What are automated response policies?
This article describes the purpose and function of automated response security policies.
NOTE: For detailed information about the Policies page, refer to Working with the Policies page.
Overview
Automated response policies are pre-defined detection rules that can carry out recommended actions in response to a threat on an endpoint. These policies can attempt to kill malicious processes, quarantine suspicious files, or isolate the host from the network, mitigating the scope of an attack and preventing it from spreading to other devices in your environment.
To get started with this feature, refer to Response policy.
FAQ
Datto EDR's automated response policies offer a unique advantage for disrupting threats by combining Content Engineer recommendations with custom actions. The answers to the following frequently asked questions will help you get the most out of your automated response policies.
Although it is natural to assume automated responses should be applied as soon as you onboard a new customer, we recommend taking some time to monitor existing behaviors first. A good rule of thumb is to implement automated response policies 30 days after customer onboarding. During this ramp-up period, a typical customer will have triggered the baseline of alerts you would expect to see in their environment, giving you time to review those detections and the possible responses before applying policies.
During the monitoring period, you should review the rules triggered along with the recommendations created by the Datto EDR Content Engineers to determine if the recommendation would disrupt the behavior in a way you are comfortable with. There may be situations where the recommendations can impact the business, and in these cases, you may want to override the recommendations in the policy.
Suppressed alerts supersede automated responses: when an alert matches a suppression rule, no automated response actions occur. Suppressing specific false-positive alerts is preferable to overriding or customizing actions in the automated response policy, because a policy change applies to the whole rule, whereas a suppression applies only to the exact criteria it matches.
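The precedence described above, and the difference between a narrow suppression and a rule-wide override, can be shown with a small model. The following is an added illustration written for this page, not Datto EDR's code: the `Alert`, `SuppressionRule` and `ResponsePolicy` classes, the `evaluate` function, the action names and the rule id `RULE-EXAMPLE-1` are all assumptions, and the alerts are constructed sample data.

```python
"""Model of how suppression rules and automated response policies interact.

Added example, not Datto EDR's own code. Every class, function and action name
here is an assumption made for the illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    """A detection raised by a rule on one endpoint (constructed sample data)."""
    rule_id: str
    host: str
    process: str
    path: str


@dataclass(frozen=True)
class SuppressionRule:
    """Suppresses an alert only when every listed criterion matches exactly."""
    rule_id: str
    process: str
    path: str

    def matches(self, alert: Alert) -> bool:
        return (
            alert.rule_id == self.rule_id
            and alert.process == self.process
            and alert.path == self.path
        )


@dataclass
class ResponsePolicy:
    """Recommended actions per rule, with optional per-rule overrides.

    An override replaces the recommendation for every alert the rule raises;
    it cannot tell one matched process apart from another.
    """
    recommended: dict
    overrides: dict = field(default_factory=dict)

    def actions_for(self, rule_id: str) -> list:
        if rule_id in self.overrides:
            return list(self.overrides[rule_id])
        return list(self.recommended.get(rule_id, []))


def evaluate(alert: Alert, suppressions: list, policy: ResponsePolicy) -> tuple:
    """Return (outcome, actions).

    Suppression is checked first and supersedes any automated response, so a
    suppressed alert never produces actions regardless of the policy.
    """
    for rule in suppressions:
        if rule.matches(alert):
            return "suppressed", []
    actions = policy.actions_for(alert.rule_id)
    return ("respond" if actions else "alert_only"), actions


# Hypothetical rule id and recommended actions (placeholders, not real Datto values).
RECOMMENDED = {"RULE-EXAMPLE-1": ["kill_process", "quarantine_file"]}

# Constructed alerts: the same rule fires on a known business tool and on an
# unknown binary in a world-writable directory.
KNOWN_TOOL = Alert("RULE-EXAMPLE-1", "host-a", "backupagent.exe",
                   r"C:\Program Files\Backup\backupagent.exe")
UNKNOWN = Alert("RULE-EXAMPLE-1", "host-b", "svc.exe", r"C:\Users\Public\svc.exe")


def compare_strategies() -> dict:
    """Handle the false positive two ways and return the outcome for each alert."""
    # Strategy 1: suppress the exact false-positive criteria; leave the policy alone.
    suppressions = [SuppressionRule("RULE-EXAMPLE-1", "backupagent.exe",
                                    r"C:\Program Files\Backup\backupagent.exe")]
    policy = ResponsePolicy(RECOMMENDED)
    with_suppression = {
        "known_tool": evaluate(KNOWN_TOOL, suppressions, policy),
        "unknown": evaluate(UNKNOWN, suppressions, policy),
    }
    # Strategy 2: override the rule's actions in the policy to do nothing.
    overridden = ResponsePolicy(RECOMMENDED, overrides={"RULE-EXAMPLE-1": []})
    with_override = {
        "known_tool": evaluate(KNOWN_TOOL, [], overridden),
        "unknown": evaluate(UNKNOWN, [], overridden),
    }
    return {"suppression": with_suppression, "override": with_override}


if __name__ == "__main__":
    for strategy, results in compare_strategies().items():
        for name, (outcome, actions) in results.items():
            print(f"{strategy:12} {name:10} -> {outcome} {actions}")
```

With the suppression in place, the known tool is silenced while the unknown binary still receives the recommended kill and quarantine actions. With the rule-wide override, neither alert gets a response, which is the loss of coverage the text warns about.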
A default policy can be beneficial when supporting endpoints in a known network or from a single business vertical such as retail or manufacturing. This approach assumes you already know all the standard business applications and have created the suppression rules needed for any applications that may trigger behavioral events. The opposite may apply to MSPs that support customers from multiple business sectors. In that case, it may be better to deploy new organizations without automated response policies so you can monitor the possible outcomes and adjust them before applying changes.