SOLVED

Shadow IT Discovery: time taken from an MDATP endpoint using an app for the first time until it is blocked

Iron Contributor

Hi,

I am looking at using the new functionality in MD ATP to block unsanctioned apps on Win10 endpoints and have a question.

If I have a policy set up that applies to "all continuous reports" and is set to tag any newly discovered app with a risk score of 3 or less as unsanctioned, how long does it take for the app to appear in the discovered list (assuming a user accesses it on a Win10 endpoint with MDATP enabled) and be blocked on other Win10 MDATP user endpoints?

I know there will be a lot of factors that influence the *actual* time taken, but I am looking to understand the timings / variables involved to get to a point where I can understand the theoretical maximum time taken from User A accessing the app to User A (and subsequently B, C and D etc.) being blocked.

Thanks

Paul

2 Replies
best response confirmed by PJR_CDF (Iron Contributor)
Solution

Hi Paul,

This timing depends on two variables:

  1. Time from app tagging in MCAS until it is sent to MDATP (~15 minutes today)
  2. Time for MDATP to propagate this to the endpoint (up to 2 hours)

The sum of these two (2:15 hrs) is the upper bound for the unsanctioning operation to take action on the endpoint.

Thanks,

Danny.
