Threat Remediation
Use threat remediation to isolate a device from the network or add a file to the waived or quarantined lists on a device.
If the threat remediation device list is empty, you must specify a device first.
- In QRadar, select Cylance.
- Select Devices.
- Select Threat Remediation.
- Select a device from the Devices list.
- Select a threat from the Threats list.
- Select an action from the Remediation list. You can select the following actions for a threat. If a file has already been remediated, "Quarantined" or "Waived" appears after the file name.

  Remediation: Description

  Isolate device: Disables network connectivity on the device for the specified amount of time. This includes LAN ports and WiFi adapters.
  - Expiry Timer is the amount of time the device is isolated from network activity.
  - Choose is a list that allows you to select minutes or days for the amount of time the device is isolated from network activity.
  - When specifying a time for the Expiry Timer, the minimum is 5 minutes and the maximum is 3 days.
  To isolate a device, the CylanceOPTICS agent must be installed on that device. This is also known as Lockdown Device.

  Waive Threat on Device: Adds the file to the waived list on the selected device.

  Quarantine Threat on Device: Adds the file to the quarantine folder on the selected device.
- Click Apply Remediation Action.
If the Modify permission was granted (see Application privileges), administrators can remove any supported device from the network. Before granting this permission, ensure that all administrators in your organization understand the risks involved.