This article will answer common questions regarding One-Click Response.
Q: What playbooks are available for One-Click Response?
A: There are 8 different types of playbook available. They are:
- Block user sign-in
- Run anti-virus
- Host Isolation
- User Lockout
- User Disable
- Host Quarantine
- Allow/Block IP or Domain
Q: What is the goal of One-Click Response?
A: To increase the visibility of ContraForce incident response capabilities and provide one-click response coverage for as many different incidents as possible.
Q: Will this minimize the user's involvement in incident response?
A: Yes, the complexity of incident response will be abstracted from the user. Some context, such as logs, will be available for export, but the ContraForce interface emphasizes the use of One-Click Response.
Q: How long does it take to run a playbook?
A: The response time can vary from seconds to minutes.
Q: What confirmation does a user receive once a playbook has been executed?
A: Upon executing a response, the user will receive a notification. The notification will convey one of two messages:
- If Response Complete: Confirmation that the response is complete and a confirmation has been sent to their email. Sample copy: “<username> account successfully suspended”
- If Response Incomplete: Notification that the response is pending and the user will receive confirmation via e-mail when the response action is complete. Sample copy: “<username> suspension is in process. You will receive a notification when the process is complete.”
Q: What does the user see while a playbook response is running?
A: On the “Incidents” and “Needs Attention” tables, the “Respond” button is replaced with a component that displays the percentage complete.
Q: What happens when a response fails?
A: If a response fails, the user can click Run again or choose to have ContraForce contact them. If the second option is selected, the ContraForce team will reach out to the user directly.
Q: Can a user “undo” a response?
A: Some responses (e.g. “Isolate Host” or “Suspend User”) can be “undone”, given the nature of the action taken. The interface to “Undo” an action exists in the Respond tab of the Incident Detail modal. A “Run” button is displayed before a One-Click response, and an “Undo” button is displayed in its place when reversion is possible. The “Undo” button is inactive when reversion is not possible (e.g. “Reset Password”).
Q: What types of incidents have One-Click Response available?
A: Incidents that have a severity level of Medium or High.
Q: Why is response not available for Informational and Low severity incidents?
A: First, it is exceedingly rare that an incident categorized as Informational or Low would require any response. Second, it is much more likely that an automated response for an Informational or Low severity incident would create more problems and unnecessary work for the IT / Security team to resolve an “incident” that was not truly an issue.