Define response actions for a suspicious registry entry

As part of your remediation response to an attack, you can delete suspicious registry entries.

This option is available for registry nodes in the cyber kill chain.

To delete a suspicious registry entry

  1. In the cyber kill chain, click the node you want to remediate.
  2. In the displayed sidebar, click the Response Actions tab.
  3. In the Remediate section, click Delete.
  4. [Optional] Add a comment. This comment is visible in the Activities tab (for a single node or the entire incident), and can help you (or your colleagues) recall why you took the action when you revisit the incident.
  5. Click Delete.

    The registry entry is deleted. You can also view this action in the Activities tab of both the individual node and the entire incident. For more information, see Understand the actions taken to mitigate an incident.