Executing an Automated Threat Response Plan Using Arlie Recover

You can use Arlie Recover to execute an automated threat response plan to review critical or high-risk virtual machines flagged by threat detection, and automatically initiate an orchestrated cyber restore workflow.

Note

To view Arlie Recover recommendations and initiate a response plan, you must enable the Arlie Recover additional setting in your environment. For more information, contact earlyadopter@commvault.com.

Prerequisites

  • The Arlie Recover additional setting must be enabled (see note above).

  • A Threat Scan or Threat Analysis job must have run and detected anomalies or threats on the virtual machines.

  • You must have access to Threat Scan (Security Services > Threat Scan).

  • A destination hypervisor must be available to serve as the restore target.

  • For complete clean room setup requirements, see Cleanroom recovery: Isolated recovery environments (IREs) for cyber resilience.

Activating Arlie Recover for Cyber Recovery

  1. Go to the Threat Scan dashboard.

  2. Click View Response Plans.

    The Threat response plans page appears. The Suggested response plans tab shows recommendations for resources that are critically affected.

Reviewing and Approving Recovery Actions

  1. For the affected virtual server, click the Action button, and then click Review & execute.

    The Security Agent Workspace wizard appears.

  2. Select a data aging option.

    For example, you can disable data aging for 90 days, set a custom duration, or leave the data aging settings untouched.

  3. Click Next.

  4. Select the Automatic restore point option.

    This option allows the system to automatically pick the most recent clean version for the restore.

  5. Click Next.

Clean Room and Runbook Configuration

  1. Select Create a new Cleanroom target.

  2. In the Cleanroom name box, enter a name for the clean room.

    Warning

    The clean room name that you enter dictates the name of the generated runbook.

  3. In the Target name box, enter a name for the target.

  4. From the Destination hypervisor list, select the destination where the virtual machine will be restored.

  5. Click Next.

Executing the Response Plan

  1. Leave the recommended validation tools enabled.

    By default, the options to run Threat Scan and Windows Defender after the restore job are enabled.

  2. Click Next.

  3. Review the configuration details.

  4. Click Execute.

    Backend automation will create the clean room site, generate the runbook, and run the restore job.

Retrying Executed Plans

If a response plan has already been executed for a virtual machine, you can retry it to access the setup screens again without generating new anomalies.

  1. From the Threat response plans page, click the Executed response plans tab.

  2. For the plan that you want to retry, click the Action button, and then select Retry.
