Proactive Response Actions Overview

Threat Response

Threat response actions are inherent in Secureworks® Taegis™ XDR and analysts use these actions to respond to cases for Threats deemed critical. Threat response actions include the following:

  • Isolate Host / Restore Host
  • Block IP / Unblock IP
  • Disable User / Enable User
  • Revoke User Sign-In Sessions (disabling a user also revokes that user's sign-in sessions)

Secureworks analysts are required to obtain explicit permission from you (the customer) before conducting the actions listed above.

Proactive Response

For Proactive Response, after you configure and authorize Taegis Actions for Proactive Response, Secureworks will not contact you before conducting the specified, authorized actions on your behalf.

Authorizing Proactive Response Actions saves valuable time, especially if your designated security contacts are unavailable when we attempt to contact them, because we do not have to wait to act on your behalf. Isolation-related Proactive Response also enables you to indicate the specific assets for which you want us to conduct proactive actions.

Proactive Response Actions enable Secureworks® Taegis™ MDR analysts to act on your behalf on assets without first notifying you and waiting for a response, which could otherwise delay time-critical actions. Analysts perform response actions after a Case for a threat deemed critical has been analyzed. Examples of critical threats include, but are not limited to, the following:

  • Threat actor “hands on keyboard” access to your environment
  • Ransomware Outbreak
  • Credential Dumping
  • Webshell Activity
  • Evidence of Successful Lateral Movement
  • Data Exfiltration
  • Privilege Escalation

Available Proactive Response Actions

Currently available Proactive Response Actions configurable as Taegis Actions for multiple supported technology integrations include:

  • Isolate / Restore Host
  • Disable / Enable User
  • Block / Unblock IP

Additional available Proactive Response Actions configurable as Playbooks include:

  • Microsoft Entra ID Force Password Reset
  • AWS Enable / Disable User Access Key
  • AWS Disable User MFA Device

Granular Exclusion Capabilities

Proactive Response Actions allow for granular filtering of the assets and users eligible for the action. To do so, when configuring the Action or Playbook, enter a trigger filter in CEL syntax that defines the conditions under which the option is shown. If no trigger filter is provided, all relevant assets and users are eligible for the action, as long as Proactive Response is enabled in the Action or Playbook configuration.

Authorize Proactive Response and Enable Actions

To take advantage of Taegis MDR Proactive Response Actions, which are performed in your environment when deemed necessary by a Taegis MDR analyst, you must authorize Proactive Response Actions in XDR and configure and maintain supported Taegis Actions or Playbooks. These actions are available only to Taegis MDR customers.

Connector and Connection

In Automation, a connector is the definition of how XDR communicates with an external IT tool, allowing playbooks and Taegis Actions to execute the API calls published by that vendor.

A connection is an instance of a connector that you configure. The connection provides the method that XDR uses to authenticate to an IT tool within your environment, as well as the URL it should authenticate to.

For Taegis MDR, you must configure a connection specific to the supported technologies in your environment for any response actions that you may want to take in XDR, or for any actions that you want Taegis MDR analysts to perform on your behalf. Secureworks technologies (Taegis™ XDR Endpoint Agent, Red Cloak™ Endpoint Agent, and Taegis™ NDR) do not require a connection to be configured for automation, as these are configured automatically.

For more information about configuring connections, see Create a New Connection.

Taegis Actions

Taegis Actions make it easier than ever to configure and use out-of-the-box response and enrichment actions. These actions are tightly integrated into the triage and investigation workflow to speed analysis and enable rapid response.

Each Taegis Action supports multiple integrations with common IT and InfoSec tools and works with multiple instances of each technology. This removes the need to configure and maintain multiple instances for each technology-specific integration.

Enabling Proactive Response for a supported Action allows it to be performed on your behalf when deemed necessary by a Taegis MDR analyst.

For Taegis MDR, you must configure an Action with the integrations to supported technologies in your environment for the actions you want a Taegis MDR analyst to take, such as host isolation.

See Taegis Actions for more information about configuration.

Note

Some Proactive Response Actions noted above are configurable only as Playbooks at this time.