We’re excited to announce the Release Candidate (RC) for SolarWinds® RMM with Integrated Endpoint Detection and Response (EDR). The RC will begin rolling out September 18th, and will be available in all territories by the end of next week.
The SolarWinds EDR integration with our world-class RMM platform will empower partners to deploy and manage the SentinelOne® EDR agent on RMM-managed Windows devices—providing enterprise-ready endpoint protection and security for your clients and partners. Offering best-in-breed ransomware protection, powered by SentinelOne, our integration provides in-product access to the EDR dashboard, threat management, and policy configuration—without leaving the RMM interface—alongside agent deployment and automated upgrade, so you can get up and running quickly with EDR.
Partners who have already purchased our standalone EDR offering, please see this article
Let’s get started!
In order to use the EDR functionality, you must first “activate” a trial of the Endpoint Detection and Response Integration in our new Integration Management screen for RMM, available in the left-hand navigation menu. The permissions for enabling integrated EDR are inherited through the new Integrations section of Roles and Permissions, and are set up by default for superusers to have complete control:
This activation process relies on our new “ecosystem” management platform and enables direct trial activation in-product. After successful activation, you will see the new Endpoint Detection and Response menu and be ready to go:
The first thing you will want to do after successful activation (which may take 5 – 10 minutes to complete) is create policies that define the protection levels and other configuration settings for how endpoints will be protected. Click the “Add policy” button to get started:
After naming and providing a description of the policy and clicking “Save,” you will then see the SentinelOne Policy page, which provides direct access to the EDR agent policy settings for configuration:
If you want to make changes to the policy, click on the “Change Policy” link, which will enable editing of all the policy options. Be sure to scroll down to see all available options, and after you have configured them to your needs, click the “Save” button located at the bottom of the iFrame to ensure the changes are successfully recorded for this policy:
During this step, you can also configure blacklist and exclusion options on the other tabs of the “Edit Policy” screen to enable finely tuned control of threat detections in your networks:
After the SentinelOne policy and any blacklist or exclusions are saved, you can then click the “Finish” button to exit the policy creation process.
Now for the fun part: enabling the EDR feature!
Enablement of the EDR feature on a workstation or server can be accomplished in one of two ways:
- Directly for the individual endpoint, under the “Edit Workstation” or “Edit Server” menu, you can turn the setting to “On” and select the policy you want to use:
2. Alternatively, you can use the Settings menu to deploy to various client tree groups:
After successful installation of the EDR feature and agent on the endpoint, the final step is to reboot the system to enable full protection. This can be done immediately or during a regular maintenance window as conditions require. The system is protected as soon as the agent has been installed and retrieves its policy settings from the cloud; however, the Dynamic Engine is not enabled until after a successful reboot to allow the kernel-level protection needed for that engine.
After enabling EDR on some endpoints, it’s time to check the RMM dashboard for status of the install and monitor the processes. We’ve added a north pane column and icon for EDR, which indicates the feature status for the endpoint.
You will also see two new checks added for devices that have EDR enabled; one of them is a Windows service status check to ensure the agent process is running, and the second is a script check that provides status information about the health of the endpoint from the agent’s perspective. The most important data returned by the check is the “Infected Status,” and in most cases, it should be “Clean.” However, when a threat is detected on the endpoint, this status will change to “Infected,” and the script check will go into a “Failed” state. When this state change happens, and if email or SMS outage notifications are enabled, an alert is sent for rapid notification and triage:
Managing Endpoint Detection and Response via the Integrations Menu
On the left-hand navigation menu, the new Integrations menu provides access to the SentinelOne console for a dashboard view—and for managing threat detections through their lifecycle:
This is the place for viewing the current status on threats and endpoints protected by EDR. All the metrics in the upper section of the dashboard are quick filters for drilling into the endpoint or threat conditions indicated for the metric. For example, if you click “Infected Endpoints,” you get a filtered list of endpoints that have an active threat on them. If you select “Active Threats,” you will see a list of the threats that need immediate investigation. One thing to note about the dashboard screens is they are a read-only view into the endpoints, and the “Actions” list is disabled. However, the actions are available under the Policies menu:
This is the main interface for threat management and deep investigation into the issues detected on endpoints in your environment. In this view, you can quickly filter based on many properties of the endpoints or threats to get a quick understanding of the problem—and access to the advanced protection actions of Kill, Quarantine, Remediate or Rollback. Each threat also has a status that can be managed here as well, and you can manage a threat through the states of Active, Resolved or Benign:
This screen is used to create new policies (as mentioned above) or to manage policy settings on an ongoing basis. Management of endpoint actions, as well as exclusion lists for Hash, Path, and Signer Identity, will be the main reasons you use this screen.
The fastest way to enable the EDR feature on many endpoints quickly is to find the right level of the entities tree that you would like to enable. You can then either turn it on specifically at that level of the tree or configure it to apply the parent policy in the same way other RMM feature policies are enabled.
We value your feedback! Check out all the areas above and let us know what you think. If you find any issues, please be sure to log a support case.
Thanks in advance!