ThreatLocker Detect Alert Sidebar - Response Details

3 min. read | Last update: 10.25.2024

Beginning in Portal Version 2.4, the ThreatLocker Detect Alert sidebar has a separate section titled Response Details, located below the Alert Details.

The Response Details area will help guide users through the incident response process. In Response Details, alerts can be cleared, endpoints can be locked down or isolated, and accounts can be locked out.

In an upcoming portal release, the information inserted here will be available to be emailed to administrators as an incident response report and used to create a dashboard for a holistic view of incident responses throughout an Organization.

Selecting the blue popout icon will take the Response Details section and pop it out into another window to allow more visibility of the alerts.

Select the 'Start Response' button to begin inserting Response Details.

'Response Started' will automatically be inserted in step 1, along with the date/time that the Response was started.

The actions available in the dropdown will vary between Cloud and Endpoint and are as follows:

  • Response Started - This is not a selectable item from the dropdown; it is inserted automatically as step 1.
  • Initial Review - This is the default selection for step 2. Initial Review notes should contain a summary of the initial findings.
  • Call - Select Call to categorize any communication that took place as a result of this incident. For example, a call is made to the end user to ask about specific alerts received. Notes should be inserted to memorialize the communication.
  • Lockdown (Endpoint only) - Once selected, Lockdown will not take effect until you select 'Save Response'. Notes must be included when initiating a Lockdown.
  • Isolate (Endpoint only) - Once selected, Isolate will not take effect until you select 'Save Response'. Notes must be included when initiating Isolate.
  • Lockout (Cloud only) - Once selected, Lockout will not take effect until you select 'Save Response'. Notes must be included when initiating Lockout.
  • Add Exclusions - This is not a selectable item from the dropdown. When Exclusions are added to alerts in the Alert Details section above, they are automatically listed in the Response Details.
  • Clear All Alerts - Selecting this and then clicking the 'Save Response' button will clear all active alerts. (This replaces the Clear All Alerts button.)

Endpoint | Cloud

'Initial Review' will be the default selection for step 2 and is recommended, but can be changed by selecting the dropdown arrow and making a different selection.

Select the action being taken from the dropdown and then input the relevant notes in the 'Details' textbox. Although this input box looks like a single line, it will expand as needed. 

Select the green plus symbol to populate additional steps. Continue selecting actions, inputting notes, and pressing the plus symbol to create as many steps as necessary to complete the incident response report. 

Once all steps are documented, select the blue 'Save Response' button to save the response and close the sidebar. Any Lockdown, Isolate, Lockout, or Clear All Alerts step is applied only at this point, so a containment action is not in force until the response has been saved.

All response actions and notes will be visible in the System Audit.
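The workflow above, expressed as a small model of a Response Details record. This is an added example, not ThreatLocker code and not its API: the class and function names, the `SAMPLE_TIME` value and the sample alert scenario are all assumptions made for illustration. It enforces the rules the article states (step 1 is auto-inserted, the dropdown differs between Endpoint and Cloud, notes are mandatory for Lockdown/Isolate/Lockout, exclusions are listed automatically, and containment and Clear All Alerts happen only on Save Response) and renders the steps as a report.

```python
"""Model of a ThreatLocker Detect 'Response Details' record.

Added example only: names and sample data here are constructed for
illustration and are not ThreatLocker's own code or API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

ENDPOINT = "Endpoint"
CLOUD = "Cloud"

# Actions a user may pick from the step dropdown, per alert type.
SELECTABLE = {
    ENDPOINT: {"Initial Review", "Call", "Lockdown", "Isolate", "Clear All Alerts"},
    CLOUD: {"Initial Review", "Call", "Lockout", "Clear All Alerts"},
}
# Containment actions: notes are mandatory and nothing happens until Save Response.
CONTAINMENT = {"Lockdown", "Isolate", "Lockout"}

# Constructed fixed timestamp so examples and tests are reproducible (assumption).
SAMPLE_TIME = datetime(2024, 10, 25, 14, 0, tzinfo=timezone.utc)


@dataclass
class Step:
    action: str
    details: str
    timestamp: datetime


@dataclass
class Response:
    alert_type: str
    steps: list = field(default_factory=list)
    saved: bool = False
    applied: list = field(default_factory=list)   # containment actions executed on save
    alerts_cleared: bool = False


def start_response(alert_type, now=None):
    """'Start Response': step 1 is always 'Response Started' with the start time."""
    if alert_type not in SELECTABLE:
        raise ValueError(f"unknown alert type {alert_type!r}")
    r = Response(alert_type)
    r.steps.append(Step("Response Started", "", now or datetime.now(timezone.utc)))
    return r


def add_step(r, action, details="", now=None):
    """Green plus: add a step chosen from the dropdown for this alert type."""
    if r.saved:
        raise ValueError("response already saved")
    if action not in SELECTABLE[r.alert_type]:
        raise ValueError(f"{action!r} is not selectable for {r.alert_type} alerts")
    if action in CONTAINMENT and not details.strip():
        raise ValueError(f"notes are required when initiating {action}")
    r.steps.append(Step(action, details, now or datetime.now(timezone.utc)))


def record_exclusion(r, description, now=None):
    """Exclusions come from Alert Details and are listed automatically, not chosen."""
    r.steps.append(Step("Add Exclusions", description, now or datetime.now(timezone.utc)))


def pending_containment(r):
    """Containment steps entered but not yet in force (response unsaved)."""
    if r.saved:
        return []
    return [s.action for s in r.steps if s.action in CONTAINMENT]


def save_response(r):
    """'Save Response': only now do containment and Clear All Alerts take effect."""
    for s in r.steps:
        if s.action in CONTAINMENT:
            r.applied.append(s.action)
        elif s.action == "Clear All Alerts":
            r.alerts_cleared = True
    r.saved = True
    return r


def render_report(r):
    """Plain-text incident response report, one numbered line per step."""
    lines = [f"Response Details ({r.alert_type} alert)"]
    for i, s in enumerate(r.steps, 1):
        line = f"{i}. {s.action} - {s.timestamp.isoformat(timespec='minutes')}"
        if s.details:
            line += f": {s.details}"
        lines.append(line)
    lines.append("Status: saved" if r.saved else "Status: unsaved (containment not applied)")
    return "\n".join(lines)


def demo():
    """Constructed Endpoint scenario: review, call the user, isolate, clear alerts."""
    r = start_response(ENDPOINT, now=SAMPLE_TIME)
    add_step(r, "Initial Review", "Unsigned binary launched from the user's temp folder", now=SAMPLE_TIME)
    add_step(r, "Call", "Called the user; they did not recognise the download", now=SAMPLE_TIME)
    record_exclusion(r, "Excluded a known-good updater flagged by the same rule", now=SAMPLE_TIME)
    add_step(r, "Isolate", "Isolated the endpoint pending forensic collection", now=SAMPLE_TIME)
    add_step(r, "Clear All Alerts", now=SAMPLE_TIME)
    return r


if __name__ == "__main__":
    resp = demo()
    print(render_report(resp))        # still unsaved: Isolate listed but not applied
    save_response(resp)
    print(render_report(resp))
```

The point the model makes explicit is the one that matters operationally: `pending_containment()` is non-empty right up until `save_response()` runs, so closing the sidebar without saving leaves the endpoint un-isolated even though an Isolate step was entered.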

An upcoming Portal version will introduce a new tab on the Alert sidebar to contain and display Incident History.
