
Isolate Hosts & Disable Office365 Accounts With AgileBlue

AgileBlue can isolate hosts and disable Office365 user accounts via our API integration. There are several ways to initiate these actions, and users can access the Response page to track their containment history.

Overview

By accessing the Response page in the left-hand dropdown in the AgileBlue SecOps platform, users can initiate and track host isolation and Office365 account disablement history. On this page, users can track which devices are currently isolated, which Office365 accounts are currently disabled, and audit the history of these responsive actions on each device or user account.

From this page, AgileBlue's expert security team – or your admin users – can also initiate responsive actions, even if the host or user is not tied to an active case.


Isolated Hosts

Under the Isolated Hosts section of the Response page, users will be able to view a list of all devices within their tenant that have been previously isolated or are currently isolated. The current status of each Server or Workstation will be represented by the following icons:

  • [white "released" icon] – Host was previously isolated
  • [red isolated host icon] – Host is currently isolated

Selecting the dropdown arrow on the left-hand side of the page will display a full history for the corresponding device including actions performed, the user or analyst who performed the action, the timestamp, and related comments.

Clicking on the red isolated host icon will allow an analyst or user to release the host. Clicking on the white "released" icon will allow the user to re-isolate the host.

Additionally, SOC analysts and admin users can add new hosts for isolation by clicking the + sign in the right-hand corner of the Isolated Hosts section. You can also isolate a host by navigating to the Data Sources page and selecting the Workstation or Server icon to the left of the host name.


Disabled Office365 Accounts

Under the Office365 Disabled Users section of the Response page, users will have all of the same capabilities and information provided in the Isolated Hosts section. The current status of each user account will be represented by the following icons:

  • [white icon] – Account was previously disabled
  • [red icon] – Account is currently disabled

Clicking on the red icon will allow an analyst or user to enable the user account. Clicking on the white icon will allow the user to disable the selected account.

Similar to adding hosts for isolation, you can also add Office365 users to be disabled regardless of whether they are tied to an active case. To do this, click the + sign on the Office365 Disabled Users section and type in the full username. Once the user has been added to the list, you can select the lock icon shown above to disable or release the user.