Bulk Incidents Remediation
The incident response is used to address violated policies which may lead to suspected data breaches such as cyber attacks, security breaches, and more. In order to prevent data breaches, Incident Response provides a systematic approach to recognize and respond to a service disruption or security breach.
To work with bulk remediation for Office 365 groups, see Revoke Collaboration in Office 365 Groups.
Benefits of Remediating Multiple Incidents
Previously, the Policy Incidents page allowed you to remediate at most 100 incidents in a single bulk action. You can now remediate an unlimited number of incidents at once on the Policy Incidents page by applying the appropriate filters and then selecting all matching incidents. The benefits include:
- Accomplish Bulk Actions. You can perform bulk actions to resolve incidents. To apply bulk actions, see Change the Response for Multiple Incidents and Change the Response for Linked Incidents.
- Experience Improved Handling Efficiency. Bulk remediation lets the SOC handle large volumes of incidents with far less manual effort, which saves analyst time and reduces the cost of incident remediation.
- Ensure Comprehensive Security. You can address all potential threats promptly, which improves the overall security posture.
- View Bulk Action Status Bars. Once you start a bulk remediation, the status bar gives a visual indication of the progress of the bulk action, so you can see how far the bulk update has progressed and estimate when it will complete. Based on the state of your bulk action, the Policy Incidents page displays the following status bars:
- Progress Bar. It indicates the number of incidents currently being processed with the percentage of progress.
- If the bulk update is in progress, the new bulk actions are disabled until the update is complete. You need to wait for a few minutes to start new bulk actions.
- Error Bar. It indicates the number of incidents that failed to process during the bulk remediation. To check the failed incidents, filter the facets, and retry the bulk remediation process. For details, see View Failed Incidents for Bulk Incident Remediation.
- Completion Bar. It indicates the number of incidents that have been remediated with the percentage of completion.
Change the Response for Multiple Incidents
To change the response for multiple incidents:
- Go to Incidents > Policy Incidents.
- To narrow your search results on the Policy Incidents table, select the required filters from the Omnibar.
- Select all incidents from the Policy Incidents table and go to Actions > Select Response.
- Select a Response, Status, and Email Template from the menu.
NOTE: The available responses may vary depending on the violation type and the interaction type that triggered the response.
- Click Submit.
The response is validated. If the response is not compatible with the incident, an error message appears. Try choosing a different response.
Once you apply the required response action for multiple incidents, you can view the various status bars on the Policy Incidents page. For details, see View Bulk Action Status Bars.
Change the Response for Linked Incidents
You can change the response for multiple primary incidents to automatically remediate the linked incidents containing the same files. This eliminates the need to manually remediate each linked incident separately, saving time and effort.
For example, a Security Operations Center (SOC) may want to apply remediation actions such as quarantine for multiple DLP incidents with the same files on the Policy Incidents page. To achieve this, the SOC can select Quarantine as the Response to automatically quarantine the same files for multiple DLP incidents concurrently. This enables admins to mitigate linked incidents that contain the same files simultaneously, thereby reducing overall response time and improving operational efficiency in incident management.
To change the response for linked incidents:
- Go to Incidents > Policy Incidents.
- To narrow your search results on the Policy Incidents table, select the required filters from the Omnibar.
- Select the incidents from the Policy Incidents table and go to Actions > Select Response.
- Select a Response, Status, and Email Template from the menu.
NOTE: The available responses may vary depending on the violation type and the interaction type that triggered the response.
- Click Submit.
The response is validated. If the response is not compatible with the incident, an error message appears. Try choosing a different response.
Once you apply the required response action for multiple incidents, you can view the linked incidents that are automatically remediated based on your response action on the Policy Incidents page. For details, see Policy Incidents Page.
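The linked-incident behaviour described above, together with the progress, error and completion counts from View Bulk Action Status Bars, as an added Python model that is not the product's code: incidents are treated as linked when they share a file hash, and the table of which responses are compatible with which violation type is an assumption for the demo.

```python
from dataclasses import dataclass, field

# Constructed model of the bulk-remediation workflow; not the product's code.
# Which responses are compatible with which violation type is an assumption.
COMPATIBLE = {"DLP": {"Quarantine", "Delete", "Notify"}, "Malware": {"Quarantine", "Delete"}}

@dataclass
class Incident:
    id: str
    violation: str          # e.g. "DLP"
    file_hash: str          # incidents sharing a file hash are "linked"
    response: str = "None"
    status: str = "Open"

@dataclass
class BulkResult:
    processed: int = 0      # progress bar: incidents handled so far
    failed: list = field(default_factory=list)   # error bar: incompatible responses
    completed: int = 0      # completion bar: primary incidents remediated
    linked: int = 0         # linked incidents remediated automatically

class IncidentQueue:
    def __init__(self, incidents):
        self.incidents = {i.id: i for i in incidents}
        self.in_progress = False

    def bulk_respond(self, selected_ids, response, status="Resolved"):
        # New bulk actions are disabled while a bulk update is still running.
        if self.in_progress:
            raise RuntimeError("bulk update in progress; new bulk actions are disabled")
        self.in_progress = True
        result = BulkResult()
        selected = set(selected_ids)
        try:
            for iid in selected:
                inc = self.incidents[iid]
                result.processed += 1
                if response not in COMPATIBLE.get(inc.violation, set()):
                    result.failed.append(iid)   # validation error: shown on the error bar
                    continue
                inc.response, inc.status = response, status
                result.completed += 1
                # Linked incidents: same file, not selected, still open -> remediated too.
                for other in self.incidents.values():
                    if other.file_hash == inc.file_hash and other.id not in selected and other.status == "Open":
                        other.response, other.status = response, status
                        result.linked += 1
        finally:
            self.in_progress = False
        return result
```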