Automated Response

Automated Response lets you respond automatically to critical alerts or events, which speeds up response and limits the scope of impact.

The automated response process runs only when you enable Semi-automation or Full automation.

The process starts when a detection model triggers an alert. Trend Micro Vision One automatically investigates highlighted objects detected by the model, evaluates and analyzes the evidence collected, and further identifies certain objects as "highly suspicious" or "suspicious". Based on the automation settings, Trend Micro Vision One creates response tasks to perform on the associated objects or events.

The following table outlines the settings available on the Automated Response screen.

| Object Type | Automation Option | Applicable Action |
|---|---|---|
| Suspicious | No automation (default): Generates alerts but does not run any automated response on the "Suspicious" objects. | - |
| Suspicious | Semi-automation: Automatically creates response tasks based on the applicable actions but requires your approval to proceed. | Collect File; Quarantine Message; (Optional) Submit to Sandbox Analysis |
| Suspicious | Full automation: Automatically and immediately creates and executes response tasks based on the applicable actions. | Collect File; Quarantine Message; (Optional) Submit to Sandbox Analysis |
| Highly Suspicious | No automation (default): Generates alerts but does not run any automated response on the "Highly suspicious" objects. | - |
| Highly Suspicious | Semi-automation: Automatically creates response tasks based on the applicable actions but requires your approval in the Response Management app to proceed. | Add to Block List; Collect File; Isolate endpoint; Quarantine Message; (Optional) Submit to Sandbox Analysis |
| Highly Suspicious | Full automation: Automatically and immediately creates and executes response tasks based on the applicable actions. | Add to Block List; Collect File; Isolate endpoint; Quarantine Message; (Optional) Submit to Sandbox Analysis |

Note:

To check the status or number of automated response tasks created for an alert, open the alert details in Workbench.

To track the execution of each automated response task, go to the Response Management app.