For PLUS and PRO subscribers, AgileBlue has the ability to isolate hosts as well as disable user accounts on Office365 via our API integration. Users can access the Response page to track these actions.
Overview
As AgileBlue adds additional response capabilities via the Cerulean Agent, a Response page has been added to the SOC Management Portal. On this page, users can track which devices are currently isolated, which Office365 accounts are currently disabled, and audit the history of these responsive actions on each device or user account.
From this page, AgileBlue's expert security team can also re-isolate or release devices from isolation, disable listed user accounts, and re-enable them.
Isolated Hosts
Under the Isolated Hosts section of the Response page, users will be able to view a list of all devices within their tenant that have been previously isolated or are currently isolated. The current status of each Server or Workstation will be represented by the following icons:
– Host was previously isolated
– Host is currently isolated
Selecting the dropdown arrow on the left-hand side of the page will display a full history for the corresponding device including actions performed, the user or analyst who performed the action, the timestamp, and related comments.
Clicking on the red isolated host icon will allow an analyst or user to release the host. Clicking on the white "released" icon will allow the user to re-isolate the host.
Disabled Office365 Accounts
Under the Office365 Disabled Users section of the Response page, users will have all of the same capabilities and information provided in the Isolated Hosts section. The current status of each user account will be represented by the following icons:
– Account was previously disabled
– Account is currently disabled
Clicking on the red icon will allow an analyst or user to enable the user account. Clicking on the white white icon will allow the user to disable the selected account.