Define response actions for a suspicious file
As part of your remediation response to an attack, you can apply the following actions to suspicious files:
- Delete a file (see below)
- Quarantine a file (see below)
- Add the file to a protection plan allowlist or blocklist (see Add a process, file or network to the protection plan blocklist or allowlist)
To delete a suspicious file
- In the cyber kill chain, click the file node you want to remediate.
- In the displayed sidebar, click the Response Actions tab.
- In the Remediate section, click Delete.
- [Optional] Add a comment. This comment is visible in the Activities tab (for a single node or the entire incident), and can help you (or your colleagues) recall why you took the action when you revisit the incident.
- Click Delete.
The file is deleted. This action can also be viewed in the Activities tabs of both the individual node and the entire incident. For more information, see Understand the actions taken to mitigate an incident.
To quarantine a suspicious file
- In the cyber kill chain, click the file node you want to remediate.
- In the displayed sidebar, click the Response Actions tab.
- In the Remediate section, click Quarantine.
- [Optional] Add a comment. This comment is visible in the Activities tab (for a single node or the entire incident), and can help you (or your colleagues) recall why you took the action when you revisit the incident.
- Click Quarantine.
The file is quarantined. This action can also be viewed in the Activities tabs of both the individual node and the entire incident. For more information, see Understand the actions taken to mitigate an incident.