Mitigation and Threat Actions

From a threat's Incident details or from Analyze, you can:

  • Run mitigation actions or other threat actions
  • See which mitigation actions were run and their status

The Agent mitigates threats automatically based on the AI Confidence level if the policy is set to Protect. If the policy is set to Detect, threats are not mitigated automatically.

These Mitigation actions are available for each Operating System (the availability icons in the original table did not survive extraction; cells that could not be recovered are marked "?"):

Action         Windows   MacOS   Linux & CWPP   Windows Legacy
Kill           Yes       Yes     Yes            Yes
Quarantine     Yes       Yes     Yes            Yes
Remediate      ?         ?       ?              ?
Rollback       Yes       No      No             No
Unquarantine   ?         ?       ?              ?

Rollback is available on Windows only (see its description below). Kill and Quarantine are available on all Operating Systems. The original table marked Remediate as not available on one of the platforms, but that cell could not be recovered.

Note: For static threats on all Operating Systems, only Kill and Quarantine are available. This is because static threats do not change or create processes.

For true positive threats

Before you run mitigation actions:

  • Decide if you will mitigate only the specific threat or all threats in your scope (if others exist)
  • Decide if you want to block this threat automatically in the future by adding it to the blacklist and in which EDR policies

For false positive threats

If you think that a threat is not really a threat, mark the Analyst Verdict as False Positive. This changes the Status of the threat to Marked as Benign.

  • Decide if only this specific instance is benign or if you want to create an exclusion for all instances in your scope
  • If you create an exclusion, you can choose the type (from those available) and EDR Policy in the New Exclusion window that opens

Available actions for threats:

  • Connect or Disconnect - Puts an endpoint in network quarantine, or restores a disconnected endpoint. If you think that the threat might attack other endpoints or communicate with the external network, you can quarantine the endpoint from the network. This can be an effective first response before you run other mitigation.
    Do this from the Incident details Actions, Endpoint Details, or from the Analyze page: select Network Quarantine and then Connect to Network or Disconnect From Network.

    Tip: You can enable Disconnect from Network in the EDR Policy to automate network quarantine when an endpoint has a non-mitigated threat.

    The Network Status of the endpoint, Enabled (connected) or Disabled (disconnected), shows in the endpoint section of the Incident details and in the Endpoint Details and Endpoints page.

Mitigation Actions

  • Kill - Stops all processes related to the threat.
  • Quarantine - Moves the threat and the executables it created or changed to a confined path, and encrypts them.
  • Remediate - Deletes all files and system changes created by the threat. If you select Remediate, Kill and Quarantine also run if they were not already completed.
  • Rollback - (Windows only) Restores the endpoint to a saved VSS snapshot, undoing the changes made by the process and its associated assets. This option is best for ransomware mitigation and disaster recovery.
  • Add To Blacklist - To automate threat handling, the Agent adds the detection to the Blacklist on the Management for the current scope. This changes the Analyst Verdict of the threat to True Positive. If this threat is detected on a different endpoint in your deployment, the Agent blocks the detection immediately.
    A description is added automatically to the blacklist entry to help you understand the source of items on the Blacklist page. It is editable and contains a link to the threat.
  • Add To Exclusions - The Management adds the threat to the Exclusions of the current scope. This changes the Analyst Verdict of the threat to False Positive.
    The Exclusion types that show are based on the data available in the threat.
    A description is added automatically to the exclusion to help you understand the source of items on the Exclusions page. It is editable and contains a link to the threat.

    Tip: Keep all exclusions on the narrowest scope possible. Path type exclusions have different modes; the Suppress Alerts Exclusion Mode is the default and usually resolves False Positives.

  • Unquarantine - Undoes the actions of Quarantine, which encrypts the file, changes its properties, and moves it to a confined path. Unquarantine restores the mitigated file to its original state in its original path. The option is available only if the file was quarantined successfully.
  • Add a Note - Adds a note to the Notes section of the Incident details.

You can add the same note to multiple threats in these ways:

  • If you add a Note from the Mitigation Action window and select Apply to all of instances of this threat, the same note is added to all of the instances.
  • If you select multiple threats in the Threats table and select Threat Actions > Add a Note, the same note is added to all selected threats.

Mitigation Actions

To run mitigation and threat actions:

  1. Select the threat or threats:
    • If you are in Analyze, select one or more threats.
    • If you are in the Incident details, the action applies to the open threat.
  2. Click Actions from the header of the Incident details, or Threat Actions from Threats.
  3. For mitigation, select Mitigation Action and select one or more actions to apply:
    • Select a mitigation action: Kill, Quarantine, Remediate, or Rollback. When you select an action, the actions on its left are selected automatically. For example, if you click Remediate, Kill and Quarantine are selected automatically.
    • Mark as Resolved - Changes the Incident Status to Resolved.
    • Apply to all instances of this threat - Shows if there are multiple instances of the threat and the action was selected from one instance.
    • Add to Blacklist - See the definition above. When you add a blacklist entry from here, a description is added automatically but you cannot edit it in the window. You can edit the description from the Blacklist page.
    • Add an additional note - Adds a note to the Notes section of the threat.
    • Required: Select an Analyst Verdict if the threat is True Positive or Suspicious. If you selected Add to Blacklist, True Positive is selected automatically.
  4. Click Apply.
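The selection rules in the Mitigation Action window (an action implies every action to its left, Rollback is Windows only, static threats allow only Kill and Quarantine, an Analyst Verdict is required and Add to Blacklist forces it to True Positive) are easy to get wrong when an analyst scripts bulk handling. The following model is an added illustration, not the product's own code or API; the action, platform and verdict names are taken from this topic, and the `MitigationPlan` class and function names are assumptions made for the example.

```python
# Added illustration (not the product's own code or API): the selection rules
# this topic describes for the Mitigation Action window, as a checkable model.
from dataclasses import dataclass, field
from typing import List, Optional

# Order of the actions in the window. Selecting an action also selects
# every action to its left (for example, Remediate implies Kill and Quarantine).
MITIGATION_ORDER = ("Kill", "Quarantine", "Remediate", "Rollback")

# Platform names as used in the availability table above. Rollback is Windows only.
PLATFORMS = ("Windows", "MacOS", "Linux & CWPP", "Windows Legacy")
ROLLBACK_PLATFORMS = {"Windows"}

# Static threats do not change or create processes, so only these actions apply.
STATIC_THREAT_ACTIONS = {"Kill", "Quarantine"}


@dataclass
class MitigationPlan:
    """Hypothetical container for the expanded action set and any rule violations."""
    actions: List[str] = field(default_factory=list)
    analyst_verdict: Optional[str] = None
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def expand_selection(selected: List[str]) -> List[str]:
    """Return the actions implied by the left-to-right rule, in window order."""
    unknown = [a for a in selected if a not in MITIGATION_ORDER]
    if unknown:
        raise ValueError(f"unknown mitigation action(s): {unknown}")
    if not selected:
        return []
    rightmost = max(MITIGATION_ORDER.index(a) for a in selected)
    return list(MITIGATION_ORDER[: rightmost + 1])


def plan_mitigation(selected: List[str], platform: str, static_threat: bool = False,
                    add_to_blacklist: bool = False,
                    analyst_verdict: Optional[str] = None) -> MitigationPlan:
    """Build a plan and record anything the console would not allow.

    The verdict handling follows the topic: a verdict is required, and
    Add to Blacklist sets it to True Positive automatically.
    """
    plan = MitigationPlan(actions=expand_selection(selected))

    if platform not in PLATFORMS:
        plan.problems.append(f"unknown platform: {platform}")

    if static_threat:
        blocked = [a for a in plan.actions if a not in STATIC_THREAT_ACTIONS]
        if blocked:
            plan.problems.append(
                f"static threat: only Kill and Quarantine are available, not {blocked}")

    if "Rollback" in plan.actions and platform not in ROLLBACK_PLATFORMS:
        plan.problems.append(f"Rollback is Windows only; not available on {platform}")

    if add_to_blacklist:
        plan.analyst_verdict = "True Positive"
    elif analyst_verdict in ("True Positive", "Suspicious"):
        plan.analyst_verdict = analyst_verdict
    else:
        plan.problems.append("Analyst Verdict is required (True Positive or Suspicious)")

    return plan


if __name__ == "__main__":
    # Constructed sample: Remediate on a Windows endpoint with Add to Blacklist.
    sample = plan_mitigation(["Remediate"], "Windows", add_to_blacklist=True)
    print(sample.actions, sample.analyst_verdict, sample.problems)
```

Running the block expands a single Remediate selection into Kill, Quarantine and Remediate and sets the verdict to True Positive because Add to Blacklist was chosen; asking for Rollback on MacOS, or Remediate on a static threat, returns a plan with the corresponding rule violation listed instead of silently dropping the action.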

For all other actions, select an action and follow the instructions:

  1. (Optional) For exclusions, when relevant you can select the exclusion type. The Exclusion types that show are based on the data available in the threat.
  2. (Optional) For Blacklist and Exclusion, you can edit the Description.
  3. Click Save.

After you select a mitigation action, the Agent sends the status of the action to the Management Console.

These are the statuses that each mitigation action can have:

  • Pending - The action was initiated and is waiting for a response from the Agent.
  • Success Pending Reboot - A reboot is required to complete the mitigation action because one or more activities on a file or process cannot complete. The endpoint shows that it requires a restart. For example, a file that is in use by other processes cannot be quarantined by the Agent; the Agent will try to complete the mitigation action after the reboot and will send an updated report. This status only shows for Agent versions that fully support Threat Management and Mitigation reports. See Agents at the top of this topic.
  • Success - The action completed successfully on all files or processes.
  • Failed - One or more activities failed. This does not mean that everything failed; we recommend that you see the Mitigation Report for more details.

Download the mitigation CSV report from the Incident details in the Mitigation Action Status area or from the Timeline tab.