Response Actions

Explore the response actions available to the Managed Services operations team.

Approval Not Required

The following response actions do not require your approval. The operations team is automatically authorized to perform these actions on your behalf:

Automatically Approved

You can automate the approval of the following response action requests submitted by the operations team. For instructions on enabling auto approval of requests, see Configuring Response Approval Settings.

Table 1. Critical Actions

Response Action Name


Add Objects to Block List

Adds supported objects such as File SHA-1, URL, IP address, or domain objects to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections

Run Trend Micro Investigation Kit

Deploys and executes the Trend Micro Investigation Kit on target endpoints

Terminate Process

Terminates the active process and allows you to terminate the process on all affected endpoints

Collect Suspicious File Sample

Compresses the selected file on the endpoint in a password-protected archive and then sends the archive to the Response Management app

Isolate Endpoint

Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product

Quarantine Email Message

Adds the email address to the Blocked Sender list in Cloud App Security and quarantines incoming messages

Disable User Account

Signs the user out of all active application and browser sessions of the user account. It may take a few minutes for the process to complete. Users are prevented from signing in any new session.

Table 2. Recommended Actions

Response Action Name


Submit for Sandbox Analysis

Submits the selected file objects for automated analysis in a sandbox, a secure virtual environment

Start Remote Shell Session

Connects to monitored endpoints to remotely execute commands, custom scripts or process memory dumps for investigation

Run Remote Custom Script

Connects to a monitored endpoint and executes a previously uploaded PowerShell or Bash script file

Collect Network Analysis Package

Compresses the selected network analysis package (including an investigation package, a PCAP file, and a selected file detected by the network appliance) in a password-protected archive and then sends the archive to the Response Management app

Configure and Deploy TippingPoint Filter Policy

Configures TippingPoint virtual patching filter policies in Network Intrusion Prevention and applies the policies on TippingPoint SMS profiles to mitgate CVE risks