Approving or Rejecting Investigation Tasks

The Pending Tasks tab on the Managed Detection and Response screen displays investigation tasks submitted by the Threat Investigation Center that require manual administrator approval. You can view targets and commands for specific tasks, modify selected targets, and approve or reject selected tasks.

For more information about the Threat Investigation Center task commands that display on the Managed Detection and Response screen, see Threat Investigation Center Task Commands.

Tip:

To view the status of Managed Detection and Response task commands, use the Command Tracking screen.

For more information, see Tracking Managed Detection and Response Task Commands.

Important:

Apex Central only retains investigation task information for 90 days after submission by the Threat Investigation Center.
By default, new investigation tasks that are not approved or rejected within 72 hours of receipt by Apex Central will automatically time out.

For more information about investigation task command statuses, see Threat Investigation Center Command Statuses.

Go to Response > Managed Detection and Response.
The Managed Detection and Response screen appears.

Click the Pending Tasks tab.

A table appears and displays a list of investigation tasks with the following information:

Column	Description
Task Description	The task name manually specified by the Threat Investigation Center administrator
Command	The task command to deploy to selected targets For more information about the Threat Investigation Center task commands that display on the Managed Detection and Response screen, see Threat Investigation Center Task Commands.
Targets	The number of targets for the task
Expiration	The local time on the Apex Central server for when the task will expire Important: By default, new investigation tasks that are not approved or rejected within 72 hours of receipt by Apex Central will automatically time out. For more information about investigation task command statuses, see Threat Investigation Center Command Statuses.

To view targets for a pending task, click the right arrow icon (

) next to the Task Description field.

A table appears and displays the following details:

Column	Description
Endpoint	The name of the target endpoint
IP Address	The IP address of the target endpoint
User	The name of the user that last logged on to the target endpoint
Endpoint Sensor Service	The status of the Endpoint Sensor Service on the target endpoint For more information, see Endpoint Sensor Service Statuses. Important: In order for Apex Central to deploy investigation tasks to a specified target, the Endpoint Sensor Service must be enabled on the target.

To approve pending investigation tasks:
1. Select the check box next to the name of each task that you want to approve.
  Note:
  Selecting a check box for a task selects all targets for that task.
2. Click the right arrow icon () next to a task name to modify selected targets for the task.
  Important:
  In order for Apex Central to deploy investigation tasks to a specified target, the Endpoint Sensor Service must be enabled on the target.
  - Select check box(es) next to the target(s) that you want to include.
  - Clear check box(es) next to the target(s) that you want to exclude.
3. Repeat the previous steps for each pending task.
4. Click Approve.
  Approved tasks display on the Task Tracking tab.
  
  For more information, see Tracking Investigation Tasks.
To reject pending investigation tasks:
1. Select the check box next to the name of each task that you want to reject.
  Note:
  Selecting a check box for a task selects all targets for that task.
2. Click the right arrow icon () next to a task name to modify selected targets for the task.
  - Select check box(es) next to the target(s) that you want to include.
  - Clear check box(es) next to the target(s) that you want to exclude.
3. Repeat the previous steps for each pending task.
4. Click Reject.
  Rejected tasks display on the Task Tracking tab.
  
  For more information, see Tracking Investigation Tasks.