When attacks are detected, you can take immediate action to manage or contain the attackers.

To take action on an attack:

1. On the Investigate page, click an attack icon on the alert graph.

   The attacker details pane opens.

   See image.

   

   Close

2. Click Actions.

   A list of actions that you can take to remediate the threat appears.

   See image.

   

   Close

3. Select an action (e.g., select Contain with Check Point Firewall). You can take the following actions:
   • Contain with a third-party solution.

     Forward the attacker's details to the following security tools or services to contain attackers or devices:

     • CrowdStrike Falcon Insight
     • Threat Protection with Okta AI
     • Zscaler Internet Access (ZIA)
     • Zscaler Private Access (ZPA)

     Before forwarding the attacker's details, make sure that you have enabled the settings for these tools on the Containment page. You can also automate containment using orchestration rules, To learn more, see Creating an Orchestration Rule.

     Close
   • Mark an event or attacker as safe.

     This removes the attacker from the default view in the Zscaler ITDR Admin Portal. You can also automate this action using orchestration rules. To learn more, see Creating an Orchestration Rule.

     • When an attacker is marked as safe, it can take up to an hour for the action to be reflected in the ITDR Admin Portal depending on the number of events associated with the attacker.
     • If you mark an attacker’s IP address as safe, all the past events from that attacker are marked as safe. However, any new events from that IP address are generated and displayed on the Zscaler Deception dashboard.

     • To view events that are marked as safe, click the Select Query drop-down menu and enable Show marked as safe.

       See image.

       

       Close

     Close
   • Create a rule to blocklist the attacker's IP from accessing your decoy.
     When you select the blocklist option, you are redirected to the Blocklist page to create the rule.Close
   • Delete an attacker from the Zscaler ITDR Admin Portal.

     When you delete an attacker, the following details associated with the attacker are removed from the ITDR Admin Portal:

     • All events generated by the attacker in the past.
     • ThreatParse associated with the attacker.

     You can also automate deletion using orchestration rules, To learn more, see Creating an Orchestration Rule.

     Tags associated with the attacker are retained.

     Close
4. In the confirmation window, click OK.