Requirement: "Click to Respond" enabled SaaS instance.
Requirement: Configure: Admin-level rights. Execute: Analyst-level rights.
___________________________________________________________________________________________________
Description:
"Click to Respond" is Infocyte's remediation and response capability in the SaaS Platform. This product function allows users of the Infocyte tool to respond to alerts in various ways to limit exposure from potentially malicious or unauthorized objects.
Overview:
Infocyte leverages extensions that an administrator has categorized as "Response" to perform a prescribed action against a machine, specifically against an object on that machine.
Special Considerations for Extensions:
Extensions may use global variables to reduce the need to hard-code values in the extension itself. Before running any extension or remediation action, verify the current global variable settings to ensure that the extension / action will perform as expected. To use the response actions, the corresponding extensions must first be added to your environment.
Official extensions are available on the Infocyte GitHub, or they can be customized or created by your team. For more information on adding and creating extensions, please contact Infocyte's technical support or review the information located here.
Enable response action:
Before any user is able to respond to an alert using Infocyte's Click to Remediate actions, the action must be enabled by an administrator. To enable a response action, navigate to the Profile Icon (1), select Admin (2), then select Extensions (3), and then click on the response action / extension you would like to activate (4).
The extension or response action is activated from that point forward. If the extension is a response action, it is now available under the Alerts tab.
Responding to an alert:
To respond to an alert on the Alerts tab, locate the alert and select the ellipsis at the end of the alerted object's line.
This presents the following menu; select "Respond" to move to the "Response Action" menu.
From the "Response Action" menu, select the action you wish to take and select Confirm. A response task will then appear in your Infocyte Task menu.
Viewing the results:
All response actions can be seen in the new "Respond" tab. This tab displays the who, what, and when of the actions taken against alerts. Expanding each action gives in-depth information about that action.
Conclusion:
Infocyte's remediation process is a powerful solution to a complex issue. If you have any questions or concerns around this feature, please contact Infocyte's technical support for assistance.
Note: For the extensions / "Respond" option to work, the Agent must be active on the target machine, especially for controller-based scans. Either convert the agents to be permanently installed, or initiate a new scan on that target group so that the agent becomes active on the target machine before you respond to the alert.