ARO Introduction
This is a very common alert whose primary aim is to let you know which endpoints do not have the Field Effect agent installed.
The Field Effect appliance continually scans your network and log files, and checks the hosts it sees against the list of endpoints on which you have installed the agent. When a host is seen that is not on that list, it will appear in this alert.
We recommend that you install the Field Effect agent on each such host as soon as possible so that it can be protected, and that you factor the agent's install into future installations, deployment scripts or tools.
The following is an example of the description included with this ARO type:
Field Effect MDR has identified systems in your environment generating activity logs without an active Field Effect MDR endpoint agent.
This information is derived from Windows Event Logs (WEL) associated with authentication events. The hosts were identified by examining log activity for the last 7 days. Hostnames observed in the logs, with no corresponding Field Effect MDR endpoint agent having the same hostname, are reported below.
Note: this list may include hosts with agents that have not connected to the Field Effect appliance in the last 7 days. Given the source of the data, the enumerated hosts may be incomplete or inaccurate; however, we would like to raise these so that you can validate any systems mentioned below.
Suppressing this ARO
This analytic typically triggers only when the host has authenticated to an endpoint with the Field Effect agent, but it can also be configured to alert based on network traffic.
Customers will typically ask us to suppress certain hosts which cannot have the Field Effect agent installed, either because it is an unsupported device (e.g. a printer or network device) or because the organization does not want to, or is not allowed to, install the agent on the device. This can include third-party devices, or devices that have another solution installed.
Customers cannot currently configure these suppressions themselves; they will need to ask Field Effect to configure them, and the requests are actioned by the Analyst team.
Next steps
Our recommendation for managing this alert is to review the device list provided by the ARO, install the agent where possible and then use the "Request Help" option within the ARO to notify Field Effect of any suppressions.
Hosts can be suppressed from this ARO by requesting:
- a specific internal hostname (typical, preferred), e.g. "SQL01Dev", "printer01"
- a single IP address, e.g. "1.2.3.4"
- an IP range, e.g. "1.2.3.0 - 1.2.3.255" or "1.2.3.0/24"
- a log source (hostname). This is often used for RDP gateways that accept remote connections from hosts that will not have our agent installed. For example, you may want us to:
  - "Suppress the external host 'xyz' that connects through 'RDPGATEWAY01'"
  - or perhaps something less specific:
  - "Suppress anything with the public IP '1.2.3.4' connecting to 'RDPGATEWAY01'"
Additionally we can also cater for these more advanced scenarios:
- Limit detection to specific IP ranges. This will automatically suppress alerting for everything else within the network.
- Look beyond just the authentication logs and enable network traffic detection, which will also scan DHCP, mDNS, etc., for hosts without the agent installed. Enabling this option will generate more ARO information.
- It is also possible to suppress hosts which have the Field Effect endpoint agent installed, but are within different organizations. This is useful if, for example, an MSP connects their endpoint devices to multiple clients, but these endpoints are managed from within their own parent organization. To configure this scenario we will need to know the name of all organizations, and must have agreement from all parties to enable this.
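To make the analytic and the suppression types described above concrete, here is an added Python model (not Field Effect's code, and not how the appliance is implemented) that reconstructs the reported list from authentication events: hosts seen in the last 7 days with no agent of the same hostname, minus anything matched by a suppression request (hostname, single IP, IP range in either notation, or a host/IP seen through a given log source), with an optional "limit detection to specific IP ranges" scope. All hostnames, IPs, events, field names and the rule format are constructed assumptions for this example.

```python
"""Added example: toy reconstruction of the "hosts without agent" analytic
and the suppression types listed in the article. Not Field Effect's code."""
import ipaddress
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=7)               # the article's 7-day window
NOW = datetime(2024, 6, 14, 12, 0)          # fixed "now" so results are deterministic

# Constructed authentication events. "log_source" is the host whose Windows
# Event Log recorded the logon, "workstation" the host that authenticated and
# "ip" its source address. The field names are assumptions for this example.
AUTH_EVENTS = [
    {"ts": NOW - timedelta(days=1), "log_source": "DC01", "workstation": "WS-ALICE", "ip": "10.0.1.21"},
    {"ts": NOW - timedelta(days=2), "log_source": "DC01", "workstation": "SQL01Dev", "ip": "10.0.2.5"},
    {"ts": NOW - timedelta(days=3), "log_source": "DC01", "workstation": "printer01", "ip": "10.0.9.40"},
    {"ts": NOW - timedelta(hours=5), "log_source": "RDPGATEWAY01", "workstation": "xyz", "ip": "203.0.113.7"},
    {"ts": NOW - timedelta(days=4), "log_source": "RDPGATEWAY01", "workstation": "LAPTOP-BOB", "ip": "198.51.100.3"},
    {"ts": NOW - timedelta(days=6), "log_source": "DC01", "workstation": "NAS02", "ip": "10.0.3.9"},
    {"ts": NOW - timedelta(days=20), "log_source": "DC01", "workstation": "OLD-PC", "ip": "10.0.1.99"},  # outside window
    {"ts": NOW - timedelta(days=1), "log_source": "DC01", "workstation": "ws-carol", "ip": "10.0.1.22"},
]

# Hostnames that currently have an active agent (constructed).
AGENT_HOSTNAMES = {"DC01", "RDPGATEWAY01", "WS-ALICE", "WS-CAROL"}

# Suppression requests of the kinds the article lists. A rule with several
# keys must match on all of them (e.g. host 'xyz' seen through RDPGATEWAY01).
SUPPRESSIONS = [
    {"hostname": "SQL01Dev"},                              # specific internal hostname
    {"range": "10.0.9.0 - 10.0.9.255"},                    # IP range, "a - b" notation
    {"log_source": "RDPGATEWAY01", "hostname": "xyz"},     # external host via a gateway
]


def parse_range(text):
    """Accept '1.2.3.0/24' or '1.2.3.0 - 1.2.3.255' and return a list of networks."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(text.strip(), strict=False)]


def _matches(event, rule):
    """True only if every condition carried by the rule matches the event."""
    ip = ipaddress.ip_address(event["ip"])
    checks = {
        "hostname": lambda v: event["workstation"].casefold() == v.casefold(),
        "log_source": lambda v: event["log_source"].casefold() == v.casefold(),
        "ip": lambda v: ip == ipaddress.ip_address(v),
        "range": lambda v: any(ip in net for net in parse_range(v)),
    }
    return all(checks[key](value) for key, value in rule.items())


def hosts_without_agent(events, agent_hostnames, suppressions=(), scope=None, now=NOW):
    """Map each reportable hostname (upper-cased) to the source IPs it was seen from.

    A host is reportable when it authenticated inside the lookback window, has no
    agent with the same hostname, falls inside the detection scope (if one is
    configured) and is not covered by any suppression rule.
    """
    agents = {h.casefold() for h in agent_hostnames}
    scope_nets = [net for text in (scope or []) for net in parse_range(text)]
    report = {}
    for ev in events:
        if now - ev["ts"] > LOOKBACK:
            continue                       # older than the 7-day window
        if ev["workstation"].casefold() in agents:
            continue                       # an agent with this hostname exists
        ip = ipaddress.ip_address(ev["ip"])
        if scope_nets and not any(ip in net for net in scope_nets):
            continue                       # outside the ranges detection is limited to
        if any(_matches(ev, rule) for rule in suppressions):
            continue                       # covered by a suppression request
        report.setdefault(ev["workstation"].upper(), set()).add(ev["ip"])
    return report


if __name__ == "__main__":
    for host, ips in sorted(hosts_without_agent(AUTH_EVENTS, AGENT_HOSTNAMES, SUPPRESSIONS).items()):
        print(f"{host}: seen from {', '.join(sorted(ips))}")
```

Running the module as-is lists the two constructed hosts that survive the suppressions (LAPTOP-BOB, seen through the RDP gateway from a public address, and NAS02). Passing `scope=["10.0.0.0/8"]` models the "limit detection to specific IP ranges" option and drops the public-address host as well, which is why that option quietly hides everything outside the listed ranges.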