5. Review The Results & White Listing
Last updated
Once agent deployment is complete, go to "Threat Hunting" -> "Analysis & Investigation" and review the Autoruns, Processes, Macro, Event Log and Sysmon analysis. Items may be flagged as malicious, critical or high risk. If an item is a false positive, add it to the white list so that it is treated as trusted. Any property of an artifact (for example its hash, code signer or path) can be used to exclude it from analysis, and a default white list is provided. Prefer properties an attacker cannot reproduce cheaply, such as the file hash or the signing certificate, over a file name or path alone: a path-based entry would also trust a malicious file dropped at that location. Entries are added as described below.
Right-click the entry and select List Management, then choose the list (white or black) you need. Listed entries can be reviewed under "Rules & Policies" -> "Artifact Classification" -> "List Based Classification", where they can be edited: click the three dots on the right side of the grid and choose the required action.
White and black listing is the recommended approach, but classification rules can also be used to customize the action taken for an artifact.
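The following is an added illustration of list-based classification, not the product's own rule format or code: the artifact fields, entry fields and the precedence rules (black list first, then white list, otherwise the analysis verdict) are assumptions. It shows why the property chosen for a white-list entry matters, using two constructed artifacts: a vendor agent and an unsigned file planted at the same path.

```python
"""Added illustration of list-based artifact classification.

NOT the product's own rule format: Artifact fields, entry fields and the
precedence rules are assumptions chosen to show why the property used for an
allow-list entry matters.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Artifact:
    """One analysed item (autorun, process, macro, ...), described by its properties."""
    props: Dict[str, str]


@dataclass
class ListEntry:
    """A white-list or black-list entry.

    Every key in `match` must equal the artifact's property of the same name
    (case-insensitive) for the entry to apply.
    """
    verdict: str            # "white" or "black"
    match: Dict[str, str]


def _matches(entry: ListEntry, artifact: Artifact) -> bool:
    """True when every listed property is present on the artifact and equal."""
    for key, wanted in entry.match.items():
        have = artifact.props.get(key)
        if have is None or have.lower() != wanted.lower():
            return False
    return True


def classify(artifact: Artifact, entries: List[ListEntry], original: str) -> str:
    """Return the classification after list processing.

    Assumed precedence: a matching black-list entry always wins, then a matching
    white-list entry marks the artifact trusted, otherwise the analysis verdict stands.
    """
    hits = [e for e in entries if _matches(e, artifact)]
    if any(e.verdict == "black" for e in hits):
        return "malicious"
    if any(e.verdict == "white" for e in hits):
        return "trusted"
    return original


# Constructed sample artifacts; the hashes are made-up placeholders.
LEGIT = Artifact({
    "path": r"C:\Program Files\Vendor\agent.exe",
    "sha256": "aaaa1111",
    "signer": "Vendor Inc",
})
PLANTED = Artifact({
    "path": r"C:\Program Files\Vendor\agent.exe",  # same path, different file
    "sha256": "bbbb2222",
    "signer": "",
})

# Two ways of white-listing the same false positive.
PATH_ONLY = [ListEntry("white", {"path": r"C:\Program Files\Vendor\agent.exe"})]
HASH_AND_SIGNER = [ListEntry("white", {"sha256": "aaaa1111", "signer": "Vendor Inc"})]


def compare() -> Dict[str, str]:
    """Classify both artifacts under both entry styles; analysis flagged both 'high'."""
    return {
        "legit/path": classify(LEGIT, PATH_ONLY, "high"),
        "planted/path": classify(PLANTED, PATH_ONLY, "high"),
        "legit/hash": classify(LEGIT, HASH_AND_SIGNER, "high"),
        "planted/hash": classify(PLANTED, HASH_AND_SIGNER, "high"),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:14} -> {verdict}")
```

The path-only entry trusts both files, so the planted binary disappears from the review; the hash-plus-signer entry trusts only the genuine agent and leaves the impostor at its original risk level.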