Triage, Review, and Whitelist Results - Connect IT Community | Kaseya
<main> <article class="userContent">
<h2 data-id="learn-about-rocketcyber-s-powerful-result-review-and-triage-tools">Learn about RocketCyber's powerful result review and triage tools</h2>
<h3 data-id="review">Review</h3>
<div data-hs-callout-type="tip"> <p>Review and whitelisting can be performed at the MSP, Customer or Device level.</p> </div>
<p>Each RocketApp produces an app result (a detection) whenever it detects a suspicious or malicious event. These app results are aggregated per RocketApp, and the counts are displayed on the dashboard as shown below.</p>
<p>Click <strong>Review</strong> to begin reviewing the app results for the desired app.</p>
<figure><img src="https://us.v-cdn.net/6032361/uploads/migrated/PC6APTFQDOHY/dashboard-shot-png.png" alt="dashboard-shot-png.png" class="embedImage-img importedEmbed-img"></img></figure>
<div>This is the main triage interface.</div>
<div>Click <strong>Details</strong> next to any result to see more information about the detected item.</div>
<div>Quickly switch between apps using the <strong>Switch App</strong> dropdown in the top right.</div>
<figure><img src="https://us.v-cdn.net/6032361/uploads/migrated/5V9S7CXPU7E4/screen-shot-2020-01-27-at-9-13-27-pm.png" alt="screen-shot-2020-01-27-at-9-13-27-pm.png" class="embedImage-img importedEmbed-img"></img></figure>
<p>The detail dialog displays the important information about the detection.</p>
<p>You can quickly cycle through the details using the left or right arrow keys or by clicking the arrow in the bottom left or right of the screen.</p>
<figure><img src="https://us.v-cdn.net/6032361/uploads/migrated/9SXFB4MQG8WH/screen-shot-2020-01-27-at-9-22-46-pm.png" alt="screen-shot-2020-01-27-at-9-22-46-pm.png" class="embedImage-img importedEmbed-img"></img></figure>
<p>Search for specific detections using the <strong>Search</strong> feature or the date filters.</p>
<p>If you want to view results <em>only for a specific device</em>, click on the device
name in the grid. This will change the view to show only the results related to that device, as shown below.</p>
<figure><img src="https://us.v-cdn.net/6032361/uploads/migrated/5V9S7CXPU7E4/screen-shot-2020-01-27-at-9-13-27-pm.png" alt="screen-shot-2020-01-27-at-9-13-27-pm.png" class="embedImage-img importedEmbed-img"></img></figure>
<h3 data-id="whitelisting">Whitelisting</h3>
<p>Most apps support the concept of whitelisting. This allows you to tune the detection results and ignore acceptable risks or known behavior.</p>
<p>1. Select the items from the review list, then click the <strong>Action</strong> button.</p>
<figure><img src="https://us.v-cdn.net/6032361/uploads/migrated/MJD85QERRPQO/screen-shot-2020-01-27-at-9-25-00-pm.png" alt="screen-shot-2020-01-27-at-9-25-00-pm.png" class="embedImage-img importedEmbed-img"></img></figure>
<p>2. After selecting whitelist rules, click <strong>Add</strong>. Select <strong>Remove Existing Results</strong> to delete existing results that match your new whitelist rule.</p>
<figure><img src="https://us.v-cdn.net/6032361/uploads/migrated/DE1POJ5N968F/screen-shot-2020-01-27-at-9-34-21-pm.png" alt="screen-shot-2020-01-27-at-9-34-21-pm.png" class="embedImage-img importedEmbed-img"></img></figure>
<p>Once the items are added to the whitelist, they should not be reported in the console from that point forward.</p>
<h3 data-id="best-practice">Best Practice</h3>
<p>It is best practice to perform triage and review on a daily basis, whitelisting as necessary to get to a steady state. When app results are no longer needed, it is best to delete them using the review interface.</p>
</article> </main>