Articles in this section

See more

Click to Respond How To

Avatar
Chris Mills
  • Updated
Follow

Requirement:  "Click to Respond" enabled SaaS Instance.

RequirementConfigure: Admin level rights  Execute: Analyst level rights.

___________________________________________________________________________________________________

Description:

"Click to Respond" is Infocyte's Remediation and Response capabilities in the the SaaS Platform.  This product function allows users of the Infocyte tool to respond to alerts in various ways to limit exposure of potentially malicious or unauthorized objects. 

Overview:

Infocyte leverages extensions categorized as "Response" by an administrator to perform a prescribed action against a machine--specifically for an object on a machine.

Special Considerations for Extensions:

Extensions may utilize global variables to limit the need of hard coding variables in the extension itself.  Before running any extension or remediation action, verify the current global variable sets to ensure that said extension / action will perform as expected.  In order to properly utilize the response actions, extensions must be added to your environment.

Official extensions are available on the Infocyte Github, or can be customized or created by your team.  For more information around adding and creating extensions, please contact Infocyte's technical support or review the information located here.  

Enable response action:

Before any user is able to respond to an alert utilizing Infocyte's Click to Remediate actions, the action must be enabled by an administrator.  To enable a response action, navigate to the Profile Icon(1), select Admin(2), and then select Extensions(3), then click on the response action / extension you would like to activate (4).

mceclip0.png

The extension or response action is activated from that point forward.  If the extension IS a response action, then this action is now available under the alerts tab.

Responding to an alert:

To respond to an alert on the Alerts Tab, locate the Alert, and select the ellipses at the end of the Alerted Object's line.

mceclip1.png

This will present the following menu, select "Respond" to move to the "Response Action" menu.

mceclip2.png                                                          mceclip3.png

From the "Response Action" Menu, select the action you wish to take, and select confirm.  You will notice a response task in your Infocyte Task menu.

mceclip4.png

Viewing the results:

All response actions can be seen in the new "Respond Tab."  This tab will display the who, what, and when of the actions taken against alerts.  Expanding of each action will give in depth information around each action taken.

 

mceclip6.png

mceclip7.png

Conclusion:

Infocyte's remediation process is a powerful solution to a complex issue.  If you have any questions or concerns around this feature, please contact Infocyte's technical support for assistance.

 

Note: For the extensions / "Respond" option to work, Agent should be active on the target machine. Especially for a controller based scans. Either we can convert the agents to be permanently installed or we can initiate a new scan on that target group to make the agent active on the target machine before we respond to alert.

Related articles

Comments

0 comments

Please sign in to leave a comment.