Explore the response actions available to the Managed Services operations team.
Approval not required
The following response actions do not require your approval. The operations team is automatically authorized to perform these actions on your behalf:
- Link or unlink Workbench alerts to or from incidents
- Add exceptions in Suspicious Object Management
- Add exceptions in Detection Model Management
- Conduct memory dumps of processes running on endpoints

Note: Process memory dumps on endpoints require remote shell sessions, which you must approve. For instructions on auto-approving operations team requests, see Configuring Response Approval Settings.
Automatically approved
You can automate the approval of the following response action requests submitted by the operations team. For instructions on enabling auto approval of requests, see Configuring Response Approval Settings.
Critical Actions

| Response Action Name | Description |
|---|---|
| Add Objects to Block List | Adds supported objects such as File SHA-1, URL, IP address, or domain objects to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections |
| | Collects detailed evidence from specified endpoints to support threat investigation and incident response |
| Collect Suspicious File Sample | Compresses the selected file on the endpoint in a password-protected archive and then sends the archive to the Response Management app |
| Disable User Account | Signs the user out of all active application and browser sessions of the user account. It may take a few minutes for the process to complete. Users are prevented from signing in to any new session. |
| Isolate Endpoint | Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product |
| Quarantine Email Message | Adds the email address to the Blocked Sender list in Cloud App Security and quarantines incoming messages |
| Restore Connection | Restores network connectivity to an endpoint that already applied the Isolate Endpoint action |
| Scan for Malware | Performs a one-time scan on one or more endpoints for file-based threats such as viruses, spyware, and grayware |
| Terminate Process | Terminates the active process and allows you to terminate the process on all affected endpoints |
Recommended Actions

| Response Action Name | Description |
|---|---|
| Collect Network Analysis Package | Compresses the selected network analysis package (including an investigation package, a PCAP file, and a selected file detected by the network appliance) in a password-protected archive and then sends the archive to the Response Management app |
| Configure and Deploy TippingPoint Filter Policy | Configures TippingPoint virtual patching filter policies in Intrusion Prevention Configuration and applies the policies on TippingPoint SMS profiles to mitigate CVE risks |
| | Runs SQL-based queries on specified endpoints to support threat investigation and incident response |
| Run Remote Custom Script | Connects to a monitored endpoint and executes a previously uploaded PowerShell or Bash script file |
| | Runs custom YARA rules on specified endpoints to support threat investigation and incident response |
| Start Remote Shell Session | Connects to monitored endpoints to remotely execute commands, custom scripts, or process memory dumps for investigation |
| Submit for Sandbox Analysis | Submits the selected file objects for automated analysis in a sandbox, a secure virtual environment |