Actions
Actions are the tasks that are accomplished by the security teams to respond to the threats discovered in any phase of the incident response process. An action can be both proactive and reactive. Some of the types of actions are:
Corrective: Correcting a fault in the existing process or system to prevent similar kinds of threats in the future.
Containment: Isolating an infected endpoint to prevent a threat from spreading to the other parts of the system.
Remediation: Performing quarantine or patch operations of the flaws that led to the incident.
Investigation: Conducting a thorough investigation to find the root cause of the Incident.
Recovery: Recovering an infected endpoint from an incident.
Actions Management Flow
The following illustration shows the overall workflow to manage actions in Respond (CFTR):
Create Action: Create an action in Respond to perform a security task. For example, blocking IP addresses, installing antivirus software, sending advisory emails, and more. For more information, see Create Action.
Assign a User: Assign a security analyst to perform the tasks of the action. The assigned security analyst must be a member of the assigned user group. For more information, see Assign User.
Analyze Action Summary: Move the action status to In Progress and analyze the action summary to know more about the requirements of the action.
Execute Action Task: Perform the security tasks as specified in the action.
Resolve Action: Move the action status to Resolved and assign a reviewer to review the tasks performed by the assigned security analyst.
Close Action: Move the action status to Closed.
You can use the following features to effectively perform the tasks of the action:
Notes: Add notes about important events while performing the security tasks for reference. Any user who has access to an action can view and add notes. For more information, see Add Notes.
Activity Logs: Track all the updates of an action in the activity logs. During retrospection of the action, you can use the activity logs to trace a specific action update. You can search, filter, and export the activity logs. For more information, see Manage Activity Logs.
Connect the Dots: Connect other Respond module entries with the action to draw contextual intelligence on complex threats to effectively perform the tasks of the action. For more information, see Connect the Dots.
Attachments: Upload any type of file that is related to the action as attachments. For more information, see Add Attachments.
Playbooks: Run the Orchestrate Playbooks to perform security automation and orchestration tasks of the action. For more information, see Run Playbooks.
KnowledgeBase: Create knowledge base articles for future reference and training based on the learning from the action. For more information, see Create Knowledge Base Article.
Time Tracking: Track the time spent by the security analysts to resolve the action. For more information, see Time Tracking.