
MDR

Pre-approved Actions

On the Pre-approved Actions page you can authorize the SOC team to take specific response actions without requesting explicit approval each time one is needed.

The page displays the following information:

  • Actions - the response action the SOC team is authorized to take

  • Details - a brief description of the action

  • Notes - a field to add notes for the SOC team

The following pre-approved actions are available:

  • Stop process. Our experts will terminate a process that they have determined is malicious.

  • Block file. Our experts will block a malicious executable from running on the host.

  • Block port. Our experts will block the host from exchanging network traffic on one or more network ports that they have determined present a risk. For example: port 80 or 443.

  • Block IP. Our experts will block the host from exchanging network traffic with one or more IP addresses that they have determined are malicious.

  • Isolate host. Our experts will disconnect the host from the network so that it can no longer initiate or accept connections with other systems.

  • Delete file. Our experts will delete a file that they have determined is malicious.

  • Quarantine file. Our experts will move a suspicious file to a quarantine folder so that it cannot be opened or executed accidentally. The file will not be deleted.

  • Delete email. Our experts will delete an email message from the inbox after they have determined the message is malicious.

  • Disable user. Our experts will disable the user's ability to log in after determining that there is malicious activity associated with the account.

  • Mark user as compromised. Our experts will mark the user as compromised in Active Directory. This action is only available for customers with the Microsoft E5 level license.

  • Response shell. Our experts will be granted access to run commands on the endpoint in order to investigate or mitigate malicious activity.

  • Force user credentials reset. After determining that an account may have been misused, our experts will flag the account so that the user must reset their password at the next login.

The Pre-approved Actions list has been updated to support XDR, and includes the following additional actions, grouped by XDR sensor:

  • XDR for MDR Productivity

    • Delete email

    • Disable user

    • Force user credentials reset

  • XDR for MDR Identity

    • Disable user

    • Force user credentials reset

    • Mark user as compromised

      Note

      This action is only available for customers with the Microsoft E5 level license.


The Pre-approved Actions page can also be grouped by business impact.