"Critical importance" classification for device

RobyFT W/ Member Posts: 3 Security Scout

Good morning, we have a premium EPP subscription and now we are testing EDR with a trial license.

Looking at Automated actions → Add rule it shows

Where do I assign or remove "critical importance" for a device?

If this is an automatic classification, where can I see how a device is classified for this rule?

I read the documentation fsedr-adminguide_eng.pdf and found instructions for "Changing the importance of monitored hosts", but it refers to functions/sections I can't find in my portal, and the classifications listed (server, technical device, non-technical, unknown) do not refer to the "critical importance" classification.

Thank you

Roberto

Best Answer

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 245 Moderator
    Solved
    Hi @RobyFT

    Another method, the Device view itself allows for displaying EDR Device classification and also enables the modification of device importance.

    The EDR device classification corresponds to the XDR profile of the device with the highest confidence score when receiving events from the XDR events queue. The importance is derived directly from the XDR events queue but can be manually adjusted if necessary.

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home

Answers

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 245 Moderator
    Hi @RobyFT

    Thank you for reaching out to the WithSecure Community.

    To manually change the importance of monitored hosts, follow these instructions:

    1. Go to the Environment > Devices view of the customer organization that you want to edit.
    2. In the View menu, select EDR status.
       The EDR Device classification column shows how WithSecure Elements Endpoint Detection and Response has classified the host, and the Device Importance column shows the importance you have assigned to the host.
    3. Select the host that you want to edit by selecting its name.
    4. Select Update importance.
    5. Select the new status for the selected hosts from the pull-down menu.
    6. Select Update.

    Reference:

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home

  • RobyFT
    RobyFT W/ Member Posts: 3 Security Scout

    Thanks for the info.

    Anyway, this is OK for devices with "EPP+EDR computer". I'm also testing "EPP+EDR server", and in this case I don't have the "EDR status" section. I still have the option to change importance, but can't see how it is currently classified. Is that info placed in another section? Or do all servers automatically have the "critical" classification? Thanks again.

    Best regards, Roberto

  • RobyFT
    RobyFT W/ Member Posts: 3 Security Scout

    Thank you for the clarification, just what I need.

    Roberto