
Pre-approved Actions

The Pre-approved Actions page can be found under Service Management. Here, you can enable the SOC team to take certain actions without explicit approval, whenever needed.

The page displays the following information:

  • Actions - the action taken by the SOC team

  • Details - a brief description of the action

  • Notes - a field to add notes for the SOC team

The following pre-approved actions are available:

  • Stop process. Our experts will terminate a process that they have determined is malicious.

  • Block file. Our experts will block a malicious executable from running on the host.

  • Block port. Our experts will block the host from exchanging network traffic on one or more network ports that they have determined present a risk. For example: port 80 or 443.

  • Block IP. Our experts will block the host from exchanging network traffic with one or more IP addresses that they have determined are malicious. This action does not apply to servers.

  • Isolate host. Our experts will disconnect the host from the network so that it may no longer make or receive connections with other systems.

  • Delete file. Our experts will delete a file that they have determined is malicious.

  • Quarantine file. Our experts will move a suspicious file to a quarantine folder so that it cannot be used accidentally. The file will not be deleted.

  • Delete email. Our experts will delete an email message from the inbox after they have determined the message is malicious.

  • Disable user. Our experts will disable the user's ability to log in after determining there is malicious activity associated with the account.

  • Mark user as compromised. Our experts will mark the user as compromised in Active Directory. This action is only available for customers with the Microsoft E5 level license.

  • Response shell. Our experts may have access to run commands on the endpoint in order to investigate or mitigate malicious activity.

  • Force user credentials reset. After determining an account may be misused, our experts will set the account so the user must reset their password on the next login.

The Pre-Approved Actions list has been updated to support XDR, and includes the following additional actions:

  • XDR for Bitdefender MDR Productivity

    • Delete email

    • Disable user

  • XDR for Bitdefender MDR Identity

    • Force user credentials reset

    • Mark user as compromised

      Note

      This action is only available for customers with the Microsoft E5 level license.


The Pre-Approved Actions page can also be grouped by business impact.