
Remediation Action

On the Hunting tab, you can view the malicious, suspicious, non-malicious, and non-suspicious events detected on your assets. You can remediate malicious and non-malicious events detected on the assets using the Quarantine File, Delete File, and Kill Process options. The event score is assigned based on the detection engine that produced the event, such as Malware Detection, YARA rules, Behavioral Analysis, or Threat Intelligence.

You can perform remediation actions for a single event or for multiple events. Bulk remediation is possible only for similar events on the Events tab. You cannot apply a bulk remediation action if you select a file from page 1 and another from page 2 of the Events tab. You can apply bulk remediation to at most 200 events at a time.

Remediation action is not available for Registry events.

This section includes the following:

Use the Filters option to view the events with a specific severity.

Filter Malicious Events

Remediation Action for File events

You can remediate malicious file events using the Quarantine File and Delete File options.

Perform the following steps to remediate a single file event:

  1. Select the required file event, and from the Remediation Action column, click Quarantine File or Delete File from the drop-down list.
    1. Alternatively, select multiple file events to perform bulk remediation and click Actions. Select Quarantine Files or Delete Files from the drop-down list.

    Remediation Action

    You can also perform the remediation action from the Event Details page.

  2. The following window is displayed based on your selection (Quarantine File/Delete File). Enter the required comment and click Execute Action.

    Deleting or Quarantining a File

  3. A pop-up message indicating the status of the submission request is displayed on the top-right corner of the screen. You can click View Request Status from the pop-up message to view the remediation request's status (In Progress, Success, Failed). You will be redirected to the Responses tab.

    User Activity Tab

    1. Alternatively, you can also view the status of the remediation request from the Remediation Action column on the Hunting tab.

Remediation Action for Process events

For Process events, the Kill Process remediation action is provided. When you perform the Kill Process action on an event, it kills the corresponding parent process.

  1. Select the required event from the Hunting tab, and select Kill Process from the Remediation Action column.

    Kill Process

    1. Alternatively, to perform bulk remediation, select multiple Processes. Click Actions. Select Kill Processes from the drop-down list.

    You can also perform the remediation action from the Event Details page.

  2. Alternatively, you can view the remediation request status from the Remediation Action column on the Hunting tab.

Auto-Remediate an event

You can auto-remediate an event by setting a rule from the Responses tab. You can configure the auto-remediate action for the following cases:

To remediate a Network or Mutex event, you can remediate the parent process of that Network or Mutex event.

Perform the following steps to auto-remediate an event from the Responses tab:

  1. Click Rule Manager > New Rule.

    Create a New Rule from the Response Tab

  2. In the Create New Rule window, provide the inputs in the mandatory fields. Fields marked with a red asterisk are required.

  3. In the Rule Query field, enter the query that will trigger the alert. You can also view and use the Sample Queries.

    Sample Queries in Rule Query section

  4. From the Trigger Criteria drop-down, select the required criteria.

  5. Turn on the Enable Auto-remediation toggle to apply the rule to new events. The Kill Process and Quarantine File data is displayed in the Quarantined Items section of the Responses tab.

    Enable Auto-remediation toggle

  6. Click Save.

    Once you save the rule, the configured quarantine action is triggered automatically.

    Automatic trigger of the configured quarantine actions