Skip to main content

Auto Alert Remediation

  • Updated

Currently available only for SentinelOne, CrowdStrike, and Microsoft Dender for Endpoints integrations (more to come!).

To configure auto-remediation, please contact us at support@intezer.com.

 

Intezer’s auto alert remediation is a feature that automatically closes false positive alerts in your EDR instance based on Intezer’s verdict. The purpose is to reduce false positives and save valuable time for your team, helping you focus on alerts that require deeper investigation.

 

How does it work?

What type of alerts are auto-remediated?

How will I know that an alert was auto-remediated by Intezer?

How to get started?

 

How does it work?

Any alert that EDR deems to be risky or malicious but Intezer issues a “Trusted” verdict after deeper analysis is considered a “false positive” by Intezer.

 

All false positive alerts that fall into your pre-configured types (see the section below) are then auto-remediated by Intezer. For these alerts, Intezer does the following:

  • For SentinelOne - changes the initial Analyst Verdict of the alert to “False Positive” and updates the Incident Status to “Resolved”.
  • For CrowdStrike - changes the initial Detection Status to “False Positive”.
  • For Microsoft Defender for Endpoints - changed the alert status to "Resolved".

 

What type of alerts are auto-remediated?

Based on a pre-defined configuration, you select the alert classifications that you would like to apply auto-remediation. At the bottom of this page, you can see a full list of SentinelOne classifications. We recommend starting with low-severity classifications such as “PUA” and “Adware”

 

How will I know that an alert was auto-remediated by Intezer?

  • SentinelOne
    A note will be added to the alert in your S1 console: 
    mceclip1.png
  • CrowdStrike
    A comment will be added to the detection in your CS console:
    Screen_Shot_2022-11-23_at_16.19.32.png

How to get started?

Here’s how to get started with auto-remediating false positive alerts:

  1. Ensure that your integration user has the right permissions
    • SentinelOne
      Threats:

      • Threats update analyst verdict

      • Threats update incident status

    • CrowdStrike
      Detections: Read and Write
  2. Contact us at support@intezer.com with the classifications you would like to auto-remediate. We recommend starting with low-severity classifications such as “PUA” and “Adware.” In the future, this configuration will be accessible via your Intezer dashboard.

SentinelOne classifications that can be configured:

  • Low severity
    PUA (Potentially Unwanted Application), Adware, Packed, Toolbar, Application Control, Benign

  • Medium severity
    Malware, Linux.Malware, Generic.Heuristic, Hacktool, Spyware, Virus, Cryptominer, Miner, Phishing, Malicious Office Document

  • High severity
    Infostealer, Exploit, Trojan, Worm, Interactive shell, Dropper, Downloader

  • Critical severity
    Ransomware, Backdoor, Rootkit

CrowdStrike classifications that can be configured:

  1. Informational
  2. Low
  3. Medium
  4. High
  5. Critical

 

Example of a False Positive Alert:

SentinelOne
S1_auto_remedate.png

CrowdStrike

Screen_Shot_2022-11-23_at_16.32.08.png

Return to top