Data Lake Detections EDR - request ability to flag as acknowledged

Hi,

We got our first detections. As we're working with Central as a team from different locations, it would be cool if we could flag such a detection as acknowledged, the same way as we can for the normal threat detections (OK, just learned you've renamed them to "Threat Graphs" recently).

Currently, multiple admins are doing the same checks and searches for those detections even if another admin has already finished all analysis.

In this case our life cycle management tool performed a "vssadmin delete shadows /for=c: /ALL /quiet" on both computers.

So I expect these events will fill up the list soon.



This thread was automatically locked due to age.
  • Hi Larry, this is something we are looking at. In the shorter term, in December we'll be adding our new Investigation capability, which will allow admins to create cases based on interesting Detections and enables admins to collaborate more efficiently and share details on investigations that can include multiple, separate detections. Investigations will automatically get created for high-priority Detections or for any Detections you manually want to create a case for. Investigations can then be closed/deleted so that you don't have this issue. Stay tuned for some upcoming demos on the new Investigations functionality.

  • A few other things to note: when Investigations are created you can assign the admins you want to them. New detections on a device will auto-group into an existing Investigation, and Investigations will support notes and a status for managing them.

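As an added example (not code from this thread or from Sophos Central), the script below models the workflow both posts describe: a detection rule for the shadow-copy deletion the poster hit (`vssadmin delete shadows`, generalised here to also cover `wmic shadowcopy delete`, the other common form of the same technique), plus a small case model with the behaviour the reply promises: a new detection on a device auto-groups into that device's open Investigation, Investigations carry assignees, notes and a status, and closing one records who signed it off. The event shape, the field names, the agent name `lcm-agent.exe` and the `CaseManager`/`Investigation` classes are all assumptions made for illustration; the events are constructed, not real telemetry.

```python
"""Shadow-copy deletion detection plus per-device Investigation grouping.

Constructed example only: event fields, the Investigation/CaseManager classes
and the agent name "lcm-agent.exe" are assumptions, not Sophos Central's API.
"""
import re
from dataclasses import dataclass, field

# Constructed process-creation events. Events 1 and 2 mirror the poster's case
# (a life-cycle management agent deleting shadow copies on two machines);
# events 3 and 4 are added to exercise the grouping and the non-match path.
SAMPLE_EVENTS = [
    {"id": 1, "host": "PC-01", "parent": "lcm-agent.exe",
     "cmdline": "vssadmin delete shadows /for=c: /ALL /quiet"},
    {"id": 2, "host": "PC-02", "parent": "lcm-agent.exe",
     "cmdline": "vssadmin delete shadows /for=c: /ALL /quiet"},
    {"id": 3, "host": "PC-02", "parent": "powershell.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"id": 4, "host": "PC-03", "parent": "explorer.exe",
     "cmdline": "vssadmin list shadows"},          # enumeration only, not deletion
]

# Shadow-copy deletion via vssadmin or wmic (MITRE ATT&CK T1490, Inhibit System
# Recovery). Case-insensitive because the command line is not case-normalised.
SHADOW_DELETE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)


def is_shadow_deletion(cmdline):
    """True when the command line deletes volume shadow copies."""
    return SHADOW_DELETE.search(cmdline) is not None


@dataclass
class Investigation:
    case_id: int
    host: str
    status: str = "open"                      # "open" or "closed"
    assignees: list = field(default_factory=list)
    notes: list = field(default_factory=list)   # (admin, text) pairs
    detection_ids: list = field(default_factory=list)


class CaseManager:
    """Groups matching detections into one open Investigation per device."""

    def __init__(self):
        self.cases = []

    def open_case_for(self, host):
        for case in self.cases:
            if case.host == host and case.status == "open":
                return case
        return None

    def ingest(self, events):
        """Run the rule over events; return (opened_case_ids, grouped_case_ids)."""
        opened, grouped = [], []
        for event in events:
            if not is_shadow_deletion(event["cmdline"]):
                continue
            case = self.open_case_for(event["host"])
            if case is None:
                # No open case for this device: create one, as the reply
                # describes for high-priority detections.
                case = Investigation(case_id=len(self.cases) + 1, host=event["host"])
                self.cases.append(case)
                opened.append(case.case_id)
            else:
                # Open case exists: auto-group rather than re-alerting admins.
                grouped.append(case.case_id)
            case.detection_ids.append(event["id"])
        return opened, grouped

    def assign(self, case_id, admin):
        self.cases[case_id - 1].assignees.append(admin)

    def close(self, case_id, admin, note):
        """Closing records who signed off and why, so others can skip re-triage.
        It does not suppress future detections on the host: those open a new
        case, so an acknowledged benign tool cannot mask later real activity."""
        case = self.cases[case_id - 1]
        case.notes.append((admin, note))
        case.status = "closed"
        return case


if __name__ == "__main__":
    cm = CaseManager()
    print(cm.ingest(SAMPLE_EVENTS[:2]))     # two hosts -> two new cases
    cm.assign(1, "larry")
    cm.close(1, "larry", "LCM tool scheduled job, benign")
    print(cm.ingest(SAMPLE_EVENTS[2:]))     # wmic on PC-02 groups into case 2
```

The sign-off note lives on the case, which is what the poster asked for: a second admin opening case 1 sees it is closed, by whom and why, and does not repeat the search. The deliberate caveat is in `close()`: an acknowledgement must not become an allow-list, so a later deletion on an acknowledged host opens a fresh case rather than being silently dropped.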