Triage, Review and Whitelist Results

Updated 3 weeks ago by Carl Banzhof

Overview

The RocketCyber console provides a powerful mechanism to review and act on results from RocketApps. We call this process Triage.

Each RocketApp provides an app result or detection whenever a suspicious or malicious event is detected. These app results are aggregated per RocketApp and the counts are displayed on the dashboard as shown below.

Click Review to begin reviewing the app results for the desired app.

Review and whitelisting can be performed at the MSP, Customer or Device level.

This is the main triage interface. Here you can click on Details next to any result to get more details about the detected item. You can also quickly switch between apps using the Switch App dropdown in the top right.

The detail dialog displays important detail information about the detection. You can quickly cycle through the details using the left or right arrow keys or by clicking the arrow in the bottom left or right of the screen.

You can also search for specific detections using the Search feature or the date filters.

Search within Review will search for specific text within the detection details.

If you want to view results only for a specific device, click on the device name in the Review grid. This will change the view to only the results related to that device as shown below.

Whitelisting

Most apps support the concept of whitelisting. This allows you to tune the detection results and ignore acceptable risks or known behavior.

To whitelist an item, first select the items from the review list, then click the Action button.

The Add to Whitelist Screen will be displayed. From here, choose the method of whitelisting. Each app provides different capabilities for whitelisting so the results may be different for your case.

After selecting the whitelist method, click Add. Optionally, you can click Remove Existing Results to delete the results that were just added to the whitelist; otherwise the existing results remain in the review list and only future matching results are suppressed.

Once the items are added to the whitelist they should not be reported in the console from that point forward.
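The following is an added example, not RocketCyber's code and not a description of how the console stores its whitelist. It is a small model of scoped whitelisting: an entry matches only results from the same app whose details contain the entry's text, and only within the level it was created at (MSP, Customer or Device), so a device-level entry does not silence the same behaviour on another device or customer. The `remove_existing` flag models the Remove Existing Results option. All names, fields and sample detections below are constructed for the illustration.

```python
"""Illustrative model of scoped triage whitelisting (added example, not product code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Detection:
    app: str        # RocketApp that produced the result (assumed field)
    customer: str   # customer the device belongs to
    device: str     # device hostname
    details: str    # free text shown in the detail dialog


@dataclass(frozen=True)
class WhitelistEntry:
    app: str                        # entries are per app
    pattern: str                    # substring matched against details
    level: str                      # "msp", "customer" or "device"
    customer: Optional[str] = None  # required for customer/device level
    device: Optional[str] = None    # required for device level

    def covers(self, d: Detection) -> bool:
        """True if this entry suppresses detection d within its scope."""
        if self.app != d.app or self.pattern not in d.details:
            return False
        if self.level == "msp":
            return True
        if self.level == "customer":
            return d.customer == self.customer
        if self.level == "device":
            return d.customer == self.customer and d.device == self.device
        raise ValueError(f"unknown whitelist level: {self.level}")


def add_to_whitelist(existing: List[Detection], whitelist: List[WhitelistEntry],
                     entry: WhitelistEntry, remove_existing: bool = False) -> List[Detection]:
    """Add entry; return the review list after optionally removing covered results."""
    whitelist.append(entry)
    if remove_existing:
        return [d for d in existing if not entry.covers(d)]
    return list(existing)


def report(incoming: Iterable[Detection], whitelist: List[WhitelistEntry]) -> List[Detection]:
    """Results that still reach the console: anything no whitelist entry covers."""
    return [d for d in incoming if not any(e.covers(d) for e in whitelist)]


def search(results: Iterable[Detection], text: str) -> List[Detection]:
    """Model of Search within Review: substring match on the detail text."""
    return [d for d in results if text in d.details]


# Constructed sample results: the same benign parent/child pattern on three
# devices across two customers, plus an unrelated login result.
SAMPLE = [
    Detection("suspicious_processes", "acme", "ACME-WS01", "backup-agent.exe spawned powershell.exe"),
    Detection("suspicious_processes", "acme", "ACME-WS02", "backup-agent.exe spawned powershell.exe"),
    Detection("suspicious_processes", "globex", "GLX-SRV01", "backup-agent.exe spawned powershell.exe"),
    Detection("office365_logins", "acme", "ACME-WS01", "login from unexpected country"),
]


def demo() -> dict:
    """Walk through device-level then customer-level whitelisting of the sample."""
    whitelist: List[WhitelistEntry] = []

    # Device-level entry with Remove Existing Results: only ACME-WS01's result goes.
    device_entry = WhitelistEntry("suspicious_processes", "backup-agent.exe", "device",
                                  customer="acme", device="ACME-WS01")
    kept = add_to_whitelist(SAMPLE, whitelist, device_entry, remove_existing=True)
    after_device = len(kept)

    # Customer-level entry without removal: ACME-WS02's existing result stays listed,
    # but future results for any acme device are suppressed.
    customer_entry = WhitelistEntry("suspicious_processes", "backup-agent.exe", "customer",
                                    customer="acme")
    kept = add_to_whitelist(kept, whitelist, customer_entry, remove_existing=False)

    still_reported = report(SAMPLE, whitelist)  # re-run the sample as "new" results
    return {
        "after_device_whitelist": after_device,
        "after_customer_whitelist": len(kept),
        "new_reported": [d.device for d in still_reported],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of scoping: the device-level entry removes one result, the customer-level entry leaves the other acme result in place (no removal requested) while suppressing new acme matches, and the identical behaviour at globex is still reported because no entry covers that customer.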

Best Practice

It is best practice to perform triage and review on a daily basis, whitelisting as necessary to get to a steady state. When app results are no longer needed it is best to delete them using the review interface.


Powered by HelpDocs