Response Actions
Defend provides 10 response action types to contain, remediate, and recover from threats. Actions can be triggered manually from an investigation, automatically via response rules, or in bulk across multiple devices.
Action Types
| Action | What It Does | Destructive |
|---|---|---|
| Kill Process | Terminates a running process by PID | No |
| Isolate Device | Blocks all network access except the RMM management channel (port 443) | Yes |
| Unisolate Device | Restores full network access after isolation | No |
| Quarantine File | Moves a file to a secure quarantine directory where it cannot execute | Yes |
| Block IP | Adds a Windows Firewall rule to block outbound traffic to a specific IP | No |
| Unblock IP | Removes a previously added firewall block rule | No |
| Reset User Session | Forces logout of the active user session | Yes |
| Force Password Reset | Flags the user in People and sends a password reset notification | Yes |
| Collect Forensics | Gathers memory dump, Windows Event Logs, and Prefetch files | No |
| Run Script | Executes a custom remediation script via the RMM integration | Depends |
Dual-Control Approval
Destructive actions require dual-control approval by default:
- An analyst submits the response action with a justification
- A different analyst reviews and approves the action
- The same person who submitted cannot approve their own action
- Once approved, the action is queued for execution
Non-destructive actions (kill process, unisolate device, block/unblock IP, collect forensics) are auto-queued unless your organization has configured them to require approval.
You can customize which actions require approval in Settings → Response Automation → Approval Requirements.
Action Lifecycle
Every response action follows this status flow:
pending_approval → queued → executing → completed / failed / cancelled
- Pending approval — Waiting for a second analyst to approve (destructive actions)
- Queued — Approved and waiting for the agent to pick up the command
- Executing — Agent is carrying out the action
- Completed — Action succeeded, verification passed
- Failed — Action could not be completed (e.g., agent offline, permission error)
- Cancelled — Analyst cancelled the action before execution
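The dual-control rules and the status flow above can be expressed as a small state machine. The following is an added example written for this page, not Defend's own code: it assumes the action type names (`isolate_device`, `kill_process`, ...) and treats "Run Script" as destructive by default; the audit entries it records are the ones the Audit Trail section lists (who submitted, who approved, timestamps).

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Destructive action types, taken from the "Destructive" column of the table
# above. "Run Script" is listed as "Depends"; this example assumes it is
# treated as destructive unless the organization overrides it.
DESTRUCTIVE = {
    "isolate_device", "quarantine_file", "reset_user_session",
    "force_password_reset", "run_script",
}

# Allowed status transitions, following the lifecycle
# pending_approval -> queued -> executing -> completed / failed / cancelled.
TRANSITIONS = {
    "pending_approval": {"queued", "cancelled"},
    "queued": {"executing", "cancelled"},
    "executing": {"completed", "failed"},
    "completed": set(),
    "failed": set(),
    "cancelled": set(),
}


class ActionError(Exception):
    """Raised when a request violates the approval or lifecycle rules."""


@dataclass
class ResponseAction:
    action_type: str
    device_id: str
    submitted_by: str
    justification: str
    # Per-organization override (Settings -> Response Automation -> Approval
    # Requirements); None means "default: destructive actions need approval".
    approval_override: Optional[bool] = None
    status: str = "pending_approval"
    approved_by: Optional[str] = None
    audit: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if not self.justification.strip():
            raise ActionError("a justification is required to submit an action")
        # Non-destructive actions are auto-queued; destructive ones wait.
        self.status = "pending_approval" if self.requires_approval() else "queued"
        self._log("submitted", self.submitted_by)

    def requires_approval(self) -> bool:
        if self.approval_override is not None:
            return self.approval_override
        return self.action_type in DESTRUCTIVE

    def _log(self, event: str, actor: str) -> None:
        # Every step is recorded with actor and timestamp for the audit trail.
        self.audit.append({
            "event": event, "actor": actor, "status": self.status,
            "at": datetime.now(timezone.utc).isoformat(),
        })

    def _transition(self, new_status: str, actor: str) -> None:
        if new_status not in TRANSITIONS[self.status]:
            raise ActionError(f"cannot move from {self.status} to {new_status}")
        self.status = new_status
        self._log(new_status, actor)

    def approve(self, approver: str) -> None:
        if self.status != "pending_approval":
            raise ActionError("action is not awaiting approval")
        if approver == self.submitted_by:
            raise ActionError("the submitter cannot approve their own action")
        self.approved_by = approver
        self._transition("queued", approver)

    def cancel(self, actor: str) -> None:
        # Only possible before execution starts (see TRANSITIONS).
        self._transition("cancelled", actor)

    def start(self) -> None:
        # The agent picked up the queued command.
        self._transition("executing", "agent")

    def finish(self, success: bool) -> None:
        self._transition("completed" if success else "failed", "agent")


if __name__ == "__main__":
    a = ResponseAction("isolate_device", "dev-42", "alice", "C2 beaconing confirmed")
    a.approve("bob")
    a.start()
    a.finish(True)
    for entry in a.audit:
        print(entry)
```

The transition table is what prevents an analyst from cancelling an action that is already executing, and the `approve` check is the four-eyes rule: the same identity that submitted cannot approve.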
Post-Action Verification
60 seconds after an action completes, Defend runs automatic verification:
- Kill process — Confirms the process is no longer running
- Isolate device — Confirms network access is blocked (except management channel)
- Quarantine file — Confirms the file has been moved and is not executable
- Block IP — Confirms the firewall rule is active
Verification results are logged with the action record.
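The verification step can be modelled as a set of per-action checks that run only once the 60-second delay has elapsed and that write their result back onto the action record. The following is an added example, not Defend's agent code: the host snapshot it inspects is constructed inline (a real agent would query the OS), and the management-channel endpoint is a placeholder. It also handles the failure modes a practitioner cares about: a process that respawned, or an isolated device that can still reach something other than the management channel.

```python
from datetime import datetime, timedelta, timezone

VERIFY_DELAY = timedelta(seconds=60)

# Assumed management channel that an isolated device may still reach
# (placeholder host name; port 443 is from the Action Types table).
MANAGEMENT_CHANNEL = ("rmm.example.invalid", 443)


# Each verifier inspects a host snapshot (constructed for this example) and
# returns True when the action's intended effect still holds.
def verify_kill_process(action, host):
    return action["pid"] not in host["running_pids"]


def verify_isolate_device(action, host):
    # Everything the device can still reach must be the management channel.
    return host["reachable"] <= {MANAGEMENT_CHANNEL}


def verify_quarantine_file(action, host):
    src, dst = action["path"], action["quarantine_path"]
    return src not in host["files"] and host["files"].get(dst) == "no-exec"


def verify_block_ip(action, host):
    return action["ip"] in host["blocked_outbound_ips"]


VERIFIERS = {
    "kill_process": verify_kill_process,
    "isolate_device": verify_isolate_device,
    "quarantine_file": verify_quarantine_file,
    "block_ip": verify_block_ip,
}


def run_verification(action, host, now=None):
    """Run the post-action check once VERIFY_DELAY has elapsed.

    Returns True/False for the verification result, or None when the action
    has not completed, is not yet due, or has no verifier (e.g. Collect
    Forensics, which the page lists without a verification step).
    """
    now = now or datetime.now(timezone.utc)
    if action["status"] != "completed":
        return None
    if now - action["completed_at"] < VERIFY_DELAY:
        return None
    verifier = VERIFIERS.get(action["type"])
    if verifier is None:
        return None
    passed = verifier(action, host)
    # The result is stored on the action record so it shows in the audit trail.
    action["verification"] = {
        "result": "passed" if passed else "failed",
        "at": now.isoformat(),
    }
    return passed


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    kill = {"type": "kill_process", "pid": 4242, "status": "completed", "completed_at": t0}
    host = {"running_pids": {4, 812, 4242}, "reachable": set(), "files": {},
            "blocked_outbound_ips": set()}
    # Process came back after the kill: verification fails and is logged.
    print(run_verification(kill, host, now=t0 + VERIFY_DELAY), kill["verification"])
```

A failed verification is the signal that the action needs follow-up (a respawning process points at persistence, a leaky isolation at a firewall rule that did not apply), which is why the result is attached to the action record rather than discarded.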
Auto-Response
Configure automatic response actions for critical and high-severity detections:
| Setting | Description |
|---|---|
| Auto-isolate on critical | Automatically isolate devices when a critical-severity detection fires |
| Auto-kill on high | Automatically terminate the malicious process on high-severity detections |
| Active hours | Time window during which auto-response is active (e.g., after hours only) |
| Require approval for | Override specific action types to always require approval |
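The four settings combine into a small policy decision per detection. Below is an added example of that evaluation, written for this page rather than taken from Defend: the settings dictionary is constructed to mirror the table, the active-hours window is assumed to be a local-time (start, end) pair that may wrap midnight ("after hours only"), and automatically triggered destructive actions are assumed to follow the same default as manual ones, so they land in pending approval rather than being executed unattended.

```python
from datetime import datetime, time

# Destructive action types from the Action Types table (Run Script assumed
# destructive by default in this example).
DESTRUCTIVE = {
    "isolate_device", "quarantine_file", "reset_user_session",
    "force_password_reset", "run_script",
}

# Constructed settings mirroring the Auto-Response table. active_hours is a
# (start, end) pair in local time; start > end means the window wraps midnight.
SETTINGS = {
    "auto_isolate_on_critical": True,
    "auto_kill_on_high": True,
    "active_hours": (time(18, 0), time(8, 0)),   # after hours only
    "require_approval_for": {"kill_process"},    # override for one type
}


def in_active_hours(now: datetime, window) -> bool:
    """True when auto-response is active at `now`; None means always active."""
    if window is None:
        return True
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end   # window wraps midnight


def requires_approval(action_type: str, settings) -> bool:
    # Dual control by default for destructive types; the override list forces
    # approval for the named types even when they are non-destructive.
    return action_type in DESTRUCTIVE or action_type in settings["require_approval_for"]


def auto_response(detection, settings, now: datetime):
    """Return the action to queue for a detection, or None if nothing applies."""
    if not in_active_hours(now, settings["active_hours"]):
        return None
    severity = detection["severity"]
    if severity == "critical" and settings["auto_isolate_on_critical"]:
        action_type = "isolate_device"
    elif severity == "high" and settings["auto_kill_on_high"]:
        action_type = "kill_process"
    else:
        return None
    action = {
        "type": action_type,
        "device_id": detection["device_id"],
        "triggered_by": detection["id"],   # kept for the audit trail
        "submitted_by": "auto-response",
    }
    if action_type == "kill_process":
        action["pid"] = detection["pid"]
    action["status"] = "pending_approval" if requires_approval(action_type, settings) else "queued"
    return action


if __name__ == "__main__":
    night = datetime(2024, 1, 1, 23, 0)
    print(auto_response({"id": "det-1", "severity": "critical", "device_id": "dev-1"}, SETTINGS, night))
    print(auto_response({"id": "det-2", "severity": "high", "device_id": "dev-2", "pid": 1337}, SETTINGS, night))
```

With these constructed settings a critical detection at night produces an isolate action waiting for approval, a high detection produces a kill action that also waits because of the override, and nothing fires during the day.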
Bulk Response
When an attack affects multiple devices (e.g., worm propagation, lateral movement):
- Select multiple devices from the detection dashboard or lateral movement graph
- Choose a response action
- The action is applied to all selected devices simultaneously
- Each device's action is tracked independently in the audit trail
Audit Trail
Every response action is logged with:
- Who submitted it and when
- Who approved it (if applicable)
- Execution start and completion timestamps
- Verification result
- The detection or alert that triggered the action
The audit trail is accessible from Response Actions → History and is included in compliance reports.
Next Steps
- Rewind Recovery — Ransomware recovery via Backups integration
- Threat Investigation — Investigating before responding
- Compliance Reports — Audit trail in compliance context