Instructions on how to reject a remediation
Host Isolation Release is only triggered when the SOC manually closes the report on the SOC's end.
At this time, the inbox rules will not be re-enabled if an incident report is rejected. These will need to be manually re-enabled.
If you feel as though the remediation plan for the Incident Report is not needed because the activity reported is a false positive, you have already remediated the incident, or your business approves of the identified activity, then this guide will show you how to notify the Huntress Security Operation Center (SOC) and reject the remediation.
First, you must navigate to the incident in question and select "review remediation plan."
From there, select the "Reject" button in the bottom left-hand corner.
You will then need to provide your contact information, the reason why you are rejecting, and a brief comment.
In the form above, you must choose a rejection reason. Below is a list of the rejection reasons found in the dropdown.
Rejection Reason Definitions
- Approved application: The application reported is approved and should not be reported again
- Business accepted risk: The risky activity reported is accepted by our business and should not be reported again
- Manually remediated: We have manually remediated these findings and do not need to run the Assisted Remediations provided.
- Host re-imaged or decommissioned: The infected host has been taken offline and re-imaged.
- Approved Microsoft 365 user activity: This is authorized user activity in our Microsoft environment.
- Other: Rejecting for a non-listed reason. Please provide more context in the rejection comment.
If you see the following message at the top of your incidents page then your rejection has been sent to the Huntress SOC for review!
Note: Rejected incidents will not show back up in the All Incidents data table until they have been actioned by the Huntress Security Operations Center.
Blocked IP Addresses
For certain incident reports, we may also add an IP address to a host's "Blocked IP Addresses" list (for 14 days), which you can find at the host level. If you have determined an IP to be safe, you can remove the corresponding Defender Firewall rule from the machine or contact us for assistance. If you have determined the IP to be unsafe, you should consider blocking that IP permanently at the site's firewall.
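As an added example (not part of this article or Huntress's own tooling), the following PowerShell run in an elevated session on the affected host lists every Defender Firewall rule whose remote-address filter contains a given IP, so the correct rule can be confirmed before it is removed. The sample IP 203.0.113.10 is a placeholder, and the final removal step is left in `-WhatIf` mode so nothing is deleted until the rule has been reviewed.

```powershell
# Added example: locate Defender Firewall rules that block a specific remote IP.
# The IP below is a constructed placeholder; replace it with the address from
# the host's "Blocked IP Addresses" list.
$Ip = '203.0.113.10'

# Match both the bare address and its /32 form, since rules may store either.
$Wanted = @($Ip, "$Ip/32")

$Hits = Get-NetFirewallRule -Action Block | ForEach-Object {
    $Rule = $_
    # Each rule has an associated address filter holding its remote addresses.
    $Addr = $Rule | Get-NetFirewallAddressFilter
    $Remote = @($Addr.RemoteAddress)
    if ($Remote | Where-Object { $Wanted -contains $_ }) {
        [pscustomobject]@{
            Name          = $Rule.Name
            DisplayName   = $Rule.DisplayName
            Direction     = $Rule.Direction
            Enabled       = $Rule.Enabled
            Profile       = $Rule.Profile
            RemoteAddress = ($Remote -join ', ')
        }
    }
}

if (-not $Hits) {
    Write-Output "No Defender Firewall block rule references $Ip."
} else {
    # Review the matching rule(s) before removing anything.
    $Hits | Format-Table -AutoSize

    # Dry run: shows what would be removed. Drop -WhatIf only after you have
    # confirmed the rule is the one tied to the now-approved IP.
    $Hits | ForEach-Object { Remove-NetFirewallRule -Name $_.Name -WhatIf }
}
```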