Explore the response actions available to the Managed Services operations team.
Approval not required
The following response actions do not require approval. The operations team is automatically authorized to perform these actions on your behalf:
- Link or unlink Workbench alerts to incidents
- Add exceptions in Suspicious Object Management
- Add exceptions in Detection Model Management
- Conduct memory dumps of processes running on endpoints

  Note: Process memory dumps on endpoints require remote shell sessions which you must approve. To auto approve operations team requests, see Configure response approval settings.
Automatically approve
You can automate the approval of the following response action requests submitted by the operations team. For instructions on enabling auto approval of requests, see Configure response approval settings.
Critical Actions
| Response Action Name | Description |
| --- | --- |
|  | Adds supported objects such as Secure Hash Algorithm 1 (SHA-1), uniform resource locator (URL), internet protocol (IP) address, or domain objects to the user-defined Suspicious Objects List, which blocks the objects on subsequent detections. |
|  | Collects detailed evidence from specified endpoints to support threat investigation and incident response |
|  | Compresses the selected file detected by the network appliance and Trend Vision One in a password-protected archive and then sends the archive to Response Management. |
|  | Signs the user out of all active application and browser sessions of the user account. This task might take a few minutes to complete. Users are prevented from signing in any new session. |
|  | Disconnects the target endpoint from the network, except for communication with the managing Trend Micro endpoint protection product. |
|  | Adds the email address to the Blocked Sender list in Cloud App Security and quarantines incoming messages. |
|  | Restores network connectivity to an endpoint that already applied the Isolate Endpoint action. |
|  | Performs a one-time scan on one or more endpoints for file-based threats such as viruses, spyware, and grayware. |
|  | Terminates the active process and allows you to terminate the process on all affected endpoints. |
Recommended Actions
| Response Action Name | Description |
| --- | --- |
|  | Compresses the selected network analysis package, including an investigation package, a packet capture (PCAP) file, and a selected file detected by the network appliance, in a password-protected archive and then sends the archive to Response Management. |
| Configure and Deploy TippingPoint Filter Policy | Configures TippingPoint virtual patching filter policies in Intrusion Prevention Configuration and applies the policies on TippingPoint SMS profiles to mitigate common vulnerabilities and exposures (CVE) risks. |
|  | Runs SQL-based queries on specified endpoints to support threat investigation and incident response |
|  | Connects to a monitored endpoint and executes a previously uploaded PowerShell or Bash script file. |
|  | Runs custom YARA rules on specified endpoints to support threat investigation and incident response |
|  | Connects to monitored endpoints to remotely execute commands, custom scripts or process memory dumps for investigation. |
|  | Submits the selected file objects for automated analysis in a sandbox, a secure virtual environment. |