Object-specific actions allow you to directly respond to threats without leaving the Trend Vision One console.
You can take specific actions on events or objects in Trend Vision One. After triggering a response, Response Management creates a task and sends the command
to the target.
The following tables describe the actions you can take on containers,
email messages, endpoints, networks, and user accounts.
 |
ImportantBefore using response actions on virtual machines, follow the agent installer deployment instructions. Cloning your own virtual desktop infrastructure (VDI) machines duplicates agent
IDs and prevents deployed agents from performing response actions.
|
General
|
Action
|
Description
|
Supporting Services
|
|
Add to Block List
|
Adds supported objects such as Secure Hash Algorithm 1 (SHA-1), uniform resource locator
(URL), internet protocol (IP) address, or domain objects to the user-defined Suspicious
Objects List, which blocks the objects on subsequent detections.
Adding an object to the user-defined Suspicious Objects List does not terminate any
active processes or connections to the object. To terminate active processes, ensure
that you also trigger the Terminate response.
For more information, see Add to Block List task.
|
|
|
Collect File
|
Compresses the selected file detected by the network appliance and Trend Vision One in a password-protected archive and then sends the archive to Response Management.
For more information, see Collect File task.
|
|
|
Remove from Block List
|
Removes the File SHA-1, URL, IP address, or Domain object added to the user-defined
Suspicious Objects List through the Add to Block List response action.
For more information, see Remove from Block List task.
|
|
|
Submit for Sandbox Analysis
|
Submits the selected file objects for automated analysis in a sandbox, a secure virtual
environment.
For more information, see Submit for Sandbox Analysis task.
|
|
Container
|
Action
|
Description
|
Supporting Services
|
||
|
Isolate Container
|
Disconnects the containing pod from relevant networks and prevents data transfer into
and out of the pod so the user can limit the spread of suspicious processes within
a container and investigate the causes
For more information, see Isolate Container task.
|
|
||
|
Resume Container
|
Resumes containers within a previously isolated pod.
For more information, see Resume Container task.
|
|
||
|
Terminate Container
|
Stops suspicious behavior of containers within a pod by terminating the containing
pod.
For more information, see Terminate Container task.
|
|
|
Action
|
Description
|
Supporting Services
|
|
Delete Message
|
Deletes the selected email message from the selected mailboxes.
For more information, see Delete Message task.
|
|
|
Quarantine Message
|
Moves the selected email message to the quarantine folder and allows you to quarantine
the message from all affected mailboxes.
For more information, see Quarantine Message task.
|
|
|
Restore Message
|
Restores the selected quarantined email message to the selected mailboxes.
For more information, see Restore Message task.
|
|
Endpoint
|
Action
|
Description
|
Supporting Services
|
||||
|
Collect Evidence
|
Collects forensic evidence from the specified endpoints and uploads the evidence to
Forensics.
For more information, see Collect Evidence task.
|
|
||||
|
Dump Process Memory
|
Directly accesses an endpoint and executes remote shell commands to identify currently
running processes that may be causing suspicious activity during an investigation.
|
|
||||
|
Isolate Endpoint
|
Disconnects the target endpoint from the network, except for communication with the
managing Trend Micro server product.
For more information, see Isolate Endpoint task.
|
|
||||
|
Restore Connection
|
Restores network connectivity to an endpoint that already applied the Isolate Endpoint
action.
For more information, see Restore Connection task.
|
|
||||
|
Run osquery
|
Executes SQL queries using osquery (version 5.7.0) to obtain system information of
the specified endpoints.
For more information, see Run osquery task.
|
|
||||
|
Run Remote Custom Script
|
Connects to a monitored endpoint and executes a previously uploaded PowerShell or
Bash script file.
For more information, see Run Remote Custom Script task.
|
|
||||
|
Run Trend Micro Investigation Kit
|
Deploys and executes the Trend Micro Investigation Kit on target endpoints.
For more information, see Automatically approve response actions.
|
|
||||
|
Run YARA Rules
|
Executes custom YARA rules (version 4.2.3) on the specified endpoints.
For more information, see Run YARA Rules task.
|
|
||||
|
Scan for Malware
|
Performs a one-time scan on one or more endpoints for file-based threats such as viruses,
spyware, and grayware.
For more information, see Scan for Malware task.
|
|
||||
|
Start Remote Shell Session
|
Connects to a monitored endpoint and allows you to execute remote commands or a custom
script file for investigation.
For more information, see Start Remote Shell Session task.
|
|
||||
|
Terminate Process
|
Terminates the active process and allows you to terminate the process on all affected
endpoints.
For more information, see Terminate Process task.
|
|
Network
|
Action
|
Description
|
Supporting Services
|
||||
|
Collect Investigation Package
|
Compresses the selected investigation package, including OpenIOC files describing
Indicators of Compromise identified on the affected host or network, in a password-protected
archive and then sends the archive to Response Management.
|
|
||||
|
Collect Network Analysis Package
|
Compresses the selected network analysis package, including an investigation package,
a packet capture (PCAP) file, and a selected file detected by the network appliance,
in a password-protected archive and then sends the archive to Response Management.
For more information, see Collect Network Analysis Package
task.
|
|
||||
|
Collect PCAP File
|
Compresses the selected Packet Capture file in a password-protected archive and then
sends the archive to Response Management.
|
|
User Account / IAM
|
Action
|
Description
|
Supporting Services
|
||
|
Add to Zscaler Restricted User Group
|
Adds user accounts with a high risk exposure to the Zscaler-defined restricted user
group to allow for Zscaler policy enforcement.
For more information, see Add to Zscaler Restricted User Group
task.
|
|
||
|
Disable User Account
|
Signs the user out of all active application and browser sessions of the user account.
This task might take a few minutes to complete. Users are prevented from signing in
any new session.
For more information, see Disable User Account task.
|
|
||
|
Enable User Account
|
Allows the user to sign in to new application and browser sessions. This task might
take a few minutes to complete.
For more information, see Enable User Account task.
|
|
||
|
Force Password Reset
|
Signs the user out of all active application and browser sessions, and forces the
user to create a new password during the next sign-in attempt. This task might take
a few minutes to complete.
For more information, see Force Password Reset task.
|
|
||
|
Force Sign Out
|
Signs the user out of all active application and browser sessions of the user account.
This task might take a few minutes to complete. Users are not prevented from immediately
signing back in the closed sessions or signing in new sessions.
For more information, see Force Sign Out task.
|
|
||
|
Remove from Zscaler Restricted User Group
|
Removes user accounts from the Zscaler-defined restricted user group.
For more information, see Remove from Zscaler Restricted User Group
task.
|
|
||
|
Revoke Access Permission
|
Revokes the user’s access permission on the Amazon Web Services (AWS) Identity and
Access Management (IAM) service. After revoking the permission, the user can no longer
access any AWS resources. Allow a few minutes for this task to complete.
For more information, see Revoke Access Permission task.
|
|