Incident Response as a Service (IRaaS)

Incident Response as a Service (IRaaS) is an Avanan offering in which an Avanan analyst assesses and responds to end-user reports and requests on your organization's behalf, relieving your SOC/Help Desk team of these responsibilities. This service provides uninterrupted 24/7 coverage and adheres to a concise SLA, ensuring a prompt response.

Activating IRaaS

After your purchase order is processed, Avanan automatically initiates IRaaS. Subsequently, an Avanan analyst analyzes all your end-user reports and takes preventive actions.

To purchase IRaaS, contact your Avanan representative.

Acting on End User Reports

The Avanan analysts review the email for these end-user reports, determine if they are malicious or benign, and then take actions if required:

  • Phishing emails reported by the end users
    • Malicious email - The analyst approves the user report, and the reported email is removed from the user's mailbox. To remediate the entire campaign, similar emails are also removed from other users' mailboxes.
    • Benign emails - The analyst rejects the user report, and the email remains in the user's mailbox.
    • Inconclusive - If the analyst cannot determine if the email is malicious or benign, the user report will be approved and the email will be treated as malicious.
  • Quarantined email restore requests by the end users
    • Malicious email - The analyst rejects the request, and the email remains in quarantine.
    • Benign emails - The analyst approves the request, and the email is restored to the user's mailbox.
    • Inconclusive - If the analyst cannot determine if the email is malicious or benign, the user request will be approved and the email will be restored to the user's mailbox.

Automatically Quarantining Entire Phishing Campaigns

When an Avanan analyst approves a user reported phishing email, Avanan detects all the emails in the phishing campaign and quarantines them.

Avanan considers an email as part of a phishing campaign when all these characteristics of the email are identical to the reported email.

  • Subject
  • From address
  • Reply-to address
  • SPF result
  • Location in the email thread - If the email has multiple responses between the sender and the recipient, then the serial number of the response must be identical.

    For example, consider an employee of a protected organization received an email (number 1), replied to it (number 2), and then received another response (number 3) from the sender. Now, if the employee reported this response (serial number 3) as phishing, then only other emails that are 3rd in the thread gets quarantined.

Feedback to End Users

The Avanan analysts add a justification for every decision they make. The administrators can configure Avanan to send email notifications containing the justification for rejected quarantine restore requests and approved or rejected phishing reports.

To configure Avanan to send end-user notifications, see Sending Email Notifications to End Users.

Feedback to Administrators

After activating Incident Response as a Service (IRaaS), the administrators receive a daily email containing a summary of all the reports managed by the Avanan analysts.

The report consists of two sections: one for requests to release emails from quarantine and another for phishing emails reported by the user. These sections show various analyzed emails, along with the analyst's justification.

Finding Reports Handled by Avanan Analysts

To view the emails the Avanan analysts managed, go to User Interaction and access Restore Requests or User Reported Phishing. You'll find:

  • The Action by column with the value Avanan analyst are the emails the Avanan analysts handled.

  • The Action Justification column shows the analyst's reason for the action (approve/decline).

From the Events page, you can view the user-reported phishing events. To filter all events resolved by Avanan analysts:

  1. Go to Events.
  2. Apply the filter Avanan analyst for the Remediated by field.

After opening the security event of an email that was handled by an Avanan analyst, the Email Profile card shows the user comment, action taken and additional details.

Event-Profile-Card

Handling Issues with IRaaS

For any issue with IRaaS, contact Avanan Support.