Response Actions

Object-specific actions allow you to directly respond to threats without leaving the Trend Micro Vision One console.

You can take specific actions on events or objects found on the Trend Micro Vision One console. After triggering a response, the Response Management app creates a task and sends the command to the target.

The following tables describe the actions you can take on objects, processes, endpoints, and user accounts.

Table 1. Block List
Action	Description	Managed Agent Support
Add to Block List	Adds supported objects such as File SHA-1, URL, IP address, or domain objects to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections Important: Adding an object to the User-Defined Suspicious Objects List does not terminate any active processes or connections to the object. To terminate active processes, ensure that you also trigger the Terminate response. For more information, see Add to Block List Task.	Apex One as a Service Windows Trend Micro Cloud One - Endpoint & Workload Security Windows Linux Cloud App Security Deep Security Software
Remove from Block List	Removes the File SHA-1, URL, IP address, or Domain object added to the User-Defined Suspicious Objects List through the Add to Block List response For more information, see Remove from Block List Task.	Apex One as a Service Windows Trend Micro Cloud One - Endpoint & Workload Security Windows Linux Cloud App Security Deep Security Software

Table 2. File and Process
Action	Description	Managed Agent Support
Terminate Process	Terminates the active process and allows you to terminate the process on all affected endpoints For more information, see Terminate Process Task.	Apex One as a Service Windows
Collect File	Compresses the selected file on the endpoint in a password-protected archive and then sends the archive to the Response Management app For more information, see Collect File Sample Task.	Trend Micro Vision One Windows Mac Linux Apex One as a Service Windows Trend Micro Cloud One - Endpoint & Workload Security Windows Linux Mac
Submit for Sandbox Analysis	Submits the selected file objects for automated analysis in a sandbox, a secure virtual environment For more information, see Submit for Sandbox Analysis Task.	Trend Micro Vision One Windows Mac Apex One as a Service Windows Linux Trend Micro Cloud One - Endpoint & Workload Security Windows Linux Mac

Table 3. Email Message
Action	Description	Managed Service Support
Quarantine Message	Moves the selected email message to the quarantine folder and allows you to quarantine the message from all affected mailboxes For more information, see Quarantine Email Message Task.	Cloud App Security
Delete Message	Deletes the selected email message from the selected mailboxes For more information, see Delete Email Message Task.	Cloud App Security

Table 4. Endpoint
Action	Description	Managed Agent Support
Dump Process Memory	Creates an encrypted archive of diagnostic information during a crash to analyze and fix errors Note: Use an external decompression program (such as 7-zip) to extract the file contents.	Trend Micro Vision One Windows Mac
Isolate Endpoint	Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product For more information, see Isolate Endpoint Task.	Trend Micro Vision One Windows Mac Apex One as a Service Windows Trend Micro Cloud One - Endpoint & Workload Security Windows Linux Mac
Restore Connection	Restores network connectivity to an endpoint that already applied the Isolate Endpoint action For more information, see Restore Connection Task.	Trend Micro Vision One Windows Mac Apex One as a Service Windows Trend Micro Cloud One - Endpoint & Workload Security Windows Linux Mac
Start Remote Shell Session	Connects to a monitored endpoint and allows you to execute remote commands or a custom script file for investigation For more information, see Start Remote Shell Session Task.	Trend Micro Vision One Windows Mac Linux Trend Micro Cloud One - Endpoint & Workload Security Windows Mac Linux
Run Remote Custom Script	Connects to a monitored endpoint and executes a previously uploaded PowerShell or Bash script file For more information, see Run Remote Custom Script Task.	Trend Micro Vision One Windows Mac Linux Trend Micro Cloud One - Endpoint & Workload Security Windows Mac Linux

Table 5. Account Enforcement
Action	Description	IAM System
Disable User Account	Signs the user out of all active application and browser sessions of the user account. It may take a few minutes for the process to complete. Users are prevented from signing in any new session. Note: Not applicable on accounts assigned the Azure AD Administrator role. For more information, see Disable User Account Task.	Azure AD Active Directory (on-premises)
Enable User Account	Allows the user to sign in to new application and browser sessions. It may take a few minutes for the process to complete. For more information, see Enable User Account Task.	Azure AD Active Directory (on-premises)
Force Sign Out	Signs the user out of all active application and browser sessions of the user account. It may take a few minutes for the process to complete. Users are not prevented from immediately signing back in the closed sessions or signing in new sessions. For more information, see Force Sign Out Task.	Azure AD
Force Password Reset	Signs the user out of all active application and browser sessions, and forces the user to create a new password during the next sign-in attempt. It may take a few minutes for the process to complete. For more information, see Force Password Reset Task.	Azure AD Active Directory (on-premises)