Creating policies during your investigation

The way that you add an entity to a policy varies depending on the page that you're on.
Method
Steps
On the Incidents details page
  1. Do either of the following:
    • On the Incident graph, right-click on an entity node, and then select the action.
    • On the Actions bar, click
      Add to Deny List
      or
      Add to Allow List
      .
      A dialog box appears. By default, all eligible entities are selected. Un-select the items that you do not want to take action on, and click to confirm that you want to proceed with the action.
On an entity's details page
On the actions bar, click
Add to Deny List
or
Add to Allow List
.
On the
Search > Database > Entities
page
  1. On the row for the entity that you want to take action on, hover over the actions menu.
  2. Select the action that you want to perform.