Remediation & Response Management

Remediation and Response management actions can be triggered through the artifact grids and classification rules. Remediation and Response actions are executed through functions. They can be reviewed, and new functions can be added by "Security Assurance" -> "Remediation & Response Settings" -> "Remediation Functions". To create a new function, please press the "+Job" button. Custom functions can be created by using PowerShell commands and scripts. For each remediation function, it is possible to define which grids the action will be available.

To monitor active jobs, please go to "Security Assurance" -> "Windows/Linux Remediation". Current jobs can be enabled, disabled, or removed through the "…" button. The remediation summary section is accessible to review the state of all active jobs by "Security Assurance" -> "Windows/Linux Remediation" -> "Windows/Linux Remediation Summary". Response actions can be triggered for an artifact on the grids by right-clicking on the artifact and selecting the "Remediate" option. The task can be created for a single device, a group, or all devices. A job can run continuously, remaining active as long as it is manually disabled. Devices can also run the job once or on every communication cycle to the server. Once the parameters are set, click the "OK" button to create a remediation/response job.

The job history can be seen by "Security Assurance" -> "Windows/Linux Remediation" -> "Windows/Linux Remediation Logs". To create an automated remediation/response job, edit a classification rule with "Notify on Match" or "Notify on Non-Existence." From the rule settings, add a notification by clicking the "+Notification" button. An existing remediation/response job can be selected, or a new one can be created by clicking the "+Notification Setting" button once the job type is selected. All parameters can be configured.

For SSH and Powershell based remediation functions, values of grids can be used. $#{<column-name} is used for the values of columns within the grids. ##{<variable-name} is used to request a value from the user on execution.