In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts that have attributes in common with the alert you are working on.
You can follow the following recommendations:
Under Qualifying, select Find related alerts by host name. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Update source column. The host name from the alert you are working on is highlighted in yellow.
Under Qualifying, select Find related alerts by IOC. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Detected column, the name of the IOC file from the alert you are working on.
In the Quick response section, select Isolate <host name>. This opens the network isolation rule creation window.
To create a host isolation rule, enter the following settings:
In the Disable isolation in field, enter the time in hours (1 to 9999) during which network isolation of the host will be active.
In the Exceptions to the host isolation rule settings group, in the Traffic direction list, select the direction of network traffic that must not be blocked:
Incoming/Outgoing.
Incoming.
Outgoing.
In the IP field, enter the IP address whose network traffic must not be blocked.
If you selected Incoming or Outgoing, in the Ports field enter the connection ports.
If you want to add more than one exclusion, click Add server and repeat the steps to fill in the Traffic direction, IP and Ports fields.