Currently available only for SentinelOne, CrowdStrike, and Microsoft Dender for Endpoints integrations (more to come!).
To configure auto-remediation, please contact us at firstname.lastname@example.org.
Intezer’s auto alert remediation is a feature that automatically closes false positive alerts in your EDR instance based on Intezer’s verdict. The purpose is to reduce false positives and save valuable time for your team, helping you focus on alerts that require deeper investigation.
How does it work?
Any alert that EDR deems to be risky or malicious but Intezer issues a “Trusted” verdict after deeper analysis is considered a “false positive” by Intezer.
All false positive alerts that fall into your pre-configured types (see the section below) are then auto-remediated by Intezer. For these alerts, Intezer does the following:
- For SentinelOne - changes the initial Analyst Verdict of the alert to “False Positive” and updates the Incident Status to “Resolved”.
- For CrowdStrike - changes the initial Detection Status to “False Positive”.
- For Microsoft Defender for Endpoints - changed the alert status to "Resolved".
What type of alerts are auto-remediated?
Based on a pre-defined configuration, you select the alert classifications that you would like to apply auto-remediation. At the bottom of this page, you can see a full list of SentinelOne classifications. We recommend starting with low-severity classifications such as “PUA” and “Adware”.
How will I know that an alert was auto-remediated by Intezer?
A note will be added to the alert in your S1 console:
A comment will be added to the detection in your CS console:
How to get started?
Here’s how to get started with auto-remediating false positive alerts:
- Ensure that your integration user has the right permissions
Threats update analyst verdict
Threats update incident status
Detections: Read and Write
- Contact us at email@example.com with the classifications you would like to auto-remediate. We recommend starting with low-severity classifications such as “PUA” and “Adware.” In the future, this configuration will be accessible via your Intezer dashboard.
SentinelOne classifications that can be configured:
- Low severity
PUA (Potentially Unwanted Application), Adware, Packed, Toolbar, Application Control, Benign
- Medium severity
Malware, Linux.Malware, Generic.Heuristic, Hacktool, Spyware, Virus, Cryptominer, Miner, Phishing, Malicious Office Document
- High severity
Infostealer, Exploit, Trojan, Worm, Interactive shell, Dropper, Downloader
- Critical severity
Ransomware, Backdoor, Rootkit
CrowdStrike classifications that can be configured:
Example of a False Positive Alert: