Detection & Response
Updated over a month ago

Available in: Starter, Pro, and Ultimate

Getting to Know the Detection & Response Page

Guardz continuously scans for threats across multiple attack vectors. When a threat is detected, it will trigger a new issue. Guardz provides the tools for you to focus on the most urgent issues.

The Detection & Response page displays all issues in one place and can be displayed in a number of ways, to suit your preferences and workflow.

These are the Detection & Response page view options:

  • List (default)

  • Dynamic

  • Inbox

  • Table

The view changer is located in the top-right corner of the page.

In each view, issues can be filtered by severity, security control, user, issue type, and more.

List View

The Detection & Response page opens to the list view by default. This is a high-level look at all the issues, organized into related groups. Groups are ordered by issue severity, with groups containing the most severe and highest number of issues at the top, helping you to prioritize at a glance.

Selecting an issue group opens the dynamic view, which is discussed a bit further down this page.

Inbox View

The inbox view contains two panes. The left lists the issue groups while the right displays a table of individual issues within the selected issue group. The issues are ordered by severity, with the most severe issues at the top.

Selecting an individual issue from the list will open the issue details and remediation/response options.

Table View

The table view is almost identical to the inbox view. Here, however, the pane of issue groups is minimized and the table of detections is expanded to display more details.

Here too, selecting an individual issue from the list will open the issue details and remediation/response options.

Dynamic View

The dynamic view allows you to seamlessly switch between the inbox and table views. When hovering over the table of detections, the table is expanded. When hovering over the list of issue groups, the list is expanded.

With the dynamic view, you can do a high-level scan of the areas most needing your attention and very quickly drill down to remediation/response.

AI Insights

Gen-AI is an exciting Detection & Response tool. It leverages powerful AI to generate insights, enhancing your ability to see connections between different detections. It empowers you to identify the riskiest users and provides actionable guidance on how to manage those detections effectively.

Simply select "AI Insights" and the insights will populate.

Response

Now that you understand how to navigate the Detection & Response page, let’s take a closer look at responding to issues.

Selecting an issue will open the issue details and response options.

Here you can choose to remediate or ignore the issue. Be careful when ignoring an issue and make sure it is non-threatening. When ignoring, you can also include an explanation or reason for why it is being ignored; this information is included if you later export the data to a CSV. When remediating, you will be guided through the process: first the remediation options, and then the steps to fix the issue.

Remediations are sometimes manual and sometimes automated. Often the system will offer multiple remediation options, allowing you to choose the one most suitable to the organization, the situation, and your preferences. Please note that once a remediation has been applied, there is no option to change it.

This is an example of a remediation options screen:

If you’re unsure which option is best, don’t worry; selecting continue will not yet remediate the issue. The next screen will describe the steps Guardz will take, if automated, or guide you through the steps you need to take, if manual. You can always go back and select a different remediation option.

When you’re ready to proceed with a remediation option, select “Remediate,” if automated, or follow the steps, if manual, and then select “Mark as Processed.”

Congratulations! You’ve fixed the issue!

Note: After remediation, the issue status will sometimes become “In Progress” and sometimes become “Closed” immediately. An in-progress remediation becomes closed after the related security control’s next scan verifies that the remediation was successful. When a status changes from “In Progress” back to “Open,” it can take up to 48 hours for the updated status to appear on the dashboard.

Remediations related to the External Footprint can take up to four days to process, while for other security controls it can take a few minutes.

If a remediation is unsuccessful, the issue will reopen.

Bulk Response

Do you have multiple similar issues that you would like to remediate in the same way? We created a bulk response tool for this very scenario. It is ideal for remediation actions that take an extended amount of time, such as removing shares. You can fix up to 200 issues at once, and the process is asynchronous: issues will show as “In Progress” when you click “Remediate” and will be marked as “Closed” when the remediation is complete.

Save time by applying the same response to multiple issues at once. Simply select the issues and then “View All.” Note that this must be done within the Single Customer View.

While bulk remediations must be the same issue type, bulk ignoring can include multiple issue types.

CSV Export

Overview Export

MSP Admins can export all detection and response incidents for individual client accounts. The benefit of this feature is that the CSV document can more easily be shared with the client and presents the information in a form that can be sorted and filtered, making it easier to understand.

To export the detection and response incidents as a CSV file go to the Incident section of the dashboard and select the specific customer. Then click the export icon in the top right and select “Export to CSV.”

Incidents > Single Customer > Export to CSV

Individual Issue Export

Admins can also select an individual issue overview to export to a CSV. This allows them to see all the issue details for the specific issue type in a more user-friendly view that can be shared with customers.

Single Customer > Detection & Response > Issue > Export to CSV

Incident Reports

MSPs can create incident reports from the Detection & Response page for individual customers. Incidents appear towards the top of the page, above the Issues section. To create a report of an incident, select the specific incident, then press “More Actions” > “Create Report.” The report is a printer-friendly version of the page and includes a text-based version of the timeline.

Best Practices

These are some suggestions to improve the ease and efficiency of your workflow:

  • Set up email notifications for new issues in My Profile. Configure the notification settings for each organization.

  • Aim to clear all issues. If issues aren’t cleared and many accumulate, prioritizing becomes difficult. Additionally, clearing issues will increase the security score.

  • If you know an issue is being handled outside of Guardz, and the resolution will take less than one month, set the issue to “Ignore for 1 week” or “Ignore for 1 month,” accordingly.

  • Occasionally review all of the issues related to Email Protection and reassess your Caution Banner & Quarantine settings.

  • Apply bulk response whenever possible. For example, if multiple risky emails were sent from the same domain, enter the domain into the search bar, select all of the related issues, and apply a bulk response.

Best Practices: Cloud-Related Issues

  • Ask your customer for feedback regarding what assets can or cannot be public or shared externally.

  • If you are unsure which assets can and cannot be shared externally, remediate by notifying the user. This will send an email to the user and pass the responsibility to them. You can also have the email sent to the document owner, the business owner, or anyone else on the team responsible for making data-sharing decisions.

  • If you know that an asset can be shared, you can add it to the Assets Allow List and bulk remediate.

  • Apply bulk response whenever possible. For example, if there are frequent cloud-related issues associated with the same user, filter the issues by user and bulk notify that user.
FAQ: Detection & Response

  • Question: How will ignoring an issue affect the security score?

    📍Answer: Ignoring an issue will positively impact the score. However, overuse of ignoring for critical and high-level issues can be included in an insurance audit and may negatively affect a claim.

  • Question: What does it mean if an issue is “In Progress”?

    📍Answer: After remediation, the issue status will sometimes become “In Progress” and sometimes become “Closed” immediately. An In Progress remediation becomes Closed after the related security control’s next scan verifies that the remediation was successful. Remediations can take up to four days to process. If a remediation is taking longer than expected to complete, you may need to wait. If a remediation is unsuccessful, the issue will reopen.

  • Question: How long will it take a security score to update after a remediation?

    📍Answer: It can take up to one hour for a security score to update after a remediation.

  • Question: I asked a user to modify the permissions of an asset but the issue returned. What happened?

    📍Answer: It’s likely that the user did not change the permissions. When the security control rescans, if the permissions did not change, the issue will reappear.

  • Question: Can I see a list of ignored issues?

    📍Answer: Yes. To see a list of ignored issues, go to the Detection & Response page and select “Ignored” in the status tab.

  • Question: Can I export a list of issues?

    📍Answer: Yes. To export a list of issues, go to the Detection & Response page, select the export icon at the top right corner of the table, and choose to export as CSV or print.