Response actions may be set to either automatic or manual approval. Refer to Comparing Automatic Approval and Manual Approval for Trend Micro™ Managed Detection and Response Actions for further guidance.
Our article about Activating the MDR Service contains details about how to set up these response actions.
Critical Actions
Response Action Name | Description |
---|---|
Add Objects to Block List | Adds supported objects such as File SHA-1, URL, IP address, or domain objects to the User-Defined Suspicious Objects List, which blocks the objects on subsequent detections. |
Collect Evidence | Collects detailed evidence from specified endpoints to support threat investigation and incident response. Auto-approval must be enabled in order to use this response action. |
Collect Suspicious File Sample | Compresses the selected file on the endpoint into a password-protected archive and then sends the archive to the Response Management app. |
Disable User Account | Signs the user out of all active application and browser sessions of the user account and prevents the user from signing in to any new session. It may take a few minutes for the process to complete. |
Isolate Endpoint | Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product. |
Quarantine Email Message | Adds the sender's email address to the Blocked Sender list in Cloud App Security and quarantines incoming messages from that sender. |
Restore Connection | Restores network connectivity to an endpoint to which the Isolate Endpoint action was previously applied. |
Scan for Malware | Performs a one-time scan on one or more endpoints for file-based threats such as viruses, spyware, and grayware. |
Terminate Process | Terminates the selected active process and allows you to terminate the same process on all affected endpoints. |
Recommended Actions
Response Action Name | Description |
---|---|
Collect Network Analysis Package | Compresses the selected network analysis package (including an investigation package, a PCAP file, and a selected file detected by the network appliance) into a password-protected archive and then sends the archive to the Response Management app. |
Configure and Deploy TippingPoint Filter Policy | Configures TippingPoint virtual patching filter policies in Intrusion Prevention Configuration and applies the policies to TippingPoint SMS profiles to mitigate CVE risks. |
Run osquery | Runs SQL-based queries on specified endpoints to support threat investigation and incident response. Auto-approval must be enabled in order to use this response action. |
Run Remote Custom Script | Connects to a monitored endpoint and executes a previously uploaded PowerShell or Bash script file. |
Run YARA Rules | Runs custom YARA rules on specified endpoints to support threat investigation and incident response. Auto-approval must be enabled in order to use this response action. |
Start Remote Shell Session | Connects to monitored endpoints to remotely execute commands or custom scripts, or to collect process memory dumps, for investigation. |
Submit for Sandbox Analysis | Submits the selected file objects for automated analysis in a sandbox, a secure virtual environment. |
The MDR Security Analyst will carry out the above actions when they observe evidence of suspicious activity while conducting an investigation.
A host is isolated when there is a risk to, or an existing compromise of, the confidentiality, integrity or availability of that host.
Examples include credential dumping, unusual data exfiltration, a ransomware detection, or command-and-control (C&C) communication.
A user account will be disabled when there is clear evidence of abuse or spam originating from that account.
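As an added example (not part of the Trend Micro documentation or product), the following is the kind of query an analyst might submit through the Run osquery response action while checking a host for possible C&C communication, one of the isolation criteria listed above. It uses the standard osquery tables processes and process_open_sockets; the excluded internal address range and the "ignore ports 80 and 443" filter are assumptions for illustration and should be adjusted to the environment.

```sql
-- Added example, not Trend Micro code: list processes holding established
-- outbound IPv4 TCP connections to non-standard ports, with the parent PID and
-- command line so the analyst can judge whether the traffic is expected.
-- Tables processes and process_open_sockets are standard osquery tables.
SELECT
  p.pid,
  p.parent,
  p.name,
  p.path,
  p.cmdline,
  s.local_port,
  s.remote_address,
  s.remote_port
FROM process_open_sockets AS s
JOIN processes AS p ON p.pid = s.pid
WHERE s.family = 2                                 -- AF_INET (IPv4)
  AND s.protocol = 6                               -- TCP
  AND s.state = 'ESTABLISHED'
  AND s.remote_address NOT IN ('127.0.0.1', '0.0.0.0')
  AND s.remote_address NOT LIKE '10.%'             -- assumed internal range; adjust
  AND s.remote_port NOT IN (80, 443)               -- assumed: focus on unusual ports
ORDER BY s.remote_address, s.remote_port;
```

A process with a long-lived connection to an unfamiliar external address on an odd port, especially one launched from a user-writable path or with an unexpected parent, is the sort of finding that would be combined with other evidence before an Isolate Endpoint action is approved.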