Explore the response actions available to the Managed Services operations team.
Approval not required
The following response actions do not require your approval. The operations team is
automatically authorized to perform these actions on your behalf:
-
Link or unlink Workbench alerts to or from incidents
-
Add exceptions in Suspicious Object Management
-
Add exceptions in Detection Model Management
-
Conduct memory dumps of processes running on endpoints
Note
Process memory dumps on endpoints require remote shell sessions, which you must approve. For instructions on auto approving operations team requests, see Configuring Response Approval Settings.
Automatically approved
You can automate the approval of the following response action requests submitted
by the
operations team. For instructions on enabling auto approval of requests, see Configuring Response Approval Settings.
Critical Actions
Response Action Name
|
Description
|
||
Add Objects to Block List
|
Adds supported objects such as File SHA-1, URL, IP address, or domain
objects to the User-Defined Suspicious Objects List, which blocks the objects on subsequent
detections
|
||
Collects detailed evidence from specified endpoints to support threat
investigation and incident response
|
|||
Run Trend Micro Investigation Kit
|
Deploys and executes the Trend Micro Investigation Kit on selected endpoints | ||
Terminate Process
|
Terminates the active process and allows you to terminate the process
on all affected endpoints
|
||
Collect Suspicious File Sample
|
Compresses the selected file on the endpoint in a password-protected
archive and then sends the archive to the Response Management app
|
||
Isolate Endpoint
|
Disconnects the target endpoint from the network, except for
communication with the managing Trend Micro server product
|
||
Quarantine Email Message
|
Adds the email address to the Blocked Sender list in Cloud App
Security and quarantines incoming messages
|
||
Disable User Account
|
Signs the user out of all active application and browser sessions of the user
account. It may take a few minutes for the process to complete. Users are
prevented from signing in any new session.
|
Recommended Actions
Response Action Name
|
Description
|
||
Submit for Sandbox Analysis
|
Submits the selected file objects for automated analysis in a
sandbox, a secure virtual environment
|
||
Start Remote Shell Session
|
Connects to monitored endpoints to remotely execute
commands, custom scripts or process memory dumps for investigation
|
||
Run Remote Custom Script
|
Connects to a monitored endpoint and executes a previously
uploaded PowerShell or Bash script file
|
||
Runs custom YARA rules on specified endpoints to support threat investigation and
incident response
|
|||
Runs SQL-based queries on specified endpoints to support threat investigation and
incident response
|
|||
Collect Network Analysis Package
|
Compresses the selected network analysis
package (including an investigation package, a PCAP file, and a selected file detected
by
the network appliance) in a password-protected archive and then sends the archive
to the
Response Management app
|
||
Configure and Deploy TippingPoint Filter Policy
|
Configures TippingPoint virtual patching filter policies in Intrusion Prevention Configuration and applies the policies on
TippingPoint SMS profiles to mitigate CVE risks
|