
Getting Started with Defend

This guide walks you through enabling The One Defend on your endpoints and running your first threat investigation.

Step 1: Enable the Defend Module

  1. Open Hub and navigate to your organization's Billing page
  2. Add the Defend subscription (standalone or as part of an Endpoint bundle)
  3. Once activated, the Defend module automatically enables on all RMM-enrolled devices

ℹ️ There is no separate agent to install. Defend runs as a module of the unified RMM agent. Devices with an active RMM agent will begin collecting EDR telemetry within minutes of activation.

Step 2: Verify Device Enrollment

  1. Open the Defend console from the waffle menu
  2. Navigate to Devices
  3. Confirm your endpoints show Defend: Active in the status column

Each device goes through a certificate-based enrollment that establishes a secure, tamper-resistant identity. You'll see devices transition from Enrolling to Active as their device certificate is issued.

Step 3: Understand the Detection Dashboard

The detection dashboard is your primary workspace. It shows:

  • Active Detections — New detections awaiting triage, sorted by severity
  • Detection Trend — 30-day chart of detection volume by severity
  • MITRE ATT&CK Heatmap — Visual coverage of which techniques you're detecting
  • Top Devices — Endpoints with the most detections this period
  • Behavioral Anomalies — Devices deviating from their established baseline

Step 4: Your First Detection

When Defend detects a threat, you'll see a detection card with:

  • Severity — Critical, High, Medium, Low, or Informational
  • MITRE Technique — The ATT&CK technique ID and name (e.g., T1059.001 — PowerShell)
  • Device — Which endpoint triggered the detection
  • Process — The suspicious process name, path, and command line
  • Timestamp — When the event occurred

Click any detection to open the full investigation workspace.

Step 5: Run Your First Investigation

The investigation workspace gives you four tabs:

  1. Process Tree — Parent-child process relationships at the time of detection, with IOC flags on processes whose hash or network destination matches a known-bad indicator
  2. Event Timeline — Full sequence of process, network, and file events ±30 minutes around the detection
  3. Lateral Movement — Cross-device connections showing potential spread
  4. AI Narrative — Jarvis-generated attack summary explaining what happened in plain English

From here you can:

  • Mark the detection as True Positive, False Positive, or Under Investigation
  • Take a response action (isolate device, kill process, quarantine file)
  • Escalate to PSA as a ticket or page On-Call
  • Add investigation notes for team handoff
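The example below is added here to show what the detection card, the Process Tree tab and the Event Timeline tab are built from; it is not code from The One Defend and does not use its export format. The event field names, the device name WS-0142, the IOC set and the telemetry rows are all constructed for the example. The tree walks from the flagged process up to its root and then down through its children, and the timeline keeps every process, network and file event within ±30 minutes of the detection.

```python
from datetime import datetime, timedelta, timezone

DEVICE = "WS-0142"   # constructed hostname for the detection card

# Constructed telemetry for one device. The field names are an assumption, not
# the product's export format. 'process' rows carry pid/ppid so the tree can be
# rebuilt; 'network' and 'file' rows carry the pid that produced them. The
# sha256 values are placeholders.
EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "type": "process", "pid": 400, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe", "sha256": "a1" * 32},
    {"ts": "2024-05-01T09:41:10Z", "type": "process", "pid": 512, "ppid": 400,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE invoice.docm", "sha256": "b2" * 32},
    {"ts": "2024-05-01T09:42:03Z", "type": "process", "pid": 530, "ppid": 512,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "sha256": "c3" * 32},
    {"ts": "2024-05-01T09:42:05Z", "type": "network", "pid": 530, "dst": "203.0.113.7", "dport": 443},
    {"ts": "2024-05-01T09:42:09Z", "type": "file", "pid": 530, "path": r"C:\Users\Public\update.dll", "op": "write"},
    {"ts": "2024-05-01T11:30:00Z", "type": "process", "pid": 700, "ppid": 400,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe", "sha256": "d4" * 32},
]

# Constructed stand-in for the IOC feed (known-bad IPs and file hashes).
IOCS = {"ips": {"203.0.113.7"}, "hashes": set()}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def process_events(events):
    """pid -> process-start event."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ioc_flags(events, pid, iocs):
    """Flags for one process: bad hash on its image, or a connection to a bad IP."""
    flags = []
    proc = process_events(events).get(pid)
    if proc and proc["sha256"] in iocs["hashes"]:
        flags.append("bad-hash")
    if any(e["type"] == "network" and e["pid"] == pid and e["dst"] in iocs["ips"] for e in events):
        flags.append("bad-ip")
    return flags


def detection_card(events, pid, severity, technique):
    """The fields the detection card shows for the process that fired the rule."""
    proc = process_events(events)[pid]
    return {
        "severity": severity,
        "technique": technique,            # (ATT&CK id, name)
        "device": DEVICE,
        "process": {"name": proc["image"].rsplit("\\", 1)[-1],
                    "path": proc["image"], "cmdline": proc["cmdline"]},
        "timestamp": proc["ts"],
    }


def process_tree(events, pid, iocs):
    """Rows (depth, pid, cmdline, flags): ancestors root-first, then pid's descendants."""
    procs = process_events(events)
    chain, cur = [], pid
    while cur in procs:                    # walk up until the parent is unknown (ppid 1 here)
        chain.append(cur)
        cur = procs[cur]["ppid"]
    chain.reverse()
    rows = [{"depth": d, "pid": p, "cmdline": procs[p]["cmdline"],
             "flags": ioc_flags(events, p, iocs)} for d, p in enumerate(chain)]

    def walk(parent, depth):               # children of the detected process, by start time
        for p, e in sorted(procs.items(), key=lambda kv: kv[1]["ts"]):
            if e["ppid"] == parent:
                rows.append({"depth": depth, "pid": p, "cmdline": e["cmdline"],
                             "flags": ioc_flags(events, p, iocs)})
                walk(p, depth + 1)

    walk(pid, len(chain))
    return rows


def timeline(events, detection_ts, minutes=30):
    """All events within ±minutes of the detection, oldest first."""
    t0 = parse_ts(detection_ts)
    lo, hi = t0 - timedelta(minutes=minutes), t0 + timedelta(minutes=minutes)
    return sorted((e for e in events if lo <= parse_ts(e["ts"]) <= hi), key=lambda e: e["ts"])


def render_tree(rows):
    return "\n".join("  " * r["depth"] + f"[{r['pid']}] {r['cmdline']}"
                     + (f"   <-- IOC: {', '.join(r['flags'])}" if r["flags"] else "")
                     for r in rows)


if __name__ == "__main__":
    card = detection_card(EVENTS, 530, "High", ("T1059.001", "PowerShell"))
    print(card)
    print(render_tree(process_tree(EVENTS, 530, IOCS)))
    for e in timeline(EVENTS, card["timestamp"]):
        print(e["ts"], e["type"], e.get("cmdline") or e.get("dst") or e.get("path"))
```

With the constructed rows, the tree reads explorer.exe → WINWORD.EXE → powershell.exe, with the PowerShell node flagged bad-ip because of its connection to 203.0.113.7, and the timeline drops the explorer.exe start (42 minutes earlier) and the later notepad.exe start while keeping the Word launch and the three PowerShell-related events. Siblings of the ancestors are left out of the tree on purpose; they are in the timeline if they fall inside the window.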

Step 6: Configure Auto-Response

Navigate to Settings → Response Automation to configure:

  • Auto-isolate on critical — Automatically cut network access (except the management channel) for critical-severity detections
  • Auto-kill on high — Automatically terminate the malicious process for high-severity detections
  • Approval requirements — Which response actions require dual-control approval before execution
  • Active hours — Time window during which auto-response is active

ℹ️ New organizations start with auto-response disabled. We recommend running in monitoring mode for the first 7 days while behavioral baselines are established, then enabling auto-response for critical detections.
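To make the interaction between the four settings concrete, here is an added policy evaluator; it is example code, not the product's implementation. The policy key names, the evaluation order (active hours checked before the approval gate) and the reading of "on critical" / "on high" as that severity or worse are assumptions; the detections are constructed.

```python
from datetime import datetime, time

# Severity ladder as shown on the detection card; higher is worse.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Policy keys mirror the Settings -> Response Automation options on this page;
# the key names and evaluation order are assumptions for this example.
DEFAULT_POLICY = {                            # what a new organization starts with
    "auto_isolate_on_critical": False,
    "auto_kill_on_high": False,
    "requires_approval": set(),
    "active_hours": None,                     # None = no time restriction
}

EXAMPLE_POLICY = {                            # both rules on; the page suggests critical-only first
    "auto_isolate_on_critical": True,
    "auto_kill_on_high": True,
    "requires_approval": {"isolate_device"},  # dual-control before isolating
    "active_hours": (time(8, 0), time(18, 0)),  # local time, end exclusive
}

NIGHT_SHIFT_POLICY = dict(EXAMPLE_POLICY, active_hours=(time(22, 0), time(6, 0)))


def in_active_hours(now, window):
    """True when `now` falls inside the (start, end) window; handles windows past midnight."""
    if window is None:
        return True
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end              # e.g. 22:00-06:00


def decide(detection, policy, now):
    """Response decision for one detection under `policy` at wall-clock time `now`."""
    rank = SEVERITY_RANK[detection["severity"]]
    # Assumption: 'on critical' / 'on high' mean that severity or worse, and the
    # stronger action (isolate) wins when both rules apply.
    if policy["auto_isolate_on_critical"] and rank >= SEVERITY_RANK["Critical"]:
        action = "isolate_device"             # per the page, the management channel stays up
    elif policy["auto_kill_on_high"] and rank >= SEVERITY_RANK["High"]:
        action = "kill_process"
    else:
        return {"action": None, "status": "monitor", "reason": "no auto-response rule matches"}
    if not in_active_hours(now, policy["active_hours"]):
        return {"action": action, "status": "held", "reason": "outside active hours"}
    if action in policy["requires_approval"]:
        return {"action": action, "status": "pending_approval", "reason": "dual-control required"}
    return {"action": action, "status": "executed", "reason": "auto-response"}


SCENARIOS = [  # (label, severity, policy, time of detection); all constructed
    ("critical-business-hours", "Critical", EXAMPLE_POLICY, datetime(2024, 5, 1, 10, 0)),
    ("high-business-hours", "High", EXAMPLE_POLICY, datetime(2024, 5, 1, 10, 0)),
    ("high-at-night", "High", EXAMPLE_POLICY, datetime(2024, 5, 1, 2, 0)),
    ("high-night-shift", "High", NIGHT_SHIFT_POLICY, datetime(2024, 5, 1, 2, 0)),
    ("medium", "Medium", EXAMPLE_POLICY, datetime(2024, 5, 1, 10, 0)),
    ("critical-new-org", "Critical", DEFAULT_POLICY, datetime(2024, 5, 1, 10, 0)),
]


def run_scenarios():
    return {label: decide({"severity": sev}, pol, when) for label, sev, pol, when in SCENARIOS}


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label:25} {result['action']!s:15} {result['status']:17} {result['reason']}")
```

Two points worth noticing in the output: a Critical detection under EXAMPLE_POLICY does not isolate on its own because isolation is on the dual-control list, so the actual containment latency is the approver's response time; and a High detection at 02:00 is held rather than killed, which is the intended trade-off of active hours and the reason a night-shift policy needs a window that wraps midnight.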

What to Expect in the First Week

  • Days 1–7: Devices are in learning mode. Behavioral AI collects baseline data on process execution, network connections, file access patterns, and login timing. You may see informational alerts as the system calibrates.
  • Day 7+: Devices graduate to active scoring. Anomaly detection begins flagging deviations from the established baseline.
  • Ongoing: Detection rules run continuously (critical rules every 1 minute, standard rules every 5 minutes). IOC feeds refresh every 6 hours.
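The following added example illustrates the learning-mode-then-scoring sequence above for one signal, logon timing; it is not the product's Behavioral AI, whose model and thresholds this page does not describe. A per-hour histogram is learned for 7 days after an assumed enrollment timestamp, every logon in that window is reported as Informational, and from day 8 a logon is scored against the histogram. The device, logon times and the 2% threshold are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

LEARNING_DAYS = 7   # matches the page's 7-day learning mode


class LogonBaseline:
    """Per-device histogram of logon hours, learned for LEARNING_DAYS after enrollment."""

    def __init__(self, enrolled_at):
        self.enrolled_at = enrolled_at
        self.hours = Counter()
        self.total = 0

    def in_learning_mode(self, ts):
        return ts < self.enrolled_at + timedelta(days=LEARNING_DAYS)

    def score(self, ts):
        """Severity for a logon at `ts`, or None when it fits the baseline."""
        if self.in_learning_mode(ts):
            self.hours[ts.hour] += 1
            self.total += 1
            return "Informational"          # calibrating; nothing to compare against yet
        if self.total == 0:
            return "Informational"          # enrolled but never saw a logon; cannot score
        share = self.hours[ts.hour] / self.total
        nearby = sum(self.hours[(ts.hour + d) % 24] for d in (-1, 0, 1)) / self.total
        if nearby == 0:
            return "High"                   # hour and its neighbours never seen in baseline
        if share < 0.02:                    # constructed threshold
            return "Medium"                 # unusual hour, but adjacent to normal activity
        return None


def constructed_logons(start):
    """Seven days of logons at fixed times, then three day-8 logons to score."""
    events = []
    for day in range(LEARNING_DAYS):
        d = start + timedelta(days=day)
        events += [d.replace(hour=h, minute=m) for h, m in ((8, 5), (9, 12), (13, 2), (17, 40))]
    day8 = start + timedelta(days=LEARNING_DAYS)
    events += [day8.replace(hour=3, minute=15),    # never seen: High
               day8.replace(hour=9, minute=10),    # well inside the baseline: None
               day8.replace(hour=10, minute=30)]   # unseen hour next to 09:xx: Medium
    return events


def run_demo():
    """(timestamp, severity) for every constructed logon of device WS-0142."""
    start = datetime(2024, 5, 1, tzinfo=timezone.utc)   # assumed enrollment time
    baseline = LogonBaseline(enrolled_at=start)
    return [(ts.isoformat(), baseline.score(ts)) for ts in constructed_logons(start)]


if __name__ == "__main__":
    for ts, sev in run_demo():
        print(ts, sev)
```

The baseline here is frozen at graduation, so the day-8 03:15 logon cannot "teach" itself into the histogram; whether a production model keeps adapting after day 7, and how fast, is a design choice the page does not state. The example also shows why the page recommends monitoring mode during the first week: before the histogram exists, any scoring rule would have to treat every logon as either normal or anomalous, and either choice is wrong.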

Next Steps