The following article outlines the key assumptions and descriptions of the Guardz 'Incident' screen.
Notifications & View:
Once an incident has been opened, admins will be notified by:
An incident's full details can be found in the 'Detection & Response' section, under a separate category at the top. Clicking a record opens the screen for that specific incident.
A banner on the incident screen displays badges showing the incident's status, together with an assessment of its potential impact, indicating whether it is likely to be harmful or low risk.
The main overview screen provides admins with a summary of the incident, including a concise description and key observations.
The main screen also provides an overview of all relevant indicators related to the attack or compromise.
Admins can review detected findings in chronological order for each incident through the 'Incident Timeline' tab, including MDR involvement where applicable. Selecting a record opens a detailed view with additional information.
The AI 'Investigation Steps' tab adds an analytical layer on top of the timeline: the autonomous analyst explains which factors triggered the incident, tracks how they led to its creation, and supplies further context. Each finding is accompanied by the relevant evidence.
Admins can use a chat-based assistant to ask real-time follow-up questions and continue the investigation by querying any detail of the incident and its findings (click the AI icon on the right side of the screen to start a conversation).
Please note:
Because Google Workspace (GWS) and Microsoft audit logs can arrive with a delay, some incidents are not created immediately and may appear later. Once an incident is visible, both its creation timestamp and the timestamp of the underlying event are shown accurately, so the two should not be confused when reconstructing a timeline.
Microsoft 365 lets users report a suspected phishing email with a single click. The report triggers a rescan of the message by Guardz's autonomous analyst through Check Point (Avanan). If the email is classified as malicious, it is removed from the inboxes of all affected users, and all related activity is logged as an incident in Guardz.
Incidents Management & Remediation:
The incident screen features an 'Action Center' on the right-hand side, allowing admins to perform immediate response actions:
Suspend the User:
Admins can suspend a user's account to block access to the productivity suite.
To suspend a user, open the relevant incident and click the 'Suspend User Account' button.
Please note:
The 'Suspend' action has been enhanced to also revoke all of the user's active sessions: when a user is suspended, they are immediately signed out of every active session across all devices and platforms, not just blocked from signing in again.
ITDR isolation works by suspending the user account in Microsoft Entra ID through the API permissions granted to the Guardz response app. Isolation can be removed by re-enabling the user on the Entra user page.
If a client is connected to Active Directory and Guardz MDR suspends a user, the user will be automatically re-enabled when the next AD synchronization occurs, because the synced account's enabled state is overwritten from on-premises AD. In such hybrid environments the account should therefore also be disabled in on-premises AD for the isolation to hold.
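The three notes above describe what the 'Suspend User Account' action does under the hood (disable the Entra ID account, revoke active sessions) and the hybrid-AD pitfall. The following PowerShell script is an added example, not Guardz's own code or the response app's implementation, that reproduces the same sequence manually with the Microsoft Graph PowerShell SDK and handles the AD-synced case. It assumes the Microsoft.Graph and ActiveDirectory modules are installed, that the caller holds a role permitted to disable users, and that the Graph scopes listed are sufficient (check the current Graph documentation; the scope names are an assumption here).

```powershell
# Added example (not Guardz's code): manually suspend a Microsoft 365 user, revoke
# their sessions, and, if the object is synced from on-prem AD, disable the source
# account so the next sync does not silently re-enable the user.
param(
    [Parameter(Mandatory = $true)][string] $UserPrincipalName
)

# Scopes are an assumption; adjust to what your tenant/role actually requires.
Connect-MgGraph -Scopes "User.Read.All", "User.EnableDisableAccount.All", "User.RevokeSessions.All" -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled, OnPremisesSamAccountName

# 1. Suspend: accountEnabled=false blocks any new sign-in to the productivity suite.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Revoke sessions: invalidates the user's refresh tokens so existing sessions die.
#    Access tokens already issued remain valid until they expire, so "immediate"
#    sign-out is bounded by the remaining access-token lifetime.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Hybrid caveat: a synced user's enabled state comes from on-prem AD. Disable the
#    source object too, otherwise the next AD synchronization re-enables the account.
if ($user.OnPremisesSyncEnabled) {
    Disable-ADAccount -Identity $user.OnPremisesSamAccountName
    Write-Host "Synced user: also disabled on-prem AD account '$($user.OnPremisesSamAccountName)'"
}

# 4. Verify the cloud side took effect before closing the incident.
$check = Get-MgUser -UserId $user.Id -Property AccountEnabled
if ($check.AccountEnabled) {
    throw "Account $UserPrincipalName is still enabled; suspension failed"
}
Write-Host "Suspended $UserPrincipalName and revoked active sessions"
```

Run it as `.\Suspend-CompromisedUser.ps1 -UserPrincipalName alice@contoso.example` (a constructed example UPN). Re-enabling the user afterwards means reversing both halves: enable the account in Entra (or, for synced users, in on-prem AD and wait for the sync), and do not rely on step 2 being undone, since revoked sessions simply require a fresh sign-in.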
Isolate Device:
Admins can isolate a device, cutting the endpoint off from the network to stop an attack from spreading.
Additional Action Items:
View playbook: opens a detailed step-by-step guide on how to handle the issue, with links to the full technical guides (you may also review and follow these user guides directly).
Close incident: changes the incident's status to Closed.