Free Download

Knowledge Base

Back to support overview

Managed Threat Hunting (MTH) powered by ThreatDown is a cloud-based service designed to detect potential attacks correlated with threat intelligence, automated and orchestrated responses, and an indicator of compromise summary and escalation via a team of security personnel.

This article applies to all MTH customers.

Features of Managed Threat Hunting

  • 24x7x365 Malwarebytes Endpoint Detection and Response (EDR) active threat hunting and remediation guidance.
  • Trained security personnel with backgrounds serving customers of various sizes and verticals.
  • Back-end artificial intelligence and machine learning supported by a proprietary analytics engine.
  • Cloud-based, proprietary back-end platform with integrated intelligence sources.
  • 31-day lookback of critical indicators of compromise (IoCs).
  • Incidents are discreetly raised by the Nebula® ThreatDown portal.
  • Customer-driven tiered notifications based on incident severity.

First steps

TeamViewer will confirm via a pop-up once the service is activated in your account. Select the Setup MTH button to proceed to the initial setup.

Set up the primary, backup, and alternate contacts on the next screen. Select the primary contact drop-down menu and select the desired member of your company profile. If not automatically entered, insert this contact's primary phone number.

Note: Only the primary contact is required. Backup and Alternate contacts can be added if needed.

Once completed, click Save in the upper right corner of the screen. A pop-up notification indicates that Managed Threat Hunting has been activated successfully.

Note: EDR must be activated before attempting activation of Managed Threat Hunting. An error message is displayed if you try to activate the MTH add-on before activating Endpoint Detection & Response.

How to access the MTH Portal

The Managed Threat Hunting (MTH) Portal manages all aspects of the service. It can be accessed by selecting the Nebula button, which can be found in settings or the detections tab. Once in Nebula, select Managed Services to see all Cases and Incidents reported.

Discover the MTH Portal

The MTH Portal, powered by ThreatDown, is the control dashboard for your license. Within the portal is the Managed Services tab, where all reports provided by MTH can be seen.  

Managed Services is broken into two main sections:

Overview

The Overview tab provides a centralized, high-level summary of your Managed Services cases through a collection of interactive widgets. These widgets are designed to offer at-a-glance insights into case activity, helping users monitor and assess the security posture of their Nebula environment effectively. By presenting concise and relevant data, the Overview tab serves as a starting point for understanding trends, identifying areas of concern, and prioritizing actions.

This tab is particularly useful for quickly understanding malicious activity in your environment. It supports time-specific filtering, allowing users to narrow the scope of displayed information to a particular period. This functionality makes analyzing trends or investigating incidents easier within a chosen timeframe.

The following widgets are available on the Overview tab, each serving a specific purpose:

  1. Cases by Stage: This widget provides a general overview of case activity by categorizing cases based on their current stage in the incident response lifecycle. This helps users track case progress, such as whether they are newly opened, under investigation, or resolved.
  2. Cases by Priority: This widget displays the number of open cases grouped by their priority level. Highlighting the urgency of each case allows users to quickly identify high-priority cases that may require immediate attention, ensuring critical issues are addressed promptly.
  3. Top Case Close Reasons: This widget identifies the most common reasons for closing cases as determined by analysts. Summarizing these trends provides valuable insights into the recurring factors driving case resolutions, helping teams optimize their response strategies and improve future outcomes.

Cases

The Cases tab on the Managed Services page displays a list of open cases and their details. The following information is available on the Cases tab:

  • Alerts: Number of detections tied to the case.
  • Assigned analyst: Analyst assigned to the case. 
  • Case name: Detection (DE) or Suspicious Activity (SA) followed by the endpoint name and path of the detection.
  • Close reason: Reason the analyst closed the case.
  • Closed at the time the case was closed.
  • Created at: Time the case was opened.
  • Endpoint: Name of the device with the alerts.
  • ID: ID number for the case.
  • Priority: Urgency of the case.
  • Stage: Current phase of the case.
  • Status: Opened or closed case.
  • Updated at: Last time the case was updated.

How to view Case Details

To view the details of any MTH case, click the ID number in the ID column. This will produce the following information in a new drawer:

  • Communications & History  

The Communications & History tab within the case details slideout provides a comprehensive case activity record. This includes communications between analysts, detailed remediation instructions, and a log of actions taken during the investigation.  

To refine the information displayed, you can use the icons to filter specific events, such as comments, status updates, or other key changes, ensuring quick access to the most relevant details.  

  • Alerts & Artifacts  

A single case may encompass multiple alerts, often representing several interconnected malicious activities occurring on the same endpoint. These alerts are grouped together to streamline analysis and enhance context. The Alerts & Artifacts tab allows you to review a case's associated alerts and related items. For deeper investigation, the Go to detection button next to each alert provides direct access to the specific detection or suspicious activity tied to that case. 

How to set up MTH to optimize the protection of your endpoints

MTH requires specific settings from EDR to operate successfully. These settings are found in the Endpoint Protection policy settings. To access this, navigate to the Admin Settings and select Policies under Device Management. If you already have a policy created, you can edit this one; otherwise, you can create a new policy by selecting Endpoint Protection from the policy drop-down. Please ensure the following settings are active under the appropriate OS:

  1. Suspicious activity monitoring
  2. Server operating system monitoring
  3. Lock endpoint when isolated
  4. Ransomware rollback

5. Suspicious activity monitoring

6. Lock endpoint when isolated

How to ensure efficient notifications

Setting up all necessary notifications is important to ensure you and your team stay alert of potential threats. The following information pertains to notifications specifically for Managed Threat Hunting.

Note: Notifications are managed in ThreatDown's Nebula console.

When creating a new notification, select "Managed services activity."  

It is recommended that some conditions be added regarding when notifications are sent. This ensures that your admins don't become overburdened with messages that don't require their attention.

Select each Field option below to see its available values:

is equal to

  • All
  • Case created
  • Case updated
  • Case closed

is equal to

  • All
  • Critical
  • High
  • Medium
  • Low

is equal to

  • True
  • False

In the next section, select how the notifications should be sent. In addition to email, you can select to be notified via Slack/Microsoft Teams, Webhook, or the ThreatDown Admin app.

In the final step, aggregation can be activated, reducing the notifications received and allowing for more focus. This consolidates multiple alerts into single notifications based on the interval and grouping option you select, along with previously chosen activity types, conditions, and delivery methods.

Select Complete in the bottom right corner to save the new notification.