Ability to remove enforcement of a policy.
in progress
Scott Riley marked this post as in progress
Scott Riley
Hey Seth, thanks for checking out ISPM! For Security Controls, you can revert/rollback the setting to its previous state.
So if we've enforced something with ISPM, you can go to the Manage page, hit the Action menu and you will find a Revert option there.
You probably did miss it in the UI but that's on us! Right now the Action menu is hidden if Continuous Enforcement is turned on. So if you toggle Continuous Enforcement off, then the Action Menu should appear (see screenshot).
We're going to update the UI experience here to not hide the button.
Seth Mayland
Scott Riley Thanks!
I think I glossed right over that option. I had enabled a Conditional Access policy as a test and then removed the policy from the tenant, which ended up creating an issue where I continued receiving High Severity ISPM alerts for the removed policy.
The only remediation ISPM offered was to reapply the policy, even though I did not want to reapply the policy. Continuous enforcement was not enabled, and I tried a few different ways to clear it: resolving the recommendation, then disabling ISPM on the tenant, followed by removing the policy directly in the tenant, and then re‑enabling ISPM, but every time ISPM ran again, the alert would regenerate. It felt like ISPM was holding onto a stale reference to a Conditional Access policy that had already been removed. What finally worked was disabling ISPM on the tenant and leaving it off overnight. After re‑enabling ISPM this morning, the alerts seemed to have stopped regenerating. I guess giving ISPM enough time to fully reset and drop the orphaned policy reference allowed the tenant posture to re‑baseline correctly. I'll do some more tests in a bit to see if just disabling the policy within ISPM would have saved me a bunch of time!
Super appreciate the Huntress team and this new tool! Great add!