I keep receiving text and email alerts for a published threat. I have acknowledged the threat and marked it as will not be remediated, but I get a text and an email every so often saying that the playbook needs action. I click on the link and it takes me to the threat, but from what I can tell there is nothing for me to do.
When you add a playbook action that requires human approval, you must approve the action(s) on the timeline. In this case, there are three playbook actions that were added that require human approval:
- Isolate the Endpoint
- Delete Registry Entries Marked as Indicators of Compromise
- Delete/Capture Files (IOC)
Click on the "..." to expand the action(s).
Select the action that you would like to perform.
After the action(s) are resolved, you should no longer receive a notification for this threat.