detection.
- Inactive - This mode pauses all detection engines so that no detection rules run on assets; use it to troubleshoot your detection groups and Insight Agent configurations.
Inactive Mode
Inactive mode should only be used when absolutely necessary, as it will not create any alerts.
How to switch between activation modes
You can switch between activation modes at any time.
To switch activation mode for the organization:
- Go to Agents > Endpoint Detection > Activation Mode.
- Change your activation mode selection as necessary.
- Click Save Changes to finish.
To switch activation mode for a single detection group:
- Go to Agents > Endpoint Detection and select the detection group you wish to configure.
- Go to Activation Mode.
- Change your activation mode selection as necessary.
- Click Save Changes to finish.
Activation mode for detection groups is affected by your organization-level settings.
When configuring the activation mode, the activation mode set at the organization level defines the upper limit of the detection group level setting. For example, if your organization-level activation mode is set to Detection Only, you will only be able to select Detection Only or Inactive mode for your detection group.
Exclusions
You can create exclusions to reduce alerts generated by legitimate processes or benign behaviors. The Insight Agent will not alert on excluded data.
Exclusion types
While you may want to create some exclusions proactively, you may also need to create them after you receive an alert in InsightIDR about benign activity.
When creating an exclusion proactively, without the context of a given alert, the available exclusion types are Path and Hash. However, when creating an exclusion from an alert you received in InsightIDR, the Insight Platform will provide the applicable exclusion type based on the alert type and associated Detection Engine.
That means not all exclusion types are available for every alert. In addition, in some cases the process that triggered an alert is a container, sensitive, or generic process. The Insight Platform may adjust the applicable exclusion for these processes to give more granular exclusion. This is intended behavior to avoid security exposure.
Criteria you can exclude
You can exclude these types of detectable criteria from the Endpoint Detections:
- SHA256 hash - Allows you to exclude a file by its SHA256 hash value.
- Paths - Allows you to exclude a file path on your assets.
  - This exclusion type is useful if your assets run software or services at a specific location and you want to ensure that Endpoint Detections does not impact how these tools operate.
- Certificate - Allows you to exclude a digitally signed process by its certificate details. You can also choose the level at which the process certificate details are identified:
  - Publisher - Any executable process signed by the publisher information found in the certificate is excluded.
  - Product - Any executable process signed by the publisher and with the product definition found in the certificate is excluded.
  - File name - Any executable process signed by the publisher, with the product definition, and with the file name found in the certificate is excluded.
- Script - Allows you to exclude a specific script or command that a process is attempting to execute.
- File Access - Allows you to exclude specific directories or files that a process is attempting to reach.
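The certificate levels above differ in how much they silence: a publisher-level exclusion covers every binary that publisher signs, while a file-name-level exclusion covers one product binary. The following Python is an added illustration, not Rapid7's code or the Insight Agent's matching logic; it models hash, path and certificate exclusions against a few constructed process events so you can see how many detections each granularity would suppress. The path normalization (case-insensitive, separators unified) is an assumption for the sake of the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:            # the process a detection fired on (constructed model)
    path: str
    sha256: str
    publisher: str = ""        # empty when the binary is unsigned
    product: str = ""
    file_name: str = ""

@dataclass(frozen=True)
class Exclusion:
    kind: str                  # "hash", "path" or "certificate"
    value: str = ""            # SHA256 hex digest or file path, depending on kind
    publisher: str = ""        # certificate fields
    product: str = ""
    file_name: str = ""
    level: str = "publisher"   # certificate granularity: publisher | product | file_name

def matches(excl: Exclusion, ev: ProcessEvent) -> bool:
    if excl.kind == "hash":
        return ev.sha256.casefold() == excl.value.casefold()
    if excl.kind == "path":
        # assumption: paths compare case-insensitively with separators unified
        return (ev.path.replace("\\", "/").casefold()
                == excl.value.replace("\\", "/").casefold())
    if excl.kind == "certificate":
        if not ev.publisher or ev.publisher != excl.publisher:
            return False       # unsigned, or signed by a different publisher
        if excl.level == "publisher":
            return True        # broadest: every binary this publisher signs
        if ev.product != excl.product:
            return False
        if excl.level == "product":
            return True
        return ev.file_name == excl.file_name   # narrowest
    raise ValueError(f"unknown exclusion kind: {excl.kind}")

def is_suppressed(ev: ProcessEvent, exclusions: list[Exclusion]) -> bool:
    return any(matches(x, ev) for x in exclusions)

# Constructed sample: two binaries signed by the same publisher, plus one unsigned.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\ExampleBackup\backup.exe", "aa" * 32, "Example Backup Inc.", "BackupSuite", "backup.exe"),
    ProcessEvent(r"C:\Program Files\ExampleBackup\cleanup.exe", "bb" * 32, "Example Backup Inc.", "AdminTools", "cleanup.exe"),
    ProcessEvent(r"C:\Users\Public\unsigned.exe", "cc" * 32),
]

def suppressed_count(exclusions: list[Exclusion]) -> int:
    # how many of the sample events the given exclusions would silence
    return sum(is_suppressed(ev, exclusions) for ev in SAMPLE_EVENTS)
```

With the sample events, a publisher-level exclusion silences both signed binaries, whereas the product or file-name level silences only the backup tool, which is why a narrower exclusion is the safer default when the alert context allows it.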
Scope of exclusions
You can apply exclusions to all of the detection groups in your organization or to a selection of detection groups of your choosing. Select a single detection group to apply only to the Insight Agents in that group.
Configure an exclusion
- Go to Administration > Data Collection > Agents > Endpoint Detections > Exclusions.
  - Alternatively, click the Data Collection Management icon at the top of the screen, then click Agents > Endpoint Detections > Exclusions.
- Click Create Exclusion.
- Select the operating system.
- Select if this exclusion will apply to all detection groups or a selection of detection groups.
- Select the exclusion type.
- Based on the type you selected, enter a value as prompted by the example shown.
- Give the exclusion a description.
- Click Save when finished.
View existing exclusions
You can view and edit exclusions from the Exclusions tab. The exclusions you create can be viewed under Applied to All or Applied to Selection, depending on how you configured the exclusion. In the Applied to Selection tab, you can expand the exclusion to view which detection groups it has been applied to.
Alternatively, go to Administration > Data Collection > Agents > Endpoint Detection > Detection Groups to view exclusions you have created from the detection group they are applied to.