Object-specific actions allow you to directly respond to threats without leaving the Trend Vision One console.

You can take specific actions on events or objects found on the Trend Vision One console. After triggering a response, the Response Management app creates a task and sends the command to the target.
The following tables describe the actions you can take on containers, email messages, endpoints, networks, and user accounts.

User Account / IAM

Action: Disable User Account
Description: Signs the user out of all active application and browser sessions of the user account. It may take a few minutes for the process to complete. The user is prevented from signing in to any new session.
Note: Not applicable to accounts assigned the Microsoft Entra ID Administrator role.
For more information, see Disable User Account task.
Supporting services:
  • Microsoft Entra ID
  • Active Directory (on-premises)
  • Okta
  • OpenLDAP

Action: Enable User Account
Description: Allows the user to sign in to new application and browser sessions. It may take a few minutes for the process to complete.
For more information, see Enable User Account task.
Supporting services:
  • Microsoft Entra ID
  • Active Directory (on-premises)
  • Okta
  • OpenLDAP

Action: Force Password Reset
Description: Signs the user out of all active application and browser sessions and forces the user to create a new password during the next sign-in attempt. It may take a few minutes for the process to complete.
For more information, see Force Password Reset task.
Supporting services:
  • Microsoft Entra ID
  • Active Directory (on-premises)
  • Okta
  • OpenLDAP

Action: Force Sign Out
Description: Signs the user out of all active application and browser sessions of the user account. It may take a few minutes for the process to complete. The user is not prevented from immediately signing back in to the closed sessions or signing in to new sessions.
For more information, see Force Sign Out task.
Supporting services:
  • Microsoft Entra ID
  • Okta

Action: Revoke Access Permission
Description: Revokes the user's access permission on the AWS Identity and Access Management (IAM) service. After the permission is revoked, the user can no longer access any AWS resources. Allow a few minutes for this task to complete.
Important: This feature is only available for customers that have updated to the Foundation Services release.
For more information, see Revoke Access Permission task.
Supporting services:
  • AWS

Network

Action: Add to Block List
Description: Adds supported objects (File SHA-1, URL, IP address, or domain objects) to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections.
Important: Adding an object to the User-Defined Suspicious Objects List does not terminate any active processes or connections to the object. To terminate active processes, ensure that you also trigger the Terminate response.
For more information, see Add to Block List task.
Supporting services:
  • Apex One as a Service
    • Windows agent
    • Linux agent
  • Cloud App Security
  • Deep Discovery Inspector
  • Deep Security Software

Action: Collect File
Description: Compresses the selected file detected by the network appliance in a password-protected archive and then sends the archive to the Response Management app.
Supporting services:
  • Deep Discovery Inspector

Action: Collect Investigation Package
Description: Compresses the selected investigation package, which includes OpenIOC files describing the Indicators of Compromise identified on the affected host or network, in a password-protected archive and then sends the archive to the Response Management app.
Important: To execute the Collect Investigation Package action, you must first enable the Virtual Analyzer in Deep Discovery Inspector.
Supporting services:
  • Deep Discovery Inspector

Action: Collect Network Analysis Package
Description: Compresses the selected network analysis package (including an investigation package, a PCAP file, and a selected file detected by the network appliance) in a password-protected archive and then sends the archive to the Response Management app.
For more information, see Collect Network Analysis Package task.
Important: To execute the Collect Network Analysis Package task, you must first enable the Virtual Analyzer and the packet capture function in Deep Discovery Inspector.
Note: The Collect PCAP File action only supports Deep Discovery Inspector 6.5 or above.
Supporting services:
  • Deep Discovery Inspector

Action: Collect PCAP File
Description: Compresses the selected packet capture (PCAP) file in a password-protected archive and then sends the archive to the Response Management app.
Note: The Collect PCAP File action only supports Deep Discovery Inspector 6.5 or above.
Important: To execute the Collect PCAP File action, you must first enable the packet capture function in Deep Discovery Inspector.
Supporting services:
  • Deep Discovery Inspector

Action: Remove from Block List
Description: Removes a File SHA-1, URL, IP address, or domain object that was added to the User-Defined Suspicious Objects List through the Add to Block List response.
For more information, see Remove from Block List task.
Supporting services:
  • Apex One as a Service
    • Windows agent
    • Linux agent
  • Cloud App Security
  • Deep Discovery Inspector
  • Deep Security Software

Action: Submit for Sandbox Analysis
Description: Submits the selected file objects for automated analysis in a sandbox, a secure virtual environment.
For more information, see Submit for Sandbox Analysis task.
Supporting services:
  • Trend Vision One
    • Windows agent
    • Mac agent
  • Apex One as a Service
    • Windows agent
    • Linux agent
    • Mac agent
  • Deep Discovery Inspector

Endpoint

Action: Add to Block List
Description: Adds supported objects (File SHA-1, URL, IP address, or domain objects) to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections.
Important: Adding an object to the User-Defined Suspicious Objects List does not terminate any active processes or connections to the object. To terminate active processes, ensure that you also trigger the Terminate response.
For more information, see Add to Block List task.
Supporting services:
  • Apex One as a Service
    • Windows agent
    • Linux agent
  • Cloud App Security
  • Deep Security Software

Action: Collect Evidence
Description: Collects forensic evidence from the specified endpoints and uploads it to the Forensics app.
For more information, see Collect Evidence task.
Supporting services:
  • Trend Vision One
    • Windows agent

Action: Collect File
Description: Compresses the selected file on the endpoint in a password-protected archive and then sends the archive to the Response Management app.
For more information, see Collect File task.
Supporting services:
  • Trend Vision One
    • Windows agent
    • Mac agent
    • Linux agent
  • Apex One as a Service
    • Windows agent
    • Linux agent
    • Mac agent

Action: Isolate Endpoint
Description: Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product.
For more information, see Isolate Endpoint task.
Supporting services:
  • Trend Vision One
    • Windows agent
    • Linux agent
    • Mac agent
  • Apex One as a Service
    • Windows agent
    • Linux agent
    • Mac agent

Action: Remove from Block List
Description: Removes a File SHA-1, URL, IP address, or domain object that was added to the User-Defined Suspicious Objects List through the Add to Block List response.
For more information, see Remove from Block List task.
Supporting services:
  • Apex One as a Service
    • Windows agent
    • Linux agent
  • Cloud App Security
  • Deep Security Software

Action: Restore Connection
Description: Restores network connectivity to an endpoint to which the Isolate Endpoint action was previously applied.
For more information, see Restore Connection task.
Supporting services:
  • Trend Vision One
    • Windows agent
    • Linux agent
    • Mac agent
  • Apex One as a Service
    • Windows agent
    • Linux agent
    • Mac agent

Action: Run osquery
Description: Executes SQL queries using osquery (version 5.7.0) to obtain system information from the specified endpoints.
For more information, see Run osquery task.
Supporting services:
  • Trend Vision One
    • Windows agent
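The following query illustrates the kind of SQL the Run osquery action executes on an endpoint. It is an added example and is not taken from the Trend Vision One documentation or from Trend Micro's own content. It assumes osquery's standard `processes`, `listening_ports` and `hash` tables, which exist in osquery 5.7.0 on Windows; the exclusion of loopback addresses and the column selection are choices made for this example.

```sql
-- Added example (not from the Trend Vision One documentation).
-- Triage query: every process that holds a listening socket on a
-- non-loopback address, together with the SHA-1 of its executable, so
-- the result can be checked against the User-Defined Suspicious
-- Objects List or used to pick a target for Terminate Process.
SELECT
    p.pid,
    p.name,
    p.path,
    p.cmdline,
    p.parent      AS parent_pid,
    lp.address,
    lp.port,
    lp.protocol,  -- 6 = TCP, 17 = UDP
    h.sha1
FROM listening_ports AS lp
JOIN processes AS p
    ON p.pid = lp.pid
LEFT JOIN hash AS h
    ON h.path = p.path      -- hash table requires a path constraint
WHERE lp.port <> 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port, p.pid;
```

The `hash` table is a virtual table that only returns rows when a path is supplied, which is why it is joined on `p.path` rather than scanned; the LEFT JOIN keeps processes whose binary can no longer be read (for example, a deleted-on-disk executable) in the result with a NULL `sha1`, which is itself a useful signal during triage.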
Action: Run Remote Custom Script
Description: Connects to a monitored endpoint and executes a previously uploaded PowerShell or Bash script file.
For more information, see Run Remote Custom Script task.
Supporting services:
  • Trend Vision One
    • Windows agent
    • Mac agent
    • Linux agent

Action: Run YARA rules
Description: Executes custom YARA rules (version 4.2.3) on the specified endpoints.
For more information, see Run YARA Rules task.
Supporting services:
  • Trend Vision One
    • Windows agent

Action: Submit for Sandbox Analysis
Description: Submits the selected file objects for automated analysis in a sandbox, a secure virtual environment.
For more information, see Submit for Sandbox Analysis task.
Supporting services:
  • Trend Vision One
    • Windows agent
    • Mac agent
  • Apex One as a Service
    • Windows agent
    • Linux agent
    • Mac agent

Action: Terminate Process
Description: Terminates the active process and allows you to terminate the same process on all affected endpoints.
For more information, see Terminate Process task.
Supporting services:
  • Apex One as a Service
    • Windows agent

Action: Scan for Malware
Description: Performs a one-time scan on one or more endpoints for file-based threats such as viruses, spyware, and grayware.
For more information, see Scan for Malware task.
Supporting services:
  • Trend Micro Apex One as a Service
  • Standard Endpoint Protection

Email

Action: Add to Block List
Description: Adds supported objects (File SHA-1, URL, IP address, or domain objects) to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections.
Important: Adding an object to the User-Defined Suspicious Objects List does not terminate any active processes or connections to the object. To terminate active processes, ensure that you also trigger the Terminate response.
For more information, see Add to Block List task.
Supporting services:
  • Apex One as a Service
    • Windows agent
    • Linux agent
  • Cloud App Security
  • Deep Security Software

Action: Delete Message
Description: Deletes the selected email message from the selected mailboxes.
For more information, see Delete Message task.
Supporting services:
  • Cloud App Security

Action: Quarantine Message
Description: Moves the selected email message to the quarantine folder and allows you to quarantine the same message from all affected mailboxes.
For more information, see Quarantine Message task.
Supporting services:
  • Cloud App Security

Action: Remove from Block List
Description: Removes a File SHA-1, URL, IP address, or domain object that was added to the User-Defined Suspicious Objects List through the Add to Block List response.
For more information, see Remove from Block List task.
Supporting services:
  • Apex One as a Service
    • Windows agent
    • Linux agent
  • Cloud App Security
  • Deep Security Software

Container

Action: Isolate Container
Description: Limits the spread of suspicious processes within a container, and lets you investigate the cause, by disconnecting the containing pod from relevant networks and preventing data transfer into and out of the pod.
For more information, see Isolate Container task.

Action: Terminate Container
Description: Stops suspicious behavior of containers within a pod by terminating the containing pod.
Important: Terminating a pod destroys evidence of the suspicious behavior and does not prevent the behavior from happening again.
For more information, see Terminate Container task.

Action: Resume Container
Description: Resumes containers within a previously isolated pod.
For more information, see Resume Container task.