Recommended response tasks

Threat Investigator provides recommended response tasks for a threat investigation, along with the reasons for each recommendation.

You can view response recommendations on the Investigation details panel.

Task details

From the Investigation details > Results tab, in the Recommended response tasks section, click View task to learn more about the response task recommendations.

On the Task details page, view the response recommendation and confidence level for the response. You can save the task to the case or remove the recommended task. You can also view the following information:

  • Prevalence analysis. Shows related activity on the target so that you can judge the impact that taking the response action would have. For example, the response recommendation might be to block an IP address, but the analysis shows recent activity associated with that IP that indicates the impact the block would have and that the address maybe should not be blocked. To further investigate the impact, you can run another query and modify the time frame in Data Explorer. The event timeline shows the event count and the time of occurrence depending on the response action.
  • Events timeline. Shows the chart that is generated from the prevalence analysis.
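The prevalence check described above, as an added illustration that is not Threat Investigator's own code: over constructed sample events, it collects the hosts that recently contacted the IP a recommendation proposes to block, builds an hourly event timeline, and flags the block for review when the address is in broad use. The host threshold, window length and event shape are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: (timestamp, source host, destination IP).
EVENTS = [
    ("2024-05-01T09:05:00", "ws-101", "203.0.113.10"),
    ("2024-05-01T09:20:00", "ws-102", "203.0.113.10"),
    ("2024-05-01T10:02:00", "ws-103", "203.0.113.10"),
    ("2024-05-01T10:40:00", "ws-104", "203.0.113.10"),
    ("2024-05-01T11:15:00", "srv-db1", "203.0.113.10"),
    ("2024-05-01T11:50:00", "ws-101", "203.0.113.10"),
    ("2024-05-01T11:55:00", "ws-107", "198.51.100.7"),
    ("2024-04-20T08:00:00", "ws-150", "203.0.113.10"),  # outside the look-back window
]
WINDOW_END = datetime(2024, 5, 1, 12, 0, 0)  # fixed "now" so the run is reproducible

def prevalence(events, ip, window_end, window_hours=24):
    """Recent activity associated with `ip`: the set of hosts that contacted it
    and an hourly event timeline, restricted to the look-back window."""
    start = window_end - timedelta(hours=window_hours)
    hosts, timeline = set(), Counter()
    for ts, host, dst in events:
        when = datetime.fromisoformat(ts)
        if dst != ip or not (start <= when <= window_end):
            continue
        hosts.add(host)
        timeline[when.replace(minute=0, second=0).isoformat()] += 1
    return hosts, timeline

def assess_block(events, ip, window_end, host_threshold=3):
    """Decide whether a 'block IP' recommendation is safe to save as-is.
    Widespread recent use (assumed threshold: 3 hosts) means the block needs
    review before it is applied; otherwise the collateral impact is low."""
    hosts, timeline = prevalence(events, ip, window_end)
    total = sum(timeline.values())
    if len(hosts) >= host_threshold:
        return {"verdict": "review", "hosts": len(hosts), "events": total,
                "reason": f"{len(hosts)} hosts contacted {ip} in the window"}
    return {"verdict": "block", "hosts": len(hosts), "events": total,
            "reason": "little recent activity; blocking has low collateral impact"}

if __name__ == "__main__":
    print(assess_block(EVENTS, "203.0.113.10", WINDOW_END))
    print(assess_block(EVENTS, "198.51.100.7", WINDOW_END))
```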

Example: Task details page (screenshot of the Task details screen)

Response actions

The following response actions are supported:
  • Add file hashes to your deny list
  • Add IP address to your deny list
  • Disable RDP traffic for hosts/IPs
  • Block URL
  • Block domain
  • Quarantine system
  • Block user
  • Block ICMP requests on host
  • Block unauthorized scanners
  • Close unnecessary ports on host
  • Configure firewall to block access to SMB ports
  • Isolate user activity
  • Scan system