Creating profiles

Overview

Profiles combine configurations and apply them to one or more computer groups. Create and apply profiles to provide the most relevant Threat Response capabilities to specific groups of endpoints. For example, you can create profiles that apply configurations for such groups as:

  • Endpoint type, such as servers or employee workstations
  • Endpoint location, such as by country or time zone
  • Endpoint priority, such as business-critical endpoints
  • Endpoint configuration needs, such as VDI endpoints

The Profiles page displays all the profiles that are available to use with Threat Response. For each profile, you can view a description and the computer groups that have the profile assigned. Profiles display as Active, Inactive, Outdated, or Pending.

Active

Indicates that the profile is currently in use on one or more computer groups and that no changes have been made to the profile settings

Inactive

Indicates that the profile has never been deployed to endpoints

Outdated

Indicates that the profile is in use but there are pending changes that cannot take effect until the profile is deployed again

Pending

Indicates that the profile is in the process of being deployed to endpoints

Create a profile

Create a profile to manage configurations for deployment to one or more computer groups.

  1. From the Threat Response menu, click Management > Profiles. Click Create Profile. Provide a name and description for the profile.
  2. In the Computer Groups section, click Manage to add the computer groups to which you want to deploy the Threat Response configurations.

    Manual computer groups are not supported.

  3. Configure the Advanced Settings for the profile.
  4. In the Intel, Engine, Recorder, and Index sections, select Enable if you want to enable the respective component for the profile. If you select Enable, select an available configuration. A summary of the configuration is available to preview. If you need to make changes to the configuration, click Edit.
  5. Click Save.

Prioritize profiles

A computer group can have one assigned profile. However, an endpoint can be a member of multiple computer groups. If an endpoint is a member of multiple computer groups, the profile with the highest priority is applied to that endpoint.

  1. From the Threat Response menu, click Management > Profiles.
  2. Click Prioritize.
  3. Order the profiles in the order of their priority. The profile with the priority number of one (1) has the highest priority.
  4. Click Save.
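The priority rule above can be checked offline before deploying. The following is an added example, not part of the product or its documentation: it resolves which profile each endpoint receives when computer groups overlap, and lists the profiles that lose on that endpoint. The profile, group, and endpoint names are hypothetical, the data is constructed, and no Threat Response API is called.

```python
# Added example: sample data is constructed; all names are hypothetical.
# Each profile: (priority, name, assigned computer groups). Priority 1 is highest.
PROFILES = [
    (1, "Critical Servers", ["Business Critical"]),
    (2, "All Servers", ["Windows Servers", "Linux Servers"]),
    (3, "VDI", ["VDI Pool"]),
    (4, "Workstations", ["All Workstations"]),
]
# Endpoint -> computer groups it is a member of.
MEMBERSHIP = {
    "db01": ["Windows Servers", "Business Critical"],
    "web01": ["Linux Servers"],
    "vdi-17": ["VDI Pool", "All Workstations"],
    "lap-204": ["All Workstations"],
    "kiosk-3": ["Kiosks"],
}

def groups_with_multiple_profiles(profiles):
    """A computer group can have one assigned profile; list any violations."""
    owner, dupes = {}, []
    for _, name, groups in profiles:
        for group in groups:
            if group in owner:
                dupes.append((group, owner[group], name))
            owner.setdefault(group, name)
    return dupes

def effective_profile(endpoint_groups, profiles):
    """Return (applied, overridden): the lowest priority number wins."""
    member_of = set(endpoint_groups)
    matches = sorted((prio, name) for prio, name, groups in profiles
                     if member_of & set(groups))
    if not matches:
        return None, []  # endpoint is in no targeted group: no profile applies
    return matches[0][1], [name for _, name in matches[1:]]

def audit(membership, profiles):
    """Map every endpoint to its applied profile and the profiles it overrides."""
    return {ep: effective_profile(groups, profiles)
            for ep, groups in membership.items()}

def never_applied(membership, profiles):
    """Profiles that win on no endpoint (fully shadowed or with empty groups)."""
    winners = {applied for applied, _ in audit(membership, profiles).values()}
    return [name for _, name, _ in profiles if name not in winners]

if __name__ == "__main__":
    for endpoint, (applied, overridden) in audit(MEMBERSHIP, PROFILES).items():
        print(f"{endpoint:8} applied={applied} overridden={overridden}")
```

Endpoints that resolve to no profile, and profiles that are never applied, are the two results worth reviewing before a deployment.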

Deploy a profile

Deploy a profile to enable the functionality of Threat Response on all of the endpoints in the computer groups that the profile targets.

When you deploy a profile, all of the configuration information you have assigned in a profile is deployed to endpoints.

  1. From the Threat Response menu, click Management > Profiles.
  2. Select one or more profiles to deploy and click Action > Deploy.
  3. Enter your password to confirm the deployment. Click OK.

Deploy intel

Deploy intel to all of the endpoints in the Threat Response action group. An intel package contains the intel to investigate on the endpoint. Intel packages can be a sync package (all intel) or a delta package (new intel since previous sync or delta package). When intel is updated, a delta intel package is pushed to the endpoints. The name of this update package contains the word Delta, for example: Intel for Windows Revision 51 Delta. After the configured Intel Package Publication Max Deltas (default: 10), a sync package is deployed again.

Configure the intel deployment settings

  1. From the Threat Response home page, click Settings.
  2. On the Service tab, click Intel. Make intel package selections:
    • Intel Package Publication Interval: Specifies how frequently the intel documents and labels are pushed to the endpoints (Default: 24 hours).
    • Intel Deployment Distribute Over Time: Specifies how long the deployment action can take (Default: 20 minutes).
    • Intel Package Publication Max Deltas: Specifies the maximum number of delta packages that can be deployed before a baseline (full sync) package must be deployed (Default: 10).
  3. Click Save.

Immediately deploy intel to endpoints

Intel is automatically published to the endpoints on a regular interval. If a situation requires it, you can manually push the intel documents and signals to the endpoints.

  1. Click Management > Profiles.
  2. Click Deploy Intel.

Last updated: 6/19/2019 8:59 AM