Define response actions for a suspicious process

As part of your remediation response to an attack, you can apply the following actions to suspicious processes:

To stop a suspicious process

  1. In the cyber kill chain, click the process node you want to remediate.
    Windows critical processes or non-running processes cannot be stopped and are disabled in the cyber kill chain.
  2. In the displayed sidebar, click the Response Actions tab.
  3. In the Remediate section, click Stop process.

  4. Select one of the following:
    • Stop process (stops the specific process)
    • Stop process tree (stops the specific process and all child processes)
  5. [Optional] Add a comment. This comment is visible in the Activities tab (for a single node or the entire incident), and can help you (or your colleagues) recall why you took the action when you revisit the incident.
  6. Click Stop. The process is stopped.
    The related application is closed and any unsaved data is lost.

    This action can also be viewed in the Activities tabs of both the individual node and the entire incident. For more information, see Understand the actions taken to mitigate an incident.

To quarantine a suspicious process

  1. In the cyber kill chain, click the process node you want to quarantine.
    Windows critical processes cannot be quarantined and are disabled in the cyber kill chain.
  2. In the displayed sidebar, click the Response Actions tab.
  3. In the Remediate section, click Quarantine.

  4. [Optional] Add a comment. This comment is visible in the Activities tab (for a single node or the entire incident), and can help you (or your colleagues) recall why you took the action when you revisit the incident.
  5. Click Quarantine. The process is stopped and then quarantined.
    The process is added to the quarantine section under antimalware protection, where it is managed.

    This action can also be viewed in the Activities tabs of both the individual node and the entire incident. For more information, see Understand the actions taken to mitigate an incident.

To roll back changes

  1. In the cyber kill chain, click the process node whose changes you want to roll back.
    This action is available for detection nodes (shown as red or yellow nodes) only.
  2. In the displayed sidebar, click the Response Actions tab.
  3. In the Remediate section, click Rollback changes.
    The rollback recovers items from the local cache only. Rollback from backup archives will be available in future releases.
  4. To view the items affected by the rollback, click the Affected items link. The displayed dialog lists all items (files, registry entries, scheduled tasks) that the rollback will revert and the action for each (Delete, Recover, or None). It also shows whether each restored item will be recovered from the local cache or from backup recovery points.

  5. [Optional] Add a comment. This comment is visible in the Activities tab (for a single node or the entire incident), and can help you (or your colleagues) recall why you took the action when you revisit the incident.
  6. Click Rollback. The rollback reverts any registry, file, or scheduled task changes made by the process, in the following steps:
    1. Any new entries (registry, scheduled tasks, files) created by the threat (and its child threats) are deleted.
    2. Any modifications that the threat (and its child threats) made to the registry, scheduled tasks and/or files existing on the workload prior to the attack are reverted.
    3. Rollback first tries to recover items from the local cache. Items that cannot be recovered from the cache are recovered automatically by EDR from clean backup images.

    The rollback action can also be viewed in the Activities tabs of both the individual node and the entire incident. For more information, see Understand the actions taken to mitigate an incident.
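To make the rollback logic in step 6 concrete, here is an added Python illustration (not the product's code) that derives, from a recorded change log, the per-item action (Delete, Recover, or None) and recovery source that the Affected items dialog displays. The change log, process tree, local cache and backup contents are all constructed sample data.

```python
from collections import namedtuple

# kind: "file", "registry" or "scheduled_task"; op: "create" or "modify"; pid: process that made it
Change = namedtuple("Change", "kind path op pid")

# Constructed sample data: 100 is the threat process, 101 its child, 200 is unrelated.
CHILDREN = {100: [101], 101: []}
HOSTS, TASK = ("file", r"C:\Windows\System32\drivers\etc\hosts"), ("scheduled_task", r"\Example\Sync")
CHANGES = [
    Change("file", r"C:\Users\Public\dropper.exe", "create", 100),
    Change("registry", r"HKCU\Software\Example\AutoStart", "create", 101),
    Change(*HOSTS, "modify", 100),
    Change(*TASK, "modify", 101),
    Change("file", r"C:\Temp\stage2.dll", "create", 100),
    Change("file", r"C:\Temp\stage2.dll", "modify", 100),       # created by the threat, so still Delete
    Change("file", r"C:\Users\victim\notes.txt", "modify", 100),  # no cached copy and no backup
    Change("file", r"C:\unrelated.log", "modify", 200),           # not in the threat's tree, ignored
]
LOCAL_CACHE = {HOSTS}          # pre-attack copies the agent kept on the workload
BACKUP = {HOSTS, TASK}         # items present in a clean backup recovery point

def process_tree(root, children):
    # pids of the threat and all of its child threats
    seen, todo = set(), [root]
    while todo:
        pid = todo.pop()
        if pid not in seen:
            seen.add(pid)
            todo.extend(children.get(pid, []))
    return seen

def plan_rollback(changes, root_pid, children, cache, backup):
    # (kind, path) -> (action, source), as the Affected items dialog lists them
    tree = process_tree(root_pid, children)
    plan = {}
    for c in changes:
        if c.pid not in tree:
            continue
        key = (c.kind, c.path)
        if c.op == "create":
            plan[key] = ("Delete", None)                      # step 1: new entries are deleted
        elif plan.get(key, (None,))[0] == "Delete":
            continue                                          # created by the threat; deleting it reverts it
        elif key in cache:
            plan[key] = ("Recover", "local cache")            # step 3: local cache first
        elif key in backup:
            plan[key] = ("Recover", "backup recovery point")  # then a clean backup image
        else:
            plan[key] = ("None", None)                        # nothing to restore it from
    return plan
```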