Incident Response

The Incident Response module is where you take action against incidents to resolve them. For example, an incident can mean that your system was attacked, or the session was compromised.

To take action against any incident, follow these steps:

  1. Click the Incidents tab and select Incident Response.

The INCIDENT RESPONSE window opens.

Figure 18: Incident Response window

  2. Click View commands.

The Commands available window opens with the list of available commands.

Figure 19: Commands available window

The available commands are as follows:

  Command            Description
  -----------------  ------------------------------------------------------------
  SHUTDOWN_SERVER    Use this command if you need to shut down the server.
  BLOCK_IP           Use this command if you need to block the IP address.
  ISOLATE_HOST       Use this command if you need to isolate the host.
  RESTART_SERVER     Use this command if you need to restart the server.
  KILL_PROCESS       Use this command if you need to kill a process.
  UNINSTALL_PROGRAM  Use this command if you need to uninstall a program.
  RUN_CMD            Use this command if you need to run your own command on the command line.
  DISABLE_USER       Use this command if you need to disable a user account.


  3. Click Execute command.

The Execute command window opens with the list of commands to use.

Figure 20: Execute command window

  4. Select the appropriate command to use.
  5. Select an IP address in the IP drop-down list.
  6. Click Run command.

The selected command is executed. Its result is shown in the EXECUTION column, where a new View result button appears, as shown below.

Figure 21: View result button

  7. Click the View result button to see the result of the executed command.

The Incident response execution result window opens with the result.

Figure 22: Incident response execution result window

Note: To learn how to navigate and use the various filters and functions within the Incidents module, see Understanding Alerts Module. The navigation, filters, and functions in the Incidents module are similar to those in the Alerts Management module.