Restart a workload

As part of your remediation response to an attack, EDR enables you to immediately restart a workload, or restart the workload according to a predefined timeout period.

To restart a workload

1. In the cyber kill chain, click the workload node you want to set a restart schedule for.
2. In the displayed sidebar, click the Response Actions tab.
3. In the Remediate section, click Restart workload.

   

4. In the Restart timeout field, click the displayed link, and then select one of the following:
   • Set timeout: In the Restart timeout dialog, set the restart period for the workload, and then click Save.
   • Restart immediately: Select to restart the workload immediately.
5. [Optional] Select the Fail if end-user is logged in check box to ensure the workload is not restarted if the user is logged in.
6. In the Message to display field, add a message to display to users when they access the isolated workload.
7. [Optional] In the Comment field, add a comment. This comment is visible in the Activities tab (for a single node or the entire incident), and can help you (or your colleagues) recall why you took the action when you revisit the incident.
8. Click Restart.

   The workload is set to restart according to the schedule defined. This action can also be viewed in the Activities tabs of both the individual node and the entire incident. For more information, see Understand the actions taken to mitigate an incident.