"Critical importance" classification for device

RobyFT
RobyFT Member Posts: 3 Security Scout

Good morning, we have a premium EPP subscription and now we are testing EDR with a trial license.

Looking at Automated actions → Add rule it shows

Where do I assign or remove "critical importance" for a device?

If this is an automatic classification, where can I see how a device is classified for this rule?

I read the documentation fsedr-adminguide_eng.pdf and found instructions for "Changing the importance of monitored hosts", but it refers to functions/sections I can't find in my portal, and also the classifications listed (server, technical device, non-technical, unknown) are not referring to the "critical importance" classification.

Thank you

Roberto

Answers

  • Sethu Laks
    Sethu Laks Staff, Moderator Posts: 266 W/ Moderator

    Hi @RobyFT

    Thank you for reaching out to the WithSecure Community.

    To manually change the importance of monitored hosts, follow these instructions:

    1. Go to the Environment > Devices view of the customer organization that you want to edit.
    2. In the View menu, select EDR status.
       The EDR Device classification column shows how WithSecure Elements Endpoint Detection and Response has classified the host, and the Device Importance column shows the importance you have assigned to the host.
    3. Select the host that you want to edit by selecting its name.
    4. Select Update importance.
    5. Select the new status for the selected hosts from the pull-down menu.
    6. Select Update.

    Reference:

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home

  • RobyFT
    RobyFT Member Posts: 3 Security Scout

    Thanks for the info.

    Anyway, this is OK for devices with "EPP+EDR computer"; I'm also testing "EPP+EDR server", and in this case I don't have the "EDR status" section. I still have the option to change importance, but can't see how it is currently classified. Is that info placed in another section? Or do all servers automatically have the "critical" classification? Thanks again.

    Best regards Roberto

  • RobyFT
    RobyFT Member Posts: 3 Security Scout

    Thank you for the clarification, just what I need.

    Roberto
