Enabling Managed Detection and Response (MDR)
You enable MDR for selected customers by performing the following two steps:
- Step 1: Enable the MDR offering item for customers.
- Step 2: Configure the integration with the MDR vendor's app.
To enable MDR for selected customers
- In the management portal, go to Clients.
- Click the ellipsis icon (...) next to the relevant customer, and select Configure.
- In the Protection tab, click Edit.
- In the Advanced Security + EDR section, ensure that the Workloads and Managed Detection and Response checkboxes are selected. Then click Save to apply any changes.
To configure the integration with the MDR vendor's app
- In the management portal, go to Integrations.
- Use the search bar to locate the MDR vendor's app.
- In the displayed MDR catalog card, click Configure.
- In the Settings tab, click the pencil icon and enter the contact details of at least one partner contact. The MDR vendor contacts this person when a security event is detected. You can add the details of up to three contacts. When done, click Enable.
When a security event is detected, the vendor calls each contact six times before moving on to the next contact. Following a call, or if no contact is made, the vendor sends an email to all contacts, providing an overview of the escalation and the incident.
- In the Customer management tab, click the ellipsis icon (...) in the far right column for the relevant customer, and then click Enable.
To enable multiple customers, select the checkbox next to the relevant customers, and then click Enable in the top left of the Customer management tab.
- From the Service level drop-down list in the displayed dialog, select the level of MDR service you want to apply to the selected customer(s):
  - Standard: Includes 24/7/365 monitoring of customer endpoints to catch attacks, AI-powered event triage and prioritization, threat containment and isolation of affected endpoints, and real-time in-console visibility over a prioritized list of incidents.
  - Advanced: In addition to the features included in Standard, this level also enables complete remediation, including attack rollback, recovery and the closing of security gaps.
- Click Enable to complete the MDR integration.
If the IP allowlist feature is enabled (see Limiting access to the web interface), you are prompted to add the MDR vendor's IPs to the allowlist. This ensures that the vendor can monitor the relevant workloads. Click Enable to confirm.
MDR is now enabled and security incidents will be forwarded to the MDR vendor to conduct investigation and response activities. For further information about the MDR service, see What is Managed Detection and Response (MDR)?