Explore the response actions available to the Managed Services operations team.
Approval not required
The following response actions do not require approval. The operations team is automatically
authorized to perform these actions on your behalf:
-
Link or unlink Workbench alerts to incidents
-
Add exceptions in Suspicious Object Management
-
Add exceptions in Detection Model Management
-
Conduct memory dumps of processes running on endpoints
Note
Process memory dumps on endpoints require remote shell sessions which you must approve. To auto approve operations team requests, see Configuring Response Approval Settings.
Automatically approve
You can automate the approval of the following response action requests submitted
by the
operations team. For instructions on enabling auto approval of requests, see Configuring Response Approval Settings.
Critical Actions
|
Response Action Name
|
Description
|
||
|
Add Objects to Block List
|
Adds supported objects such as File SHA-1, URL, IP address, or domain objects to the
User-Defined Suspicious Objects List, which blocks the objects on subsequent detections.
|
||
|
Collects detailed evidence from specified endpoints to support threat investigation
and incident response
|
|||
|
Collect Suspicious File Sample
|
Compresses the selected file on the endpoint in a password-protected archive and then
sends the archive to Response Management.
|
||
|
Disable User Account
|
Signs the user out of all active application and browser sessions of the user account.
This task might take a few minutes to complete. Users are prevented from signing in
to any new session.
|
||
|
Isolate Endpoint
|
Disconnects the target endpoint from the network, except for communication with the
managing Trend Micro server product.
|
||
|
Quarantine Email Message
|
Adds the email address to the Blocked Sender list in Cloud App Security and quarantines
incoming messages.
|
||
|
Restore Connection
|
Restores network connectivity to an endpoint that already applied the Isolate Endpoint
action.
|
||
|
Scan for Malware
|
Performs a one-time scan on one or more endpoints for file-based threats such as viruses,
spyware, and grayware.
|
||
|
Terminate Process
|
Terminates the active process and allows you to terminate the process on all affected
endpoints.
|
Recommended Actions
|
Response Action Name
|
Description
|
||
|
Collect Network Analysis Package
|
Compresses the selected network analysis package (including an investigation package,
a PCAP file, and a selected file detected by the network appliance) in a password-protected
archive and then sends the archive to Response Management.
|
||
|
Configure and Deploy TippingPoint Filter Policy
|
Configures TippingPoint virtual patching filter policies in Intrusion Prevention Configuration and applies the policies on TippingPoint SMS profiles to mitigate CVE risks.
|
||
|
Runs SQL-based queries on specified endpoints to support threat investigation and
incident response
|
|||
|
Run Remote Custom Script
|
Connects to a monitored endpoint and executes a previously uploaded PowerShell or
Bash script file.
|
||
|
Runs custom YARA rules on specified endpoints to support threat investigation and
incident response
|
|||
|
Start Remote Shell Session
|
Connects to monitored endpoints to remotely execute commands, custom scripts or process
memory dumps for investigation.
|
||
|
Submit for Sandbox Analysis
|
Submits the selected file objects for automated analysis in a sandbox, a secure virtual
environment.
|