Object-specific actions allow you to directly respond to threats without leaving the Trend Vision One console.

You can take specific actions on events or objects found on the Trend Vision One console. After triggering a response, the Response Management app creates a task and sends the command to the target.
The following tables describe the actions you can take on containers, email messages, endpoints, networks, and user accounts.
Important
If you intend to perform response actions on virtual machines, follow the agent installer deployment instructions carefully. Cloning your own VDI machines duplicates agent IDs, and agents with duplicate IDs cannot perform response actions.

General

Action
Description
Supporting Services
Add to Block List
Adds a supported object (file SHA-1, URL, IP address, or domain) to the User-Defined Suspicious Objects List, which blocks the object on subsequent detections
Note
Adding an object to the User-Defined Suspicious Objects List does not terminate processes or connections that are already active. To terminate active processes, also trigger the Terminate Process response.
For more information, see Add to Block List task.
  • Apex One as a Service
    • Windows agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Linux agent
  • Cloud App Security
  • Deep Discovery Inspector
  • Deep Security Software
Collect File
Compresses the selected file (detected on an endpoint or by a network appliance) in a password-protected archive and then sends the archive to the Response Management app
  • Trend Vision One
    • Windows agent
    • Linux agent
    • Mac agent
  • Apex One as a Service
    • Windows agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Linux agent
    • Mac agent
  • Deep Discovery Inspector
  • Virtual Network Sensor
Remove from Block List
Removes a file SHA-1, URL, IP address, or domain object that was added to the User-Defined Suspicious Objects List through the Add to Block List response
For more information, see Remove from Block List task.
  • Apex One as a Service
    • Windows agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Linux agent
  • Cloud App Security
  • Deep Discovery Inspector
  • Deep Security Software
Submit for Sandbox Analysis
Submits the selected file objects for automated analysis in a sandbox, a secure virtual environment
For more information, see Submit for Sandbox Analysis task.
  • Trend Vision One
    • Windows agent
    • Mac agent
  • Apex One as a Service
    • Windows agent
    • Linux agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Linux agent
    • Mac agent
  • Deep Discovery Inspector
  • Virtual Network Sensor

Container

Action
Description
Supporting Services
Isolate Container
Allows the user to limit the spread of suspicious processes within a container and investigate the causes by disconnecting the containing pod from relevant networks and preventing data transfer into and out of the pod. For more information, see Isolate Container task.
  • Trend Vision One Container Security
Terminate Container
Stops suspicious behavior of containers within a pod by terminating the containing pod. For more information, see Terminate Container task.
Important
Terminating a pod destroys evidence of the suspicious behavior and does not prevent the behavior from happening again.
  • Trend Vision One Container Security
Resume Container
Resumes containers within a previously isolated pod. For more information, see Resume Container task.
  • Trend Vision One Container Security

Email

Action
Description
Supporting Services
Delete Message
Deletes the selected email message from the selected mailboxes
For more information, see Delete Message task.
  • Cloud App Security
Quarantine Message
Moves the selected email message to the quarantine folder and allows you to quarantine the message from all affected mailboxes
For more information, see Quarantine Message task.
  • Cloud App Security
Restore Message
Restores the selected quarantined email message to the selected mailboxes
For more information, see Restore Message task.
  • Cloud App Security

Endpoint

Action
Description
Supporting Services
Collect Evidence
Collects forensic evidence from the specified endpoints and uploads it to the Forensics app.
For more information, see Collect Evidence task.
  • Trend Vision One
    • Windows agent
Dump Process Memory
Connects to an endpoint through remote shell and dumps the memory of a running process that may be causing suspicious activity, so you can examine it during an investigation
Important
The Dump Process Memory action is only triggered by the memdump command through remote shell on endpoints running Windows or macOS.
Note
The dump is delivered as a compressed archive. Use an external decompression program (such as 7-Zip) to extract the file contents.
  • Trend Vision One
    • Windows agent
    • Mac agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Mac agent
Isolate Endpoint
Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product
For more information, see Isolate Endpoint task.
  • Trend Vision One
    • Windows agent
    • Linux agent
    • Mac agent
  • Apex One as a Service
    • Windows agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Linux agent
    • Mac agent
Restore Connection
Restores network connectivity to an endpoint to which the Isolate Endpoint action was previously applied
For more information, see Restore Connection task.
  • Trend Vision One
    • Windows agent
    • Linux agent
    • Mac agent
  • Apex One as a Service
    • Windows agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Linux agent
    • Mac agent
Run osquery
Executes SQL queries using osquery (version 5.7.0) to obtain system information from the specified endpoints.
For more information, see Run osquery task.
  • Trend Vision One
    • Windows agent
    • Linux agent
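As an added example (not from the Trend Micro documentation), the following is an osquery statement of the kind you could submit with Run osquery. It lists every process that holds a listening TCP socket, together with the owning user and the SHA-1 of the process executable, so that an unexpected listener can be tied back to a file hash that Add to Block List accepts. The processes, listening_ports, users, and hash tables are standard osquery tables present in 5.7.0 on Windows and Linux; the loopback-address exclusion is an assumption about what an analyst would want filtered out.

```sql
-- Added example, not part of the Trend Vision One documentation.
-- Listening TCP sockets joined to their owning process, the account
-- that started it, and the SHA-1 of the executable on disk.
-- Assumption: loopback-only listeners are excluded as low interest.
SELECT
    p.pid,
    p.name,
    p.path,
    p.cmdline,
    u.username,
    lp.address  AS listen_address,
    lp.port     AS listen_port,
    h.sha1      AS executable_sha1
FROM processes p
JOIN listening_ports lp ON lp.pid = p.pid
LEFT JOIN users u       ON u.uid = p.uid
LEFT JOIN hash h        ON h.path = p.path      -- hash requires a path constraint; the join supplies it
WHERE lp.protocol = 6                           -- 6 = TCP
  AND lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port, p.pid;
```

The executable_sha1 column is the value you would supply as a File SHA-1 object to Add to Block List once you have confirmed the listener is malicious; a LEFT JOIN on hash keeps rows whose executable has already been removed from disk, in which case the hash column is NULL.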
Run Remote Custom Script
Connects to a monitored endpoint and executes a previously uploaded PowerShell or Bash script file
For more information, see Run Remote Custom Script task.
  • Trend Vision One
    • Windows agent
    • Mac agent
    • Linux agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Mac agent
    • Linux agent
Run Trend Micro Investigation Kit
Deploys and executes the Trend Micro Investigation Kit on target endpoints
Note
Only the Managed Services operations team can initiate Run Trend Micro Investigation Kit tasks, with your approval. You can approve the request or configure auto approval in the Managed Services app.
For more information, see Automatically approved response actions.
  • Trend Vision One Endpoint Sensor
    • Windows agent
Run YARA rules
Executes custom YARA rules (version 4.2.3) on the specified endpoints.
For more information, see Run YARA Rules task.
  • Trend Vision One
    • Windows agent
    • Linux agent
Scan for Malware
Performs a one-time scan on one or more endpoints for file-based threats such as viruses, spyware, and grayware. For more information, see Scan for Malware task.
  • Trend Micro Apex One as a Service
  • Standard Endpoint Protection
Start Remote Shell Session
Connects to a monitored endpoint and allows you to execute remote commands or a custom script file for investigation
For more information, see Start Remote Shell Session task.
  • Trend Vision One
    • Windows agent
    • Mac agent
    • Linux agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Mac agent
    • Linux agent
Terminate Process
Terminates the active process and allows you to terminate the process on all affected endpoints
For more information, see Terminate Process task.
Note
In certain cases, the remote shell kill command can be used to terminate a process, rather than using the Terminate Process task.
For more information on supporting services and contexts for use, see Start Remote Shell Session task.
  • Apex One as a Service
    • Windows agent

Network

Action
Description
Supporting Services
Collect Investigation Package
Compresses the selected investigation package in a password-protected archive and then sends the archive to the Response Management app. The package includes OpenIOC files describing the Indicators of Compromise identified on the affected host or network.
Important
To execute the Collect Investigation Package action, you must first enable the Virtual Analyzer in Deep Discovery Inspector.
  • Deep Discovery Inspector
Collect Network Analysis Package
Compresses the selected network analysis package (including an investigation package, a PCAP file, and a selected file detected by the network appliance) in a password-protected archive and then sends the archive to the Response Management app
For more information, see Collect Network Analysis Package task.
Important
To execute the Collect Network Analysis Package task, you must first enable the Virtual Analyzer and packet capture function in Deep Discovery Inspector.
Note
The Collect PCAP File action only supports Deep Discovery Inspector 6.5 or above.
  • Deep Discovery Inspector
Collect PCAP File
Compresses the selected Packet Capture file in a password-protected archive and then sends the archive to the Response Management app
Note
The Collect PCAP File action only supports Deep Discovery Inspector 6.5 or above.
Important
To execute the Collect PCAP File action, you must first enable the packet capture function in Deep Discovery Inspector.
  • Deep Discovery Inspector

User Account / IAM

Action
Description
Supporting Services
Disable User Account
Signs the user out of all active application and browser sessions of the user account and prevents the user from signing in to any new session. It may take a few minutes for the process to complete.
Note
Not applicable to accounts assigned the Microsoft Entra ID Administrator role.
For more information, see Disable User Account task.
  • Microsoft Entra ID
  • Active Directory (on-premises)
  • Okta
  • OpenLDAP
Enable User Account
Allows the user to sign in to new application and browser sessions. It may take a few minutes for the process to complete.
For more information, see Enable User Account task.
  • Microsoft Entra ID
  • Active Directory (on-premises)
  • Okta
  • OpenLDAP
Force Password Reset
Signs the user out of all active application and browser sessions, and forces the user to create a new password during the next sign-in attempt. It may take a few minutes for the process to complete.
For more information, see Force Password Reset task.
  • Microsoft Entra ID
  • Active Directory (on-premises)
  • Okta
  • OpenLDAP
Force Sign Out
Signs the user out of all active application and browser sessions of the user account. It may take a few minutes for the process to complete. The user is not prevented from immediately signing back in or starting new sessions.
For more information, see Force Sign Out task.
  • Microsoft Entra ID
  • Okta
Revoke Access Permission
Revokes the user's access permissions in AWS Identity and Access Management (IAM). After the permissions are revoked, the user can no longer access any AWS resources. Allow a few minutes for this task to complete.
Important
This feature is only available for customers that have updated to the Foundation Services release.
For more information, see Revoke Access Permission task.
  • AWS
Add to Zscaler Restricted User Group
Adds user accounts with a high risk exposure to the Zscaler-defined restricted user group to allow for Zscaler policy enforcement
  • Microsoft Entra ID
Remove from Zscaler Restricted User Group
Removes user accounts from the Zscaler-defined restricted user group
  • Microsoft Entra ID