Managed Detection & Response (MDR) Beta Guide

Beta (October 2024)

Updated over 4 months ago

This Guardz MDR Beta guide will walk you through the process of activating and configuring the Automated Detection & Response feature within the Guardz platform.

Activation

  1. Go to Security Controls > Automated Detection & Response

  2. Select "Activate" & grant the relevant permissions

    • This step must be done per organization with admin credentials.

    • Use the customer toggle in the top bar to select the orgs.

  3. Configure your "Response Preferences" and "Communication Preferences."

    • These preferences can be set on a Global level and applied across all organizations.

Settings

Response Preferences:

These settings define actions such as suspending users or isolating devices and whether they should be automated or require manual authorization.

Communication Preferences:

These settings define how you and your team should be contacted during a confirmed security event.

Incident Management

What is an Incident?

Incidents are a consolidated view of security events that happen within a defined timeframe. These incidents combine multiple detections of potential security threats. For instance, a "Potential Account Compromise" could result from various triggers, such as:

  • Missing MFA requirements

  • Leaked credentials

  • Suspicious login activities

  • Phishing emails

  • Malicious mailbox rule changes
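To make the consolidation concrete, here is a small added model (example code, not part of the Guardz guide or product) that groups the trigger categories listed above into per-account incidents within a time window. The 24-hour window, the trigger names and the sample detections are all assumptions constructed for the example; the page does not state the actual timeframe or grouping logic.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Assumed consolidation window; the page only says "a defined timeframe".
WINDOW = timedelta(hours=24)
# Trigger categories the page lists for a "Potential Account Compromise".
TRIGGERS = {"missing_mfa", "leaked_credentials", "suspicious_login",
            "phishing_email", "malicious_mailbox_rule"}

@dataclass
class Detection:
    ts: datetime
    account: str
    trigger: str

@dataclass
class Incident:
    account: str
    detections: list = field(default_factory=list)

    def timeline(self):
        # chronological (timestamp, trigger) pairs, as a timeline view would show them
        return [(d.ts, d.trigger) for d in sorted(self.detections, key=lambda d: d.ts)]

    def trigger_types(self):
        return {d.trigger for d in self.detections}

def consolidate(detections, window=WINDOW):
    """Per account, a gap longer than `window` since the previous detection opens a new incident."""
    incidents, open_by_account = [], {}
    for d in sorted(detections, key=lambda d: d.ts):
        if d.trigger not in TRIGGERS:
            continue  # not a trigger of this incident type
        inc = open_by_account.get(d.account)
        if inc is None or d.ts - inc.detections[-1].ts > window:
            inc = Incident(d.account)
            incidents.append(inc)
            open_by_account[d.account] = inc
        inc.detections.append(d)
    return incidents

# Constructed sample detections (not real data).
T0 = datetime(2024, 10, 1, 9, 0)
SAMPLE = [
    Detection(T0, "alice@example.com", "leaked_credentials"),
    Detection(T0 + timedelta(hours=2), "alice@example.com", "suspicious_login"),
    Detection(T0 + timedelta(hours=5), "alice@example.com", "malicious_mailbox_rule"),
    Detection(T0, "bob@example.com", "missing_mfa"),
    Detection(T0 + timedelta(hours=1), "bob@example.com", "outdated_os"),  # ignored
    Detection(T0 + timedelta(days=3), "bob@example.com", "phishing_email"),
]
```

Running `consolidate(SAMPLE)` yields one incident for alice with three related detections and two separate incidents for bob, because his second detection falls outside the window.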

Where are incidents found?

Incidents are found on the same page as other issues and detections, but grouped at the top of the page: Detection & Response > "Incidents"

How to understand an incident?

  • Incident Review: Once an incident is validated, response actions may be initiated automatically, recommended to the admin, and/or communicated directly through outreach.

  • Incident Timeline: Provides context on what happened (detections & responses), when it happened (date & timestamp), and further details (issue drawer).

  • Incident Report: The PDF report can be downloaded on demand and contains an overview of all related events.

  • Incident Playbook: The playbook offers some additional steps that can be taken as part of incident response.

  • Incident Closure: Admins have the authority to manually close incidents after verification that the threat has been neutralized or deemed non-critical.

Demo Incident

A Demo Incident will be visible in your demo customer account (or across all customers) under the Detections & Response page. This demo incident showcases how Guardz MDR handles real-time security threats.

  • No Action Required: You are not required to take any action or close the demo incident, but if you do so, we can reset the demo data upon request.

  • Accessing Demo Data: If the demo account is not visible, navigate to the customer page (top right, next to the “New” button) and toggle the “Demo Data” option to activate the demo incident view.

For any questions or feedback, feel free to reach out to our team.
