Issue:
Normally, the alert notification email from EDR is sent when a detection with the risk level "Severe", "High" or "Medium" has been added to the portal, but is it possible to configure the alert email so that it is ONLY sent when a "Severe" or "High" risk level detection has happened? Is it possible to filter the email alerts coming from EDR? I don't want to get a lot of low risk alert emails, but only medium and higher. Or only high or severe etc.
Resolution:
From the Management > Organization Settings > Detection and Response settings tab, it is not possible to choose which EDR detection risk levels trigger email notifications.
In this case, use the following workaround to generate an email report that is only sent when there is a High or Severe level detection:
- Log in to the Elements portal
- Go to Events > Security Events
- Apply these two filters:
  - Source Equals EDR
  - Severity Equals Action needed
- Open the view menu on the top right corner and select "Save as" at the bottom of the menu
- Give the view a descriptive name and save it
- Go to Reports > Email notification and report
- Click Add email report
- Give it a name you want to see in your email subject
- For Data source select Security Events
- For template select the view you previously created
- Configure the schedule and recipient (the Continuous schedule sends an email every 10 minutes if a new event has appeared)
- Leave the "Send only when report has content" toggle enabled
- Click Save
This report is sent whenever a High or Severe level detection appears on that Security Events page. Unfortunately, it is not possible to send emails only about Severe level detections, because on the Security Events page the "Severity equals Action needed" filter includes both High and Severe level detections.
We will be improving those reporting and email features this year, but there is no specific estimate at this time.
Note that if you try to send a test report from the new report using the Send test report button, you must first temporarily disable "Send only when report has content": if the report has no content, the test report will not be sent either.
A more detailed explanation of why the test report is not sent is available here: https://community.withsecure.com/en/kb/articles/31416-no-test-report-sent-when-security-events-source-is-used-for-elements-email-notification-and-report
Article no: 000029932