Response Actions
Object-specific actions allow you to directly respond to threats without leaving the Trend Vision One console.
You can take specific actions on events or objects found on the Trend Vision One console. After triggering a response, the Response Management app creates a task and sends the command to the target.
The following tables describe the actions you can take on users, networks, endpoints, and email messages.
|
Action |
Description |
Supported Services |
|---|---|---|
|
Disable User Account |
Signs the user out of all active application and browser sessions of the user account. It may take a few minutes for the process to complete. Users are prevented from signing in any new session. Note:
Not applicable on accounts assigned the Azure AD Administrator role. For more information, see Disable User Account Task. |
|
|
Enable User Account |
Allows the user to sign in to new application and browser sessions. It may take a few minutes for the process to complete. For more information, see Enable User Account Task. |
|
|
Force Password Reset |
Signs the user out of all active application and browser sessions, and forces the user to create a new password during the next sign-in attempt. It may take a few minutes for the process to complete. For more information, see Force Password Reset Task. |
|
|
Force Sign Out |
Signs the user out of all active application and browser sessions of the user account. It may take a few minutes for the process to complete. Users are not prevented from immediately signing back in the closed sessions or signing in new sessions. For more information, see Force Sign Out Task. |
|
|
Action |
Description |
Supported Services |
|---|---|---|
|
Add to Block List |
Adds supported objects such as File SHA-1, URL, IP address, or domain objects to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections Important:
Adding an object to the User-Defined Suspicious Objects List does not terminate any active processes or connections to the object. To terminate active processes, ensure that you also trigger the Terminate response. For more information, see Add to Block List Task. |
|
|
Collect File |
Compresses the selected file detected by the network appliance in a password-protected archive and then sends the archive to the Response Management app |
|
|
Collect Investigation Package |
Compresses the selected investigation package that includes OpenIOC files describing Indicators of Compromise identified on the affected host or network in a password-protected archive and then sends the archive to the Response Management app Important:
To execute the Collect Investigation Package action, you must first enable the Virtual Analyzer in Deep Discovery Inspector. |
|
|
Collect Network Analysis Package |
Compresses the selected network analysis package (including an investigation package, a PCAP file, and a selected file detected by the network appliance) in a password-protected archive and then sends the archive to the Response Management app For more information, see Collect Network Analysis Package Task. Important:
To execute the Collect Network Analysis Package task, you must first enable the Virtual Analyzer and packet capture function in Deep Discovery Inspector. Note:
The Collect PCAP File action only supports Deep Discovery Inspector 6.5 or above. |
|
|
Collect PCAP File |
Compresses the selected Packet Capture file in a password-protected archive and then sends the archive to the Response Management app Note:
The Collect PCAP File action only supports Deep Discovery Inspector 6.5 or above. Important:
To execute the Collect PCAP File action, you must first enable the packet capture function in Deep Discovery Inspector. |
|
|
Remove from Block List |
Removes the File SHA-1, URL, IP address, or Domain object added to the User-Defined Suspicious Objects List through the Add to Block List response For more information, see Remove from Block List Task. |
|
|
Submit for Sandbox Analysis |
Submits the selected file objects for automated analysis in a sandbox, a secure virtual environment For more information, see Submit for Sandbox Analysis Task. |
|
|
Action |
Description |
Supported Services |
|---|---|---|
|
Add to Block List |
Adds supported objects such as File SHA-1, URL, IP address, or domain objects to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections Important:
Adding an object to the User-Defined Suspicious Objects List does not terminate any active processes or connections to the object. To terminate active processes, ensure that you also trigger the Terminate response. For more information, see Add to Block List Task. |
|
|
Collect Evidence |
Collects forensic evidence from the specified endpoints and uploads it to the Forensics and Analysis app. For more information, see Collect Evidence Task. |
|
|
Collect File |
Compresses the selected file on the endpoint in a password-protected archive and then sends the archive to the Response Management app For more information, see Collect File Sample Task. |
|
|
Dump Process Memory |
Directly accesses an endpoint and executes remote shell commands to identify currently running processes that may be causing suspicious activity during an investigation Important:
The Dump Process Memory action is only triggered by the memdump command through remote shell on endpoints running Windows or macOS. Note:
Use an external decompression program (such as 7-zip) to extract the file contents. |
|
|
Isolate Endpoint |
Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product For more information, see Isolate Endpoint Task. |
|
|
Remove from Block List |
Removes the File SHA-1, URL, IP address, or Domain object added to the User-Defined Suspicious Objects List through the Add to Block List response For more information, see Remove from Block List Task. |
|
|
Restore Connection |
Restores network connectivity to an endpoint that already applied the Isolate Endpoint action For more information, see Restore Connection Task. |
|
|
Run osquery |
Executes SQL queries using osquery (version 5.7.0) to obtain system information of the specified endpoints. For more information, see Run osquery Task. |
|
|
Run Remote Custom Script |
Connects to a monitored endpoint and executes a previously uploaded PowerShell or Bash script file For more information, see Run Remote Custom Script Task. |
|
|
Run YARA rules |
Executes custom YARA rules on the specified endpoints. For more information, see Run YARA Rules Task. |
|
|
Start Remote Shell Session |
Connects to a monitored endpoint and allows you to execute remote commands or a custom script file for investigation For more information, see Start Remote Shell Session Task. |
|
|
Submit for Sandbox Analysis |
Submits the selected file objects for automated analysis in a sandbox, a secure virtual environment For more information, see Submit for Sandbox Analysis Task. |
|
|
Terminate Process |
Terminates the active process and allows you to terminate the process on all affected endpoints For more information, see Terminate Process Task. |
|
|
Action |
Description |
Supported Services |
|---|---|---|
|
Add to Block List |
Adds supported objects such as File SHA-1, URL, IP address, or domain objects to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections Important:
Adding an object to the User-Defined Suspicious Objects List does not terminate any active processes or connections to the object. To terminate active processes, ensure that you also trigger the Terminate response. For more information, see Add to Block List Task. |
|
|
Delete Message |
Deletes the selected email message from the selected mailboxes For more information, see Delete Email Message Task. |
|
|
Quarantine Message |
Moves the selected email message to the quarantine folder and allows you to quarantine the message from all affected mailboxes For more information, see Quarantine Email Message Task. |
|
|
Remove from Block List |
Removes the File SHA-1, URL, IP address, or Domain object added to the User-Defined Suspicious Objects List through the Add to Block List response For more information, see Remove from Block List Task. |
|
- Add to Block List Task
You can take preventive blocking measures on suspicious objects that may pose a security risk to your network using context menus on the Trend Vision One console. - Collect Evidence Task
Collect evidence to support threat investigation and incident response. - Collect File Sample Task
After identifying a suspicious file object that you want to investigate in your local environment, you can collect the file in a password-protected archive and download the file from the Response Management app. - Collect Network Analysis Package Task
After identifying a suspicious object that you want to investigate, you can collect the network analysis package (including an investigation package, a PCAP file, and a selected file detected by the network appliance) in a password-protected archive and download the file from the Response Management app. - Delete Email Message Task
After identifying a suspicious email message, you can delete the message from all supported mailboxes protected by Cloud App Security using context menus on the Trend Vision One console. - Disable User Account Task
After identifying a potentially compromised user account, you can disable the account. - Enable User Account Task
After verifying the safety of a disabled user account, you can re-enable the account. - Force Password Reset Task
After identifying a potentially compromised user account, you can force the user to create a new password. - Force Sign Out Task
After identifying a potentially compromised user account, you can sign the user out of all active application and browser sessions. - Isolate Endpoint Task
You can take preventive isolation measures on compromised endpoints that may pose a security risk to your network using context menus on the Trend Vision One console. - Quarantine Email Message Task
After identifying a suspicious email message, you can quarantine the message from all supported mailboxes protected by Cloud App Security using context menus on the Trend Vision One console. - Remove from Block List Task
After determining that a blocked object or sender is no longer a risk, you can remove the object from the applicable blocked list using the Response Management app. - Restore Connection Task
After resolving the security issue on an isolated endpoint, you can restore network connectivity using the Response Management app. - Run osquery Task
Run SQL-based queries on the specified endpoints to support threat investigation and incident response. - Run Remote Custom Script Task
Execute a PowerShell or Bash script on a target endpoint during an investigation. - Run YARA Rules Task
Run custom YARA rules on the specified endpoints to support threat investigation and incident response. - Start Remote Shell Session Task
Directly access an endpoint and execute CLI commands or a custom script file during an investigation. - Submit for Sandbox Analysis Task
After identifying a suspicious file object, you can submit the object for analysis in the Sandbox Analysis app using context menus on the Trend Vision One console. - Terminate Process Task
After identifying a suspicious or malicious process running on an endpoint, you can terminate the process using context menus on the Trend Vision One console.
