Define how the Unit 42 Managed Services team operates within your environment by setting a permission level for each response action on each asset type.
The actions permissions matrix on the General tab governs eight response actions. Each action is configured independently for the Server asset type and the Workstation asset type, so stricter controls can be applied to higher-criticality assets.
Permission levels
There are three permission levels to choose from:
| Permission level | Description |
|---|---|
| Inform | Requires approval from your designated escalation contacts before any action is taken. No action will be performed until approval is received. |
| No | Does not authorize our team to perform the specified action in your environment. |
| Yes | Authorizes our team to act without prior approval. |
Note
When a permission level is set to Inform, configure at least one entry on the Escalation contacts tab so the Unit 42 Managed Services team can request approval before performing the action.
Response actions
Set the permission level for each of the response actions for Server and Workstation.
| Action | Description |
|---|---|
| Retrieve endpoint files | Extract files from a managed asset for forensic analysis. |
| Initiate live terminal | Open an interactive terminal session on a managed asset for investigation. |
| Isolate endpoint | Disconnect a managed asset from the network to contain a threat. |
| Run endpoint script | Execute a script on a managed asset for remediation or data collection. |
| Destroy file | Permanently delete a file from a managed asset. This action is irreversible. |
| Retrieve technical support files | Collect system logs and diagnostic data from a managed asset. |
| Terminate process | Stop a running process on a managed asset. |
| Quarantine files | Isolate a file to prevent execution while preserving the file for analysis. |
The Unit 42 Managed Services team operates in accordance with the configured permission level for each response action on each asset type. Actions set to Inform trigger an approval request to the escalation contacts before execution. Actions set to No are not performed.