Performing remediation actions
This article will describe the current remediation actions available through the RocketCyber agent and how to deploy them.
The RocketCyber agent has the ability to perform the following remediation actions on Windows devices:
- Remove files
- Delete registry keys & values
- Terminate processes
- Uninstall software
- Stop services
- Delete scheduled tasks
Currently, the apps that can offer Remediation Actions are:
- Advanced Breach Detection
- Suspicious Tools
- Defender Monitor
- Malicious File Detection
How to run a remediation
-
Go to Incidents in the left sidebar and click Manage Incidents.
-
From the list of incidents, choose an incident and click View Details.
-
From the Incident details, click Remediate.
-
Select which actions are taken by clicking on the check box next to each remediation step.
-
Isolate All Devices - This option will isolate the device during the remediation process. The process of isolation will prevent the device from communicating on the network with any other destination except the RocketCyber cloud.
-
After reviewing and selecting the remediation steps click on Execute to perform the choose remediation actions.
-
Remediation Process
After the Execute button is pressed, the RocketCyber cloud sends a remediation message to the targeted device(s). The agent responds to acknowledge the request and begins executing the assigned remediation steps. Once the remediation has completed the agent will send a message back to the RocketCyber cloud to indicate the completion status of Complete or Failure.
Review Remediation Status
You can view the status of a remediation at anytime from the Incident View.
From the Incident List click on Remediation Status for the desired incident.
The remediation status view will show the progress of remediation actions across any devices that were selected.
Once the remediation has completed successfully the status of the incident will change to resolved.
