Object-specific actions allow you to directly respond to threats without leaving the Trend Vision One console.

You can take specific actions on events or objects found on the Trend Vision One console. After triggering a response, the Response Management app creates a task and sends the command to the target.
The following tables describe the actions you can take on containers, email messages, endpoints, networks, and user accounts.
Important
If you intend to perform response actions on virtual machines, follow the agent installer deployment instructions carefully. Cloning your own VDI machines duplicates agent IDs, and agents with duplicate IDs cannot perform response actions.

General

Action: Add to Block List
  Description: Adds supported objects such as File SHA-1, URL, IP address, or domain objects to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections.
  Note: Adding an object to the User-Defined Suspicious Objects List does not terminate any active processes or connections to the object. To terminate active processes, ensure that you also trigger the Terminate response.
  For more information, see Add to Block List task.
  Supporting Services:
    • Apex One as a Service
      • Windows agent
    • Cloud App Security
    • Deep Discovery Inspector
    • Deep Security Software

Action: Collect File
  Description: Compresses the selected file detected by the network appliance in a password-protected archive and then sends the archive to the Response Management app.
  Supporting Services:
    • Deep Discovery Inspector
    • Virtual Network Sensor

Action: Remove from Block List
  Description: Removes the File SHA-1, URL, IP address, or domain object added to the User-Defined Suspicious Objects List through the Add to Block List response.
  For more information, see Remove from Block List task.
  Supporting Services:
    • Apex One as a Service
      • Windows agent
    • Cloud App Security
    • Deep Discovery Inspector
    • Deep Security Software

Action: Submit for Sandbox Analysis
  Description: Submits the selected file objects for automated analysis in a sandbox, a secure virtual environment.
  For more information, see Submit for Sandbox Analysis task.
  Supporting Services:
    • Trend Vision One
      • Windows agent
      • Mac agent
    • Apex One as a Service
      • Windows agent
      • Linux agent
    • Deep Discovery Inspector
    • Virtual Network Sensor

Container

Action: Isolate Container
  Description: Allows the user to limit the spread of suspicious processes within a container and investigate the causes by disconnecting the containing pod from relevant networks and preventing data transfer into and out of the pod.
  For more information, see Isolate Container task.

Action: Terminate Container
  Description: Stops suspicious behavior of containers within a pod by terminating the containing pod.
  Important: Terminating a pod destroys evidence of the suspicious behavior and does not prevent the behavior from happening again.
  For more information, see Terminate Container task.

Action: Resume Container
  Description: Resumes containers within a previously isolated pod.
  For more information, see Resume Container task.

Email

Action: Delete Message
  Description: Deletes the selected email message from the selected mailboxes.
  For more information, see Delete Message task.
  Supporting Services:
    • Cloud App Security

Action: Quarantine Message
  Description: Moves the selected email message to the quarantine folder and allows you to quarantine the message from all affected mailboxes.
  For more information, see Quarantine Message task.
  Supporting Services:
    • Cloud App Security

Action: Restore Message
  Description: Restores the selected quarantined email message to the selected mailboxes.
  For more information, see Restore Message task.
  Supporting Services:
    • Cloud App Security

Endpoint

Action: Collect Evidence
  Description: Collects forensic evidence from the specified endpoints and uploads it to the Forensics app.
  For more information, see Collect Evidence task.
  Supporting Services:
    • Trend Vision One
      • Windows agent

Action: Dump Process Memory
  Description: Directly accesses an endpoint and executes remote shell commands to identify currently running processes that may be causing suspicious activity during an investigation.
  Important: The Dump Process Memory action is only triggered by the memdump command through remote shell on endpoints running Windows or macOS.
  Note: Use an external decompression program (such as 7-Zip) to extract the file contents.
  Supporting Services:
    • Trend Vision One
      • Windows agent
      • Mac agent
Action: Isolate Endpoint
  Description: Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product.
  For more information, see Isolate Endpoint task.
  Supporting Services:
    • Trend Vision One
      • Windows agent
      • Linux agent
      • Mac agent
    • Apex One as a Service
      • Windows agent

Action: Restore Connection
  Description: Restores network connectivity to an endpoint that already applied the Isolate Endpoint action.
  For more information, see Restore Connection task.
  Supporting Services:
    • Trend Vision One
      • Windows agent
      • Linux agent
      • Mac agent
    • Apex One as a Service
      • Windows agent

Action: Run osquery
  Description: Executes SQL queries using osquery (version 5.7.0) to obtain system information from the specified endpoints.
  For more information, see Run osquery task.
  Supporting Services:
    • Trend Vision One
      • Windows agent
      • Linux agent

Action: Run Remote Custom Script
  Description: Connects to a monitored endpoint and executes a previously uploaded PowerShell or Bash script file.
  For more information, see Run Remote Custom Script task.
  Supporting Services:
    • Trend Vision One
      • Windows agent
      • Mac agent
      • Linux agent

Action: Run Trend Micro Investigation Kit
  Description: Deploys and executes the Trend Micro Investigation Kit on target endpoints.
  Note: Only the Managed Services operations team can initiate Run Trend Micro Investigation Kit tasks, with your approval. You can approve the request or configure auto approval in the Managed Services app.
  For more information, see Automatically approved response actions.
  Supporting Services:
    • Trend Vision One Endpoint Sensor
      • Windows agent

Action: Run YARA rules
  Description: Executes custom YARA rules (version 4.2.3) on the specified endpoints.
  For more information, see Run YARA Rules task.
  Supporting Services:
    • Trend Vision One
      • Windows agent
      • Linux agent

Action: Scan for Malware
  Description: Performs a one-time scan on one or more endpoints for file-based threats such as viruses, spyware, and grayware.
  For more information, see Scan for Malware task.
  Supporting Services:
    • Trend Micro Apex One as a Service
    • Standard Endpoint Protection

Action: Terminate Process
  Description: Terminates the active process and allows you to terminate the process on all affected endpoints.
  For more information, see Terminate Process task.
  Supporting Services:
    • Apex One as a Service
      • Windows agent

Network

Action: Collect Investigation Package
  Description: Compresses the selected investigation package, which includes OpenIOC files describing Indicators of Compromise identified on the affected host or network, in a password-protected archive and then sends the archive to the Response Management app.
  Important: To execute the Collect Investigation Package action, you must first enable the Virtual Analyzer in Deep Discovery Inspector.
  Supporting Services:
    • Deep Discovery Inspector

Action: Collect Network Analysis Package
  Description: Compresses the selected network analysis package (including an investigation package, a PCAP file, and a selected file detected by the network appliance) in a password-protected archive and then sends the archive to the Response Management app.
  For more information, see Collect Network Analysis Package task.
  Important: To execute the Collect Network Analysis Package task, you must first enable the Virtual Analyzer and packet capture function in Deep Discovery Inspector.
  Note: The Collect PCAP File action only supports Deep Discovery Inspector 6.5 or above.
  Supporting Services:
    • Deep Discovery Inspector

Action: Collect PCAP File
  Description: Compresses the selected Packet Capture file in a password-protected archive and then sends the archive to the Response Management app.
  Note: The Collect PCAP File action only supports Deep Discovery Inspector 6.5 or above.
  Important: To execute the Collect PCAP File action, you must first enable the packet capture function in Deep Discovery Inspector.
  Supporting Services:
    • Deep Discovery Inspector

User Account / IAM

Action: Disable User Account
  Description: Signs the user out of all active application and browser sessions of the user account and prevents the user from signing in to any new session. It may take a few minutes for the process to complete.
  Note: Not applicable to accounts assigned the Microsoft Entra ID Administrator role.
  For more information, see Disable User Account task.
  Supporting Services:
    • Microsoft Entra ID
    • Active Directory (on-premises)
    • Okta
    • OpenLDAP

Action: Enable User Account
  Description: Allows the user to sign in to new application and browser sessions. It may take a few minutes for the process to complete.
  For more information, see Enable User Account task.
  Supporting Services:
    • Microsoft Entra ID
    • Active Directory (on-premises)
    • Okta
    • OpenLDAP

Action: Force Password Reset
  Description: Signs the user out of all active application and browser sessions and forces the user to create a new password during the next sign-in attempt. It may take a few minutes for the process to complete.
  For more information, see Force Password Reset task.
  Supporting Services:
    • Microsoft Entra ID
    • Active Directory (on-premises)
    • Okta
    • OpenLDAP

Action: Force Sign Out
  Description: Signs the user out of all active application and browser sessions of the user account. It may take a few minutes for the process to complete. The user is not prevented from immediately signing back in to the closed sessions or signing in to new sessions.
  For more information, see Force Sign Out task.
  Supporting Services:
    • Microsoft Entra ID
    • Okta

Action: Revoke Access Permission
  Description: Revokes the user's access permission on the AWS Identity and Access Management (IAM) service. After the permission is revoked, the user can no longer access any AWS resources. Allow a few minutes for this task to complete.
  Important: This feature is only available for customers that have updated to the Foundation Services release.
  For more information, see Revoke Access Permission task.
  Supporting Services:
    • AWS