WithSecure Elements Endpoint Detection and Response
-
WithSecure and the MITRE “Turla” results
Background Information WithSecure participated in the 2023 MITRE ATT&CK Evaluation (“Turla”). This was the fifth time we have taken part in the evaluations, run annually by MITRE. MITRE Turla evaluation results can be found here What is MITRE Turla From MITRE: “Turla is a Russian-based threat group that has infected…
-
Upcoming release for the new Broad Context Detection (BCD) details view
UPDATE: The new view will be available in production from Monday 25th September. The exact time is not yet known. The new Broad Context Detection (BCD) details view is being fully released in production during September and will become the new default view, and replaces the old Broad Context Detection details view. We will…
-
Changes in EDR Automated responses
UPDATE: This change has now been released to production, and is now available for all customers! The Automated Response view is being revamped! It is being replaced by a new view called ‘Automated Actions’. The functionality stays the same and you can still configure ‘Device isolation’ rules that run 24/7 and specify the…
-
Improvements in Broad Context Detection handling
Recently we have added new functionality to reduce noise and also increase the speed of processing new Broad Context Detections (BCD). Now an automated suppression mechanism will activate if any detection that is part of a BCD earlier closed as a false positive repeats on more than 4 days within a 30-day period, or repeats more than 5…
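The following is an added illustration of the first suppression trigger described above (a repeat on more than 4 distinct days within a 30-day period); it is example code written for this page, not WithSecure's implementation. It assumes a feed of detection events as (detection id, timestamp) pairs and a set of detection ids previously closed as false positives; the detection ids and timestamps below are constructed. The second trigger is truncated on the page and is not modelled.

```python
from datetime import datetime, timedelta

# Parameters taken from the rule text on this page.
WINDOW = timedelta(days=30)
MAX_REPEAT_DAYS = 4  # suppression activates once distinct repeat days exceed this


def should_suppress(events, detection_id, closed_as_fp, now):
    """Return True if detection_id was earlier closed as a false positive and has
    repeated on more than MAX_REPEAT_DAYS distinct calendar days in the 30 days
    ending at `now`. Several repeats on the same day count as one day.

    events:       iterable of (detection_id, datetime) tuples
    closed_as_fp: set of detection ids previously closed as false positive
    """
    if detection_id not in closed_as_fp:
        # Only detections already judged false positive are candidates.
        return False
    window_start = now - WINDOW
    repeat_days = {
        ts.date()
        for det, ts in events
        if det == detection_id and window_start <= ts <= now
    }
    return len(repeat_days) > MAX_REPEAT_DAYS


def evaluate_all(events, closed_as_fp, now):
    """Return {detection_id: suppress?} for every detection id seen in events."""
    ids = {det for det, _ in events}
    return {det: should_suppress(events, det, closed_as_fp, now) for det in sorted(ids)}


# Constructed sample data (hypothetical detection ids, not real WithSecure ids).
NOW = datetime(2023, 10, 1, 12, 0)
CLOSED_AS_FP = {"D-fp-noisy", "D-fp-quiet"}
SAMPLE_EVENTS = [
    # Closed as FP, repeats on 5 distinct days inside the window -> suppress.
    ("D-fp-noisy", datetime(2023, 8, 25, 9, 0)),   # outside the 30-day window
    ("D-fp-noisy", datetime(2023, 9, 5, 9, 0)),
    ("D-fp-noisy", datetime(2023, 9, 5, 17, 30)),  # same day, counts once
    ("D-fp-noisy", datetime(2023, 9, 10, 9, 0)),
    ("D-fp-noisy", datetime(2023, 9, 15, 9, 0)),
    ("D-fp-noisy", datetime(2023, 9, 20, 9, 0)),
    ("D-fp-noisy", datetime(2023, 9, 28, 9, 0)),
    # Closed as FP, but only 4 distinct days -> not more than 4, no suppression.
    ("D-fp-quiet", datetime(2023, 9, 6, 9, 0)),
    ("D-fp-quiet", datetime(2023, 9, 12, 9, 0)),
    ("D-fp-quiet", datetime(2023, 9, 18, 9, 0)),
    ("D-fp-quiet", datetime(2023, 9, 24, 9, 0)),
    # Never closed as FP: repeats every few days but must stay visible.
    ("D-live", datetime(2023, 9, 3, 9, 0)),
    ("D-live", datetime(2023, 9, 7, 9, 0)),
    ("D-live", datetime(2023, 9, 11, 9, 0)),
    ("D-live", datetime(2023, 9, 15, 9, 0)),
    ("D-live", datetime(2023, 9, 19, 9, 0)),
    ("D-live", datetime(2023, 9, 23, 9, 0)),
]

if __name__ == "__main__":
    for det, suppress in evaluate_all(SAMPLE_EVENTS, CLOSED_AS_FP, NOW).items():
        print(f"{det}: {'suppress' if suppress else 'keep'}")
```

The point worth checking in any such counter is that the 30-day window and the distinct-day count are both applied: an event older than the window and a second hit on the same day are both ignored, and a detection that was never closed as a false positive is never a candidate no matter how often it recurs.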
-
How to activate WithSecure Elements Endpoint Detection and Response when using Policy Manager?
Issue: How can I activate Elements Endpoint Detection and Response for Client Security or Server Security using Policy Manager? Resolution: The endpoint sensors are lightweight, discreet sensors, which are included in Client Security 14.xx and Server Security 14.xx and newer. These sensors collect behavioural…
-
Why is the Isolate device button missing from the device's information page in the Elements Endpoint Detection and Response portal?
Issue: Why is the Isolate device button missing from the device's information page in the Elements Endpoint Detection and Response portal? Resolution: The Isolate device function in the Endpoint Detection and Response Portal is only available for EDR for Computers and for Servers host devices, which have the Elements…
-
Endpoint Detection and Response (EDR) sensor in Business Suite Client Security or Server Security is unable to connect to the backend
Issue: Endpoint Detection and Response (EDR) sensor in Business Suite Client Security or Server Security is unable to connect to the backend. The user interface shows "Sensor is not activated" status and the device is not visible in the EDR Portal. Resolution: WithSecure recommends adding the following scope to whitelisted…
-
Elements Endpoint Detection and Response (EDR) execution start and detection date / time mismatch
Issue: There is a date / time mismatch between the Elements Endpoint Detection and Response (EDR) execution start and the detection. How is that possible? Resolution: The host needs to be turned on and have an active internet connection in order to upload the detection information to the EDR portal. If the host goes to…
-
How to remove a device from the Elements Endpoint Detection and Response portal?
Issue: I have uninstalled the sensor, how to remove the device from the Elements Endpoint Detection and Response portal? Resolution: The devices cannot be manually removed from the Elements Endpoint Detection and Response portal. Inactive devices will remain in the Elements Endpoint Detection and Response (EDR) portal…
-
WithSecure Elements Endpoint Detection and Response sensor installation failed and does not activate on Ubuntu without auditd package
Issue: WithSecure Elements Endpoint Detection and Response (EDR) sensor does not activate on Ubuntu. The state appears as "Waiting for connection" in the Elements Endpoint Protection portal and the Elements Endpoint Detection and Response portal. Resolution: Elements Endpoint Detection and Response functionality requires…