I hope Part I of Selective Asset/Threat Analysis was useful to you.
Now let us see how to put this feature to work in an automated way – through Queries and Server Tasks, through the Automatic Response System (ARS), and through the default MRA scheduled run.
Queries & Server Task
1. Create a new Risk Advisor query with Result Type ‘Threats’ and Display Type ‘Table’, add a filter (say, Vendor equals Microsoft) and save it.
2. Similarly, create a query with Result Type ‘Managed Systems’ and Display Type ‘Table’, add a filter of your choice (for example, all systems whose Asset Criticality is Critical or Most Critical) and save it. The Display Type must be ‘Table’ in both cases, because a server task can only apply a sub-action to the rows of a table result.
3. Create a new Server Task with the action ‘Run Query’. Choose one of the queries created above, select the sub-action ‘Disable or Enable Threats or Assets’, choose the required ‘Analysis State’ and save it.
Automatic Response System
The server task from the previous section can be triggered by ARS after an event such as ‘Threat Reconciliation End’. The steps below show how.
1. Create a response with Event Group ‘Risk Advisor Threat Events’ and Event Type ‘Threat Reconciliation End’.
2. Choose the action ‘Execute Scheduled Task’ and select the server task created in the previous section.
· One caveat: if the default MRA task is still running when ARS kicks off this server task, the two are not synchronized. For example, the Threat Asset Coverage Analysis step may start before the enable/disable task has completed, so the analysis states you just set would not be reflected in that run’s results.
· Is there a better way? Yes, there is. We suggest the approach in the next section.
Default MRA Server Task
· The better way is to add the ‘Run Query’ action to the default MRA server task itself, so that it always completes before the analysis steps of the same task run, as illustrated below.