Applying response actions to integration nodes
In the Incident Graph, response actions are available on nodes that originate from XDR integrations, such as email, identity, and firewall nodes. These actions let you respond directly to a threat by using the capabilities of the connected integration, for example by blocklisting a sender in the email security product or suspending a user account in the identity provider.
Response actions in the Incident Graph apply only to integration nodes. EDR response actions, such as quarantining a process or isolating a workload, are applied from the Cyber Kill Chain; some of them are currently available only there and cannot be started from the Incident Graph.
To apply a response action to an integration node

1. In the Cyber Protect console, go to Protection > Incidents.
2. In the displayed list of incidents, click the icon in the far-right column of the incident you want to investigate.
3. Click the Incident Graph tab.
4. Navigate to the relevant integration node, and click it to display the sidebar for the node.
   If the node is a grouped node (indicated by a number label), a response action applied to this node is applied to all sub-nodes in the group. Check which sub-nodes the group contains before you execute an action such as suspend user or forced password reset, because the action affects every entity in the group, not just the one you are looking at.
5. Click the Response actions tab.
6. Click Execute for the required response action.
   The available response actions depend on the integration. For example:
   - FortiMail Workspace Security: blocklist sender.
   - Microsoft 365: terminate user session, forced password reset, suspend user.
   Response actions are not available for all integration nodes. For example, Teams nodes do not support response actions.
   After you click Execute, the other response actions for the node are temporarily disabled while the action runs. When the action is complete, they are enabled again.
7. Click the Incident Activities tab to review all response actions applied to the node. For more information, see Understand the actions taken to mitigate an incident.