Currently available for the SentinelOne and CrowdStrike integrations only (more to come!).
To configure auto-remediation, please contact us at email@example.com.
Intezer’s auto alert remediation is a feature that automatically closes false positive alerts in your EDR instance based on Intezer’s verdict. The purpose is to reduce false positives and save valuable time for your team, helping you focus on alerts that require deeper investigation.
How does it work?
Any alert that the EDR deems risky or malicious, but for which Intezer issues a “Trusted” verdict after deeper analysis, is considered a “false positive” by Intezer.
All false positive alerts that fall into your pre-configured types (see the section below) are then auto-remediated by Intezer. For these alerts, Intezer does the following:
- For SentinelOne - changes the initial Analyst Verdict of the alert to “False Positive” and updates the Incident Status to “Resolved”.
- For CrowdStrike - changes the initial Detection Status to “False Positive”.
What type of alerts are auto-remediated?
Based on a pre-defined configuration, you select the alert classifications to which you would like auto-remediation applied. At the bottom of this page, you can see a full list of SentinelOne classifications. We recommend starting with low-severity classifications such as “PUA” and “Adware”.
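The decision described in the two sections above (EDR flags the alert, Intezer returns “Trusted”, the classification is on your configured list, and the EDR record is then updated per vendor) is modelled below as a small policy function. This is an added illustration, not Intezer's code: the EDR names, field names and sample alerts are constructed assumptions, and the returned dict only describes the intended update rather than calling any vendor API.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed default: the page recommends starting with low-severity classifications.
DEFAULT_ENABLED_CLASSIFICATIONS = frozenset({"PUA", "Adware"})
EDR_RISKY_VERDICTS = frozenset({"malicious", "suspicious"})


@dataclass(frozen=True)
class EdrAlert:
    edr: str             # "sentinelone" or "crowdstrike" (assumed labels)
    alert_id: str        # constructed identifier
    classification: str  # EDR classification, e.g. "PUA", "Adware", "Interactive shell"
    edr_verdict: str     # what the EDR flagged the alert as


def is_false_positive(alert: EdrAlert, intezer_verdict: str) -> bool:
    """EDR considers the alert risky, but Intezer's deeper analysis says Trusted."""
    return alert.edr_verdict.lower() in EDR_RISKY_VERDICTS and intezer_verdict == "Trusted"


def plan_remediation(alert: EdrAlert, intezer_verdict: str,
                     enabled=DEFAULT_ENABLED_CLASSIFICATIONS) -> Optional[dict]:
    """Return the update to apply in the EDR console, or None to leave the alert untouched."""
    if not is_false_positive(alert, intezer_verdict):
        return None  # still malicious/suspicious per Intezer: leave for analyst review
    if alert.classification.casefold() not in {c.casefold() for c in enabled}:
        return None  # false positive, but not in the pre-configured types
    note = f"Auto-remediated by Intezer: verdict {intezer_verdict} for alert {alert.alert_id}"
    if alert.edr == "sentinelone":
        return {"alert_id": alert.alert_id, "analyst_verdict": "False Positive",
                "incident_status": "Resolved", "note": note}
    if alert.edr == "crowdstrike":
        return {"detection_id": alert.alert_id, "detection_status": "False Positive",
                "comment": note}
    raise ValueError(f"unsupported EDR: {alert.edr}")


# Constructed sample alerts used for a quick self-check.
SAMPLE_S1_PUA = EdrAlert("sentinelone", "s1-0001", "PUA", "malicious")
SAMPLE_S1_SHELL = EdrAlert("sentinelone", "s1-0002", "Interactive shell", "malicious")
SAMPLE_CS_ADWARE = EdrAlert("crowdstrike", "cs-0001", "Adware", "suspicious")
```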
How will I know that an alert was auto-remediated by Intezer?
A note will be added to the alert in your S1 console, and a comment will be added to the detection in your CS console.
How to get started?
Here’s how to get started with auto-remediating false positive alerts:
- Ensure that your integration user has the right permissions:
  - SentinelOne: Threats update analyst verdict; Threats update incident status
  - CrowdStrike: Detections: Read and Write
- Contact us at firstname.lastname@example.org with the classifications you would like to auto-remediate. We recommend starting with low-severity classifications such as “PUA” and “Adware”. In the future, this configuration will be accessible via your Intezer dashboard.
SentinelOne classifications that can be configured:
- PUA (Potentially Unwanted Application)
- Application Control
- Interactive shell
CrowdStrike classifications that can be configured:
Example of a False Positive Alert: