Helpful feature in MDATP
One of the benefits of using a cloud service backend instead of on-prem appliance boxes is that we can get new features without doing anything except for “enable” depending on feature.
One feature I like is the “flag event” feature in the timeline.
In the machine timeline view there is a “flag” we can enable on each event we find interesting. This will make it easier to go back and further investigate suspicious activities.
In the overview we can see where the flags are located in the timeline and if we want, we can also filter on flagged events