Earlier, we introduced Response Actions for the Windows version of our XDR client.
With response actions, you can retrieve specific forensic artefacts from endpoints to gather more information and provide further context to an investigation surrounding suspicious events that have been detected. You can also slow down or stop an attacker from achieving their objectives by containing threats as they are discovered and blocking them immediately. This can be done on multiple endpoints at the same time if necessary.
These have significantly aided our partners and customers when working with detections, and we have now added Response Actions to our Mac and Linux agents.
To use Advanced Response Actions, the feature must be enabled in the profiles used. This setting can be found in the "General" settings of the Windows/Mac/Linux profiles.
Due to the nature of the host operating systems, not all platforms support all of the actions.
Investigative Actions
Response Action | Windows | Mac | Linux |
---|---|---|---|
Retrieve Files | Yes | Yes | Yes |
Retrieve PowerShell History | Yes | | |
Retrieve Event Log Entries | Yes | | |
Retrieve Event Log files | Yes | | |
Retrieve Event Log tracing entries | Yes | | |
Retrieve Anti-Virus logs | Yes | | |
Retrieve browser artifacts | Yes | | |
Retrieve jumplist files | Yes | | |
Retrieve MFT | Yes | | |
Retrieve RDP cache files | Yes | | |
Retrieve registry hives | Yes | | |
Retrieve System Resource Usage Monitor database | Yes | | |
Map registry | Yes | | |
Retrieve MBR | Yes | | |
Retrieve Amcache | Yes | | |
Retrieve Prefetch | Yes | | |
Retrieve Recently Accessed | Yes | | |
Map file system | Yes | Yes | Yes |
Netstat | Yes | Yes | Yes |
Enumerate processes | Yes | Yes | Yes |
Enumerate scheduled tasks | Yes | | |
Enumerate services | Yes | | |
Enumerate WMI persistence | Yes | | |
Process memory dump | Yes | | Yes |
Full memory dump | Yes | | Yes |
Test connections | Yes | | |
Containment Actions
Response Action | Windows | Mac | Linux |
---|---|---|---|
Kill process | Yes | Yes | Yes |
Kill thread | Yes | | |
Remediation Actions
Response Action | Windows | Mac | Linux |
---|---|---|---|
Delete files | Yes | Yes | Yes |
Delete registry | Yes | | |
Delete scheduled tasks | Yes | | |
Delete services | Yes | | |
Delete WMI persistence | Yes | | |
For more information on the event types, please check the user guide.