New response actions to enable new workflows
We've added new response action endpoints under POST /response-actions/v1/execute/<name> to expand remote execution capabilities for both device and identity management.
This allows you to automate new workflows that involve acting on the target devices and identities.
This release increases the number of API-supported response actions from 8 to 32.
Device response actions
The following device response actions are available:
- Create full memory dump - Uploads a full memory dump from the device
- Delete registry key or value - Deletes a specified Windows registry key or value
- Delete scheduled task - Deletes a specified Windows scheduled task
- Delete Windows service - Deletes a specified Windows service
- Delete WMI persistence objects - Deletes Windows Management Instrumentation (WMI) persistence objects
- Enumerate running processes - Enumerates running processes on the device
- Enumerate WMI persistence mechanisms - Enumerates WMI persistence mechanisms, including event consumers, filters, and bindings
- List file system structure - Lists the file system structure based on path matching patterns
- List registry keys and values - Lists Windows registry keys and values based on path matching patterns
- List scheduled tasks - Lists all Windows scheduled tasks on the device
- Retrieve amcache files - Retrieves the application compatibility cache file from the device
- Retrieve antivirus logs - Retrieves antivirus software log files for security analysis
- Retrieve browser artifacts - Retrieves the browser history from the device
- Retrieve event log tracing files - Retrieves .etl event log tracing files with records of system activities
- Retrieve files from device - Retrieves files from the device based on path matching patterns
- Retrieve jump list files - Retrieves jump lists stored in the AutomaticDestinations and CustomDestinations subfolders
- Retrieve master boot record - Retrieves the master boot record (MBR) from a specified drive
- Retrieve master file table - Retrieves the master file table (MFT) from a specified drive
- Retrieve network connections - Retrieves network connections, routing tables, interface statistics, and related process information
- Retrieve prefetch files - Retrieves Windows prefetch files with evidence of program execution
- Retrieve process memory dump - Retrieves a memory dump of a specific process
- Retrieve RDP cache files - Retrieves remote desktop protocol (RDP) bitmap cache files
- Retrieve recently accessed files - Retrieves information about recently accessed files and folders from user activity artefacts
- Retrieve registry hive files - Retrieves Windows registry hive files
- Retrieve SRUM database - Retrieves the system resource usage monitor (SRUM) database
- Retrieve Windows event log entries - Retrieves Windows event log entries based on specified filters
- Retrieve Windows event log files - Retrieves Windows event log files
- Terminate process - Terminates processes matching the specified patterns
- Terminate thread - Terminates a thread
Identity response actions
The following identity response actions are available for Microsoft Entra:
- Block user access in Microsoft Entra - Blocks access for a user to all resources inside the Microsoft Entra ecosystem
- End Microsoft Entra session - Ends the Microsoft Entra session of a user
- Reset Microsoft Entra password - Resets the Microsoft Entra password of a user
Response action results and attachments
Response actions are processed asynchronously: once triggered, you can monitor their progress. A new endpoint is available for retrieving the actual results of response actions that return data (for example, memory dumps or other files):
GET /response-actions/v1/responses/tasks
By using this endpoint, you can download any files or attachments produced by completed response actions. To determine when your action has finished, first poll the state via GET /response-actions/v1/responses. When the action is marked as finished, your attachments are ready for download from the tasks endpoint.
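The trigger, poll, then fetch-results flow described above, as an added example rather than code from the API documentation. Only the three endpoint paths come from this page; the base URL, the bearer token, the action slug, and every JSON field name (id, state, organizationId, targets, items, attachments) are assumptions to be checked against the API reference.

```python
"""Trigger a response action, poll until it is finished, then fetch its results."""
import json
import time
import urllib.request

BASE_URL = "https://api.example.invalid"  # assumed placeholder host; use the real one from the API reference


def http_json(method, url, token, body=None):
    """Minimal live HTTP transport returning parsed JSON (used when no fake is injected)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def run_action(action, org_id, device_ids, token, transport=http_json, poll_interval=0.0, max_polls=60):
    """Execute <action>, poll GET /responses until state == 'finished', then read /responses/tasks.

    transport(method, url, token, body) is injectable so the flow runs offline.
    Request and response shapes are assumed, not taken from the documentation.
    """
    created = transport("POST", f"{BASE_URL}/response-actions/v1/execute/{action}", token,
                        {"organizationId": org_id, "targets": device_ids})
    response_id = created["id"]
    for _ in range(max_polls):
        status = transport("GET", f"{BASE_URL}/response-actions/v1/responses"
                           f"?organizationId={org_id}&responseId={response_id}", token)
        if status["state"] == "finished":  # only then are attachments ready on the tasks endpoint
            break
        time.sleep(poll_interval)
    else:
        raise TimeoutError(f"response {response_id} not finished after {max_polls} polls")
    return transport("GET", f"{BASE_URL}/response-actions/v1/responses/tasks?responseId={response_id}", token)


class FakeTransport:
    """Constructed offline stand-in: reports 'pending' twice, 'finished' on the third poll, then one attachment."""
    def __init__(self):
        self.polls = 0
        self.calls = []  # (method, path without query) for each request made

    def __call__(self, method, url, token, body=None):
        self.calls.append((method, url.split("?")[0]))
        if method == "POST":
            return {"id": "resp-0001"}
        if "/responses/tasks" in url:
            return {"items": [{"taskId": "task-1", "attachments": ["processes.json"]}]}
        self.polls += 1
        return {"state": "finished" if self.polls >= 3 else "pending"}


if __name__ == "__main__":
    fake = FakeTransport()  # assumed action slug below; real names are in the API reference
    print(run_action("enumerate-running-processes", "org-1", ["dev-1"], "TOKEN", transport=fake), fake.polls)
```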
Start building
Full API documentation is available at
https://connect.withsecure.com/api-reference/elements/