Managing response activity

From the Threat Response Menu, click Response Activity to view the status of response actions, or to create or stop a response action. Unlike a scheduled action, a response action runs once during a provided time range; if an endpoint is not online when you deploy the action, the action runs when the endpoint comes online. Initiate a response action on a single affected endpoint. You can initiate Live Response, Quarantine, download a file, or gather a snapshot from a targeted endpoint.

You can initiate response actions from an alert. For more information, see Initiate response actions from an alert.

Create a response action for an endpoint

  1. From the Threat Response Menu, click Response Activity.
  2. Click Create > Live Response, Create > Quarantine, Create > Gather Snapshot, or Create > Download File.
  3. Select an endpoint that is the target of the response action.

    When you download a file as a response action, the file is saved as saved evidence. From the Threat Response menu, click Saved Evidence > Files to access the files that you download.

  4. Provide parameters for the response action. For example, if you select the response action for Live Response, you can specify the package you want to use for Live Response file collection.
  5. Click Run Response Action. Confirm that you want to deploy the response action. Provide administrator credentials and click OK.

Stop a response action

  1. From the Threat Response Menu, click Response Activity.
  2. Select the response action that you want to stop from the list of response actions.
  3. Click Actions > Stop.