Managed Threat Hunting (MTH) powered by ThreatDown is a cloud-based service that detects potential attacks, correlates them with threat intelligence, supports automated and orchestrated responses, and provides an indicator of compromise (IoC) summary with escalation by a team of security personnel.

This article applies to all MTH customers.

Features of Managed Threat Hunting

  • 24x7x365 Malwarebytes Endpoint Detection and Response (EDR) active threat hunting and remediation guidance.
  • Trained security personnel with backgrounds serving customers of various sizes and verticals.
  • Back-end artificial intelligence and machine learning supported by a proprietary analytics engine.
  • Cloud-based, proprietary back-end platform with integrated intelligence sources.
  • 31-day lookback of critical indicators of compromise (IoCs).
  • Incidents are raised directly in the ThreatDown Nebula® portal.
  • Customer-driven tiered notifications based on incident severity.

First steps

TeamViewer will confirm via a pop-up once the service is activated in your account. Select the Setup MTH button to proceed to the initial setup.

Set up the primary, backup, and alternate contacts on the next screen. Open the primary contact drop-down menu and choose the desired member of your company profile. If it is not filled in automatically, enter this contact's primary phone number.

Note: Only the primary contact is required. Backup and Alternate contacts can be added if needed.

Once completed, click Save in the upper right corner of the screen. A pop-up notification indicates that Managed Threat Hunting has been activated successfully.

Note: EDR must be activated before attempting activation of Managed Threat Hunting. An error message is displayed if you try to activate the MTH add-on before activating Endpoint Detection & Response.

How to access the MTH Portal

All aspects of the service are managed in the Managed Threat Hunting (MTH) Portal. To open it, select the Nebula button, found in Settings or on the Detections tab. Once in Nebula, select MTH Portal in the upper right corner.

Discover the MTH Portal

All reports regarding threats detected by Managed Threat Hunting can be seen in the MTH Portal. To navigate to the other sections of the MTH Portal, use the menu in the upper left corner.

Dashboard

The dashboard gives a quick overview of all devices and threats, including reports covering periods of one month or longer. The Environment Summary on the dashboard also shows the status of all cases, alerts, and incidents.

Your workbook

Your workbook is a simple overview of all cases in which your assistance is required for additional actions. The reports previously provided for all threats are also shown here.

How to set up MTH to optimize the protection of your endpoints

MTH requires specific EDR settings to operate successfully. These are found in the Endpoint Protection policy settings. To access them, navigate to Admin Settings and select Policies under Device Management. If you already have a policy, edit it; otherwise create a new one by selecting Endpoint Protection from the policy drop-down. Ensure the following settings are active for each operating system you protect:

Windows:

  1. Suspicious activity monitoring
  2. Server operating system monitoring
  3. Lock endpoint when isolated
  4. Ransomware rollback

Mac:

  1. Suspicious activity monitoring
  2. Lock endpoint when isolated

How to ensure efficient notifications

Setting up all necessary notifications is important to ensure you and your team stay alert of potential threats. The following information pertains to notifications specifically for Managed Threat Hunting.

Note: Notifications are managed in ThreatDown's Nebula console.

When creating a new notification, select "Managed services activity."  

Add conditions that restrict when notifications are sent, so that your admins are not overburdened with messages that do not require their attention.

Each condition takes the form Field is equal to Value. The three fields and their available values are:

  • the case event, is equal to: All, Case created, Case updated, Case closed
  • the severity, is equal to: All, Critical, High, Medium, Low
  • a True/False flag, is equal to: True, False

Selecting All for a field matches every value of that field.

In the next section, select how the notifications should be sent. In addition to email, you can select to be notified via Slack/Microsoft Teams, Webhook, or the ThreatDown Admin app.

In the final step, you can enable aggregation to reduce the number of notifications received. Aggregation consolidates multiple alerts into a single notification based on the interval and grouping option you select, applied to the activity type, conditions, and delivery methods chosen earlier.

Select Complete in the bottom right corner to save the new notification.
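As an added illustration, not ThreatDown or Nebula code, the following Python models how the conditions and aggregation described above reduce the number of messages an admin receives: constructed MTH case events are filtered by "is equal to" conditions and then consolidated into one digest per interval and grouping value. The sample events and the field names activity, severity and action_required are assumptions made for the example.

```python
"""Model of notification conditions and aggregation for MTH case events.

Added illustration only, not ThreatDown or Nebula code. The case records and
the field names (activity, severity, action_required) are constructed
assumptions that mirror the three condition fields described in the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CaseEvent:
    case_id: str
    activity: str          # Case created | Case updated | Case closed
    severity: str          # Critical | High | Medium | Low
    action_required: bool  # stands in for the True/False condition field
    time: datetime


# Constructed sample stream: six case events over half an hour.
SAMPLE_EVENTS = [
    CaseEvent("C-1", "Case created", "Critical", True, datetime(2024, 1, 8, 10, 0)),
    CaseEvent("C-1", "Case updated", "Critical", True, datetime(2024, 1, 8, 10, 3)),
    CaseEvent("C-2", "Case created", "Low", False, datetime(2024, 1, 8, 10, 5)),
    CaseEvent("C-3", "Case created", "High", True, datetime(2024, 1, 8, 10, 20)),
    CaseEvent("C-3", "Case updated", "High", False, datetime(2024, 1, 8, 10, 25)),
    CaseEvent("C-2", "Case closed", "Low", False, datetime(2024, 1, 8, 10, 28)),
]

# Conditions of the form "<field> is equal to <value>"; "All" matches anything.
CONDITIONS = {"activity": "All", "severity": "All", "action_required": "True"}


def matches(event: CaseEvent, conditions: dict) -> bool:
    """Return True when every condition holds for the event."""
    for field, wanted in conditions.items():
        if wanted == "All":
            continue
        actual = getattr(event, field)
        if isinstance(actual, bool):
            actual = "True" if actual else "False"
        if actual != wanted:
            return False
    return True


def filter_events(events, conditions):
    """Keep only the events that satisfy all conditions."""
    return [e for e in events if matches(e, conditions)]


def window_start(t: datetime, interval: timedelta) -> datetime:
    """Floor a naive datetime to the start of its interval-sized window."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((t - epoch) // interval) * interval


def aggregate(events, interval: timedelta, group_by: str):
    """Consolidate events into one digest per (window, group_by value)."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(window_start(e.time, interval), getattr(e, group_by))].append(e)
    digests = []
    for (start, group), members in sorted(buckets.items(), key=lambda kv: kv[0][0]):
        digests.append({
            "window_start": start.isoformat(),
            group_by: group,
            "count": len(members),
            "case_ids": sorted({m.case_id for m in members}),
        })
    return digests


def demo() -> dict:
    """Number of messages an admin would receive at each stage of the setup."""
    matched = filter_events(SAMPLE_EVENTS, CONDITIONS)
    digests = aggregate(matched, timedelta(minutes=15), "severity")
    return {
        "raw": len(SAMPLE_EVENTS),
        "after_conditions": len(matched),
        "after_aggregation": len(digests),
        "digests": digests,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

With these constructed inputs, six raw events become three after the action_required condition and two digests after 15-minute aggregation grouped by severity; the two Critical updates to case C-1 collapse into a single notification.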