Object-specific actions allow you to directly respond to threats without leaving the Trend Vision One console.

You can take specific actions on events or objects in Trend Vision One. After triggering a response, Response Management creates a task and sends the command to the target.
The following tables describe the actions you can take on containers, email messages, endpoints, networks, and user accounts.
Important
Before using response actions on virtual machines, follow the agent installer deployment instructions. Cloning your own virtual desktop infrastructure (VDI) machines duplicates agent IDs and prevents deployed agents from performing response actions.

General

Add to Block List
Adds supported objects such as Secure Hash Algorithm 1 (SHA-1), uniform resource locator (URL), internet protocol (IP) address, or domain objects to the user-defined Suspicious Objects List, which blocks the objects on subsequent detections.
Adding an object to the user-defined Suspicious Objects List does not terminate any active processes or connections to the object. To terminate active processes, ensure that you also trigger the Terminate response.
For more information, see Add to Block List task.
Supporting services:
  • Trend Micro Apex One as a Service
    • Windows agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Linux agent
  • Cloud App Security
  • Deep Discovery Inspector
  • Deep Security

Collect File
Compresses the selected file detected by the network appliance and Trend Vision One in a password-protected archive and then sends the archive to Response Management.
For more information, see Collect File task.
Supporting services:
  • Trend Vision One
    • Windows agent
    • Linux agent
    • macOS agent
  • Trend Micro Apex One as a Service
    • Windows agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Linux agent
    • macOS agent
  • Deep Discovery Inspector
  • Virtual Network Sensor

Remove from Block List
Removes the File SHA-1, URL, IP address, or Domain object added to the user-defined Suspicious Objects List through the Add to Block List response action.
For more information, see Remove from Block List task.
Supporting services:
  • Trend Micro Apex One as a Service
    • Windows agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Linux agent
  • Cloud App Security
  • Deep Discovery Inspector
  • Deep Security

Submit for Sandbox Analysis
Submits the selected file objects for automated analysis in a sandbox, a secure virtual environment.
For more information, see Submit for Sandbox Analysis task.
Supporting services:
  • Trend Vision One
    • Windows agent
    • macOS agent
  • Trend Micro Apex One as a Service
    • Windows agent
    • Linux agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Linux agent
    • macOS agent
  • Deep Discovery Inspector
  • Virtual Network Sensor

Container

Isolate Container
Disconnects the containing pod from relevant networks and prevents data transfer into and out of the pod, so that you can limit the spread of suspicious processes within a container and investigate the cause.
For more information, see Isolate Container task.
Supporting services:
  • Trend Vision One Container Security

Resume Container
Resumes containers within a previously isolated pod.
For more information, see Resume Container task.
Supporting services:
  • Trend Vision One Container Security

Terminate Container
Stops suspicious behavior of containers within a pod by terminating the containing pod.
Important
Terminating a pod destroys evidence of the suspicious behavior and does not prevent the behavior from happening again.
For more information, see Terminate Container task.
Supporting services:
  • Trend Vision One Container Security

Email

Delete Message
Deletes the selected email message from the selected mailboxes.
For more information, see Delete Message task.
Supporting services:
  • Cloud App Security

Quarantine Message
Moves the selected email message to the quarantine folder and allows you to quarantine the message from all affected mailboxes.
For more information, see Quarantine Message task.
Supporting services:
  • Cloud App Security

Restore Message
Restores the selected quarantined email message to the selected mailboxes.
For more information, see Restore Message task.
Supporting services:
  • Cloud App Security

Endpoint

Collect Evidence
Collects forensic evidence from the specified endpoints and uploads the evidence to Forensics.
For more information, see Collect Evidence task.
Supporting services:
  • Trend Vision One
    • Windows agent

Dump Process Memory
Directly accesses an endpoint and executes remote shell commands to identify currently running processes that may be causing suspicious activity during an investigation.
Important
The Dump Process Memory action can only be triggered by the memdump command in a remote shell session on endpoints running Windows or macOS.
For more information on supporting services and contexts for use, see Start Remote Shell Session task.
Note
Use an external decompression program to extract the file contents.
Supporting services:
  • Trend Vision One
    • Windows agent
    • macOS agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • macOS agent

Isolate Endpoint
Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product.
For more information, see Isolate Endpoint task.
Supporting services:
  • Trend Vision One
    • Windows agent
    • Linux agent
    • macOS agent
  • Trend Micro Apex One as a Service
    • Windows agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Linux agent
    • macOS agent

Restore Connection
Restores network connectivity to an endpoint to which the Isolate Endpoint action was previously applied.
For more information, see Restore Connection task.
Supporting services:
  • Trend Vision One
    • Windows agent
    • Linux agent
    • macOS agent
  • Trend Micro Apex One as a Service
    • Windows agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Linux agent
    • macOS agent

Run osquery
Executes SQL queries using osquery (version 5.7.0) to obtain system information from the specified endpoints.
For more information, see Run osquery task.
Supporting services:
  • Trend Vision One
    • Windows agent
    • Linux agent

Run Remote Custom Script
Connects to a monitored endpoint and executes a previously uploaded PowerShell or Bash script file.
For more information, see Run Remote Custom Script task.
Supporting services:
  • Trend Vision One
    • Windows agent
    • macOS agent
    • Linux agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • macOS agent
    • Linux agent

Run Trend Micro Investigation Kit
Deploys and executes the Trend Micro Investigation Kit on target endpoints.
Note
Only the Managed Services operations team can initiate Run Trend Micro Investigation Kit tasks, with your approval. You can approve the request or configure auto approval in the Managed Services app.
For more information, see Automatically approve response actions.
Supporting services:
  • Trend Vision One Endpoint Sensor
    • Windows agent

Run YARA Rules
Executes custom YARA rules (version 4.2.3) on the specified endpoints.
For more information, see Run YARA Rules task.
Supporting services:
  • Trend Vision One
    • Windows agent
    • Linux agent

Scan for Malware
Performs a one-time scan on one or more endpoints for file-based threats such as viruses, spyware, and grayware.
For more information, see Scan for Malware task.
Supporting services:
  • Trend Micro Apex One as a Service
  • Standard Endpoint Protection

Start Remote Shell Session
Connects to a monitored endpoint and allows you to execute remote commands or a custom script file for investigation.
For more information, see Start Remote Shell Session task.
Supporting services:
  • Trend Vision One
    • Windows agent
    • macOS agent
    • Linux agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • macOS agent
    • Linux agent

Terminate Process
Terminates the active process and allows you to terminate the process on all affected endpoints.
For more information, see Terminate Process task.
Note
In certain cases, the remote shell kill command can be used to terminate a process, rather than using the Terminate Process task.
For more information on supporting services and contexts for use, see Start Remote Shell Session task.
Supporting services:
  • Trend Micro Apex One as a Service
    • Windows agent

Network

Collect Investigation Package
Compresses the selected investigation package, including OpenIOC files describing Indicators of Compromise identified on the affected host or network, in a password-protected archive and then sends the archive to Response Management.
Important
To execute the Collect Investigation Package action, you must first enable the Virtual Analyzer in Deep Discovery Inspector.
Supporting services:
  • Deep Discovery Inspector

Collect Network Analysis Package
Compresses the selected network analysis package, including an investigation package, a packet capture (PCAP) file, and a selected file detected by the network appliance, in a password-protected archive and then sends the archive to Response Management.
Important
To execute the Collect Network Analysis Package task, you must first enable the Virtual Analyzer and packet capture function in Deep Discovery Inspector.
Note
The Collect PCAP File action only supports Deep Discovery Inspector 6.5 or above.
For more information, see Collect Network Analysis Package task.
Supporting services:
  • Deep Discovery Inspector

Collect PCAP File
Compresses the selected Packet Capture file in a password-protected archive and then sends the archive to Response Management.
Note
The Collect PCAP File action only supports Deep Discovery Inspector 6.5 or above.
Important
To execute the Collect PCAP File action, you must first enable the packet capture function in Deep Discovery Inspector.
Supporting services:
  • Deep Discovery Inspector

User Account / IAM

Add to Zscaler Restricted User Group
Adds user accounts with a high risk exposure to the Zscaler-defined restricted user group to allow for Zscaler policy enforcement.
Supporting services:
  • Microsoft Entra ID

Disable User Account
Signs the user out of all active application and browser sessions of the user account. This task might take a few minutes to complete. Users are prevented from signing in to any new session.
Note
Not applicable to accounts assigned the Microsoft Entra ID Administrator role.
For more information, see Disable User Account task.
Supporting services:
  • Active Directory (on-premises)
  • Google Cloud Identity
  • Microsoft Entra ID
  • Okta
  • OpenLDAP

Enable User Account
Allows the user to sign in to new application and browser sessions. This task might take a few minutes to complete.
For more information, see Enable User Account task.
Supporting services:
  • Active Directory (on-premises)
  • Google Cloud Identity
  • Microsoft Entra ID
  • Okta
  • OpenLDAP

Force Password Reset
Signs the user out of all active application and browser sessions, and forces the user to create a new password during the next sign-in attempt. This task might take a few minutes to complete.
For more information, see Force Password Reset task.
Supporting services:
  • Active Directory (on-premises)
  • Google Cloud Identity
  • Microsoft Entra ID
  • Okta
  • OpenLDAP

Force Sign Out
Signs the user out of all active application and browser sessions of the user account. This task might take a few minutes to complete. Users are not prevented from immediately signing back in to the closed sessions or signing in to new sessions.
For more information, see Force Sign Out task.
Supporting services:
  • Google Cloud Identity
  • Microsoft Entra ID
  • Okta

Remove from Zscaler Restricted User Group
Removes user accounts from the Zscaler-defined restricted user group.
Supporting services:
  • Microsoft Entra ID

Revoke Access Permission
Revokes the user’s access permission on the Amazon Web Services (AWS) Identity and Access Management (IAM) service. After the permission is revoked, the user can no longer access any AWS resources. Allow a few minutes for this task to complete.
Important
This feature is only available for customers that have updated to the Foundation Services release.
For more information, see Revoke Access Permission task.
Supporting services:
  • AWS