The successful delivery of a managed detection and response (MDR) service relies heavily on having threat detection rules set up properly in the security information and event management (SIEM) and endpoint detection and response (EDR) tools underpinning the service.
Configuring and maintaining detection content is not easy. It is notoriously labor-intensive and requires specialized expertise. As a managed service provider, managing these configurations manually becomes increasingly challenging as you scale your MDR business.
A better content management system
To help MSPs like you mitigate the content storm, we are excited to announce the availability of the ContraForce content management system (CMS).
Our CMS is an interface within our platform you can use to easily deploy and manage detection content. Security content is organized by data source. The detection content is created and maintained by our security engineering team. You simply decide which rules to select and deploy. And since we will handle rule creation and updates, you can focus on your clients and on incident response rather than configuration.
The new CMS allows you to see content status and activity. You can see which versions of rules are available for each data source, how many are deployed, how many are disabled, and if there are any new updates.
Rules can be updated manually, or you can enable auto-updates so that your deployed rules always run the latest version. Teams that choose manual updates will still see an indicator when a new rule version becomes available and can then review and deploy it themselves.
Access to CMS functionality can also be restricted by user, limiting who can deploy content, subscribe to auto-updates, and remove deployed rules from active status.
At any time, you can see a consolidated list of all deployed rules on the Gamebook recommendation summary page, which also includes additional information about each rule, including its Gamebook mapping and automation.
Rule Details
The CMS provides detailed information about each detection rule to help you understand its functionality and impact.
Each rule includes a description and shows the underlying rule query. For each rule you can also see the severity (low, medium, high), the associated MITRE ATT&CK tactic(s) and technique(s), when the rule was last modified, whether it is deployed, how frequently it runs, the rule version currently deployed, whether a newer version is available, and whether auto-updates are enabled. Rule severity is based on the associated MITRE ATT&CK technique and other considerations such as frequency of use.
In short, ContraForce allows you to streamline detection engineering to reduce the expertise and time required by your team. The CMS also allows you to differentiate yourself from your competitors by easily offering detection rule management as part of your service.
The CMS is now generally available for Microsoft Sentinel, including content auto-updates, detailed explanations of what each rule does, and the complete underlying query, features not available in Sentinel itself.