Intezer provides actionable recommendations for every alert it triages. The recommendations are derived from the alert type, the automated triage result, the risk level, and the associated entities. By following these instructions, security teams can respond quickly and efficiently to potential cyber-attacks and the risks associated with them.
Utilizing Intezer's Recommended Actions
Leverage Intezer's recommendations in multiple ways for an effective cybersecurity strategy.
Auto Alert Remediation by Intezer
Intezer is directly connected to critical security systems such as endpoint security tools. This allows it to take automatic action in these tools. For example, Intezer can close a false positive (FP) alert in the EDR. For more information about this option, please refer to Auto Alert Remediation.
Manual Review of Recommended Actions
Users can review the recommended actions provided by Intezer and decide how to proceed. This option is best suited to high-impact actions that should be confirmed by a person before they are carried out, such as isolating a machine or resetting credentials. The recommended actions are available in the Intezer console or through integrations, APIs, or webhooks.
Automating External Actions with Intezer’s Recommendations
If there are actions involving additional tools that you wish to automate, you can leverage Intezer's recommendations in combination with a SOAR or other automation tool.
Consider this scenario: Intezer confirms an alert and identifies a malicious network IOC, either from a compromised endpoint or from a reported phishing incident. You can use a SOAR workflow to block that network IOC automatically across systems such as the firewall, IDS, and SASE.
This way, Intezer guides your decision-making process, while you retain control over the actions taken and over the management of your security infrastructure.
Examples of Possible Recommended Actions
Endpoint Security Confirmed Alerts
- Kill Process
- Quarantine File
- Isolate Machine
- Reset Credentials
- Disable Account
- Block IOCs
- Resolve as True Positive
False Positive Alerts
- Exclude File Hash/Path
- Exclude Command Line
- Resolve as False Positive
Suspicious Emails
- Block Email Sender
- Block Email Sender Domain
- Quarantine Email
- Block IOCs
Suspicious Activity or Unwanted Software
- Follow up with the user to remove unauthorized software
- Validate activity with the user
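The SOAR scenario described above and the action lists in this section can be combined into a small playbook router. The following is an added example written for this page, not Intezer's own code or API: the alert payload shape, the split of action names into "run unattended" and "wait for an analyst" tiers, the internal address ranges, and the sample alert are all assumptions for illustration. It shows the practical guardrail an automation should have before it pushes a "Block IOCs" recommendation to a firewall: unconfirmed verdicts go to a human, unknown action names are never executed blindly, and IOCs that are not valid external IP addresses (internal hosts, loopback, typos) are held for inspection instead of being blocked.

```python
"""Policy router for Intezer-style recommended actions.

Added example, not Intezer's code. The alert payload shape, the action
names' impact tiers and the internal address ranges are assumptions used
for illustration; they are not Intezer's API schema.
"""
import ipaddress

# Assumed policy: low-impact actions the SOAR may execute unattended.
AUTO_ACTIONS = {
    "Resolve as True Positive", "Resolve as False Positive",
    "Exclude File Hash/Path", "Exclude Command Line", "Block IOCs",
}
# Assumed policy: high-impact actions that wait for an analyst's approval.
REVIEW_ACTIONS = {
    "Isolate Machine", "Reset Credentials", "Disable Account",
    "Kill Process", "Quarantine File",
}
# Assumed organisation-internal address space that must never be blocked
# at the perimeter, even if an alert lists one of its hosts as an IOC.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def blockable_ip(value):
    """True only for a syntactically valid, externally routable IP address."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False  # not an IP (domain, hash, typo): needs a different handler
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in INTERNAL_NETWORKS)


def route_alert(alert):
    """Sort an alert's recommended actions into execution buckets.

    Returns a dict with:
      auto      - actions the playbook runs immediately
      review    - actions queued for a human decision
      unknown   - action names outside the policy (never executed blindly)
      block_ips - IOCs that passed validation and go to the firewall blocklist
      held_iocs - IOCs rejected by validation, kept for analyst inspection
    """
    out = {"auto": [], "review": [], "unknown": [], "block_ips": [], "held_iocs": []}
    actions = alert.get("recommended_actions", [])
    # Only a confirmed (malicious) verdict may trigger unattended actions;
    # anything else is routed to a human regardless of the action's tier.
    if alert.get("verdict") != "malicious":
        out["review"].extend(actions)
        return out
    for action in actions:
        if action in AUTO_ACTIONS:
            out["auto"].append(action)
            if action == "Block IOCs":
                for ioc in alert.get("network_iocs", []):
                    bucket = "block_ips" if blockable_ip(ioc) else "held_iocs"
                    out[bucket].append(ioc)
        elif action in REVIEW_ACTIONS:
            out["review"].append(action)
        else:
            out["unknown"].append(action)
    return out


# Constructed sample alert in the assumed payload shape (not a real event);
# "Notify Vendor" is a made-up action name to show the unknown-action path.
SAMPLE_ALERT = {
    "alert_id": "example-0001",
    "verdict": "malicious",
    "recommended_actions": ["Block IOCs", "Isolate Machine",
                            "Resolve as True Positive", "Notify Vendor"],
    "network_iocs": ["203.0.113.7", "10.0.0.5", "not-an-ip", "198.51.100.20"],
}

if __name__ == "__main__":
    routed = route_alert(SAMPLE_ALERT)
    for bucket, items in routed.items():
        print(f"{bucket:10s} {items}")
```

In a real playbook the `block_ips` bucket would be pushed to the firewall or SASE blocklist and the `review` bucket opened as a ticket for the analyst; keeping the decision logic in one function makes the policy easy to audit and to adjust as the organisation's tolerance for unattended actions changes.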
Conclusion
By using Intezer's recommended actions, your security team will have the necessary tools to respond efficiently to cybersecurity threats. You can use automated actions within Intezer, manually review recommendations, or incorporate external tools for automation, depending on what works best for your organization's needs and policies.
If you have any questions or need assistance, please contact us at support@intezer.com.