This topic describes MDR actions.
- MDR analysts identify the existence of a threat and confirm with senior team members.
- Potential actions are proposed for containment of the threat, requiring two approvals by senior team members for each action.
- The minimum actions needed to contain the threat will be used to reduce the risk of business system impact; for example, quarantine is used as a last resort, only when appropriately necessary for threat containment.
- Any policy modifications implemented will be targeted to the threat to eliminate negative impact to the systems affected but also be effective in containing the threat.
- Each policy modification is confirmed to be efficacious and tested by senior team members before implementation to make sure that unwanted blocks do not occur.
- The MDR team will clone the infected system’s original policy to a new policy marked as modified by the MDR team. The MDR team will then modify the new policy with the containment policy rules and move the infected system(s) to the new policy.
- All actions taken by the MDR team are communicated in detail to the customer through alerts.
- Two-way communication can be initiated by replying to the initial alert email sent by the MDR team and through the Carbon Black Cloud console.
- All actions taken by the MDR team can be reversed by the customer.