Endpoint Alerts

Tony_Graham — Tue, 02 May 2023 16:08:36 GMT

So I have a real beef with Endpoint alerts. Presently looking in the Infinity Portal I can set alerts

based on a number of criteria. One such criteria is 'The computer is infected.'

Now for configuration of this alert I can set 'Trigger alert when the condition affects' with a setting

to set the number of infected devices to trigger an alert. Unfortunately the minimum setting is 10.

Now I don't know about you but I want to know immediately if someone is infected.

Worse, I have 10 employees so what you are really saying is, 'Ah it's okay there's only 10 infections...

Hmmm, it's our entire organization.

Now I can set it using percentage 10% which would be 1, but it's a very odd choice to stop at 10 devices.

Re: Endpoint Alerts

Chris_Atkinson — Wed, 03 May 2023 12:17:40 GMT

Hi Tony,

Would recommend further exploring the Threat Hunting queries, which you can bookmark and set notifications for.

Example:

Login to Infinity Portal, navigate to Harmony Endpoint and the Threat Hunting section.
In the search/query area, change Process to Detection Event.
Click on the Plus icon and add:
a. Detection: Attack Status = Exists
b. Detection: Triggered By IS Endpoint Anti-Ransomware
Click on the “Star” icon to bookmark the query for repeat/future use.
Fill in the details of Name and Importance and place a check mark in the “Send Email Notification” box.
Note the tag name will allow grouping of bookmarks within the menu section. This is optional.
By default alert notifications are sent every hour, on the hour. Shortly after the top of the hour, the admins of the portal should get an email alert based on the query bookmarked.
To check/review the notification settings click the three dot icon next to the query bar and navigate to notifications.