Proactive Response Actions Overview
Threat Response ⫘
Threat response actions are inherent in Secureworks® Taegis™ XDR and analysts use these actions to respond to investigations for Threats deemed critical. Threat response actions include the following:
- Host isolation
- User password reset with Azure AD
- User block with Azure AD
- User block with AWS
- Access key revocation with AWS
- Disable MFA device with AWS
- iSensor IP block
Secureworks analysts are required to obtain explicit permission from you (the customer) before conducting the actions listed above.
Proactive Response ⫘
For proactive response, after you configure and authorize Proactive Response Actions, Secureworks will not contact you before conducting the specified, authorized actions (i.e., proactively acting on your behalf).
Authorizing Proactive Response Actions saves valuable time, especially if your designated security contacts are unavailable when we attempt to contact them, because we do not have to wait to act on your behalf. Isolation related Proactive response also enables you to indicate the specific assets for which you want us to conduct proactive actions.
Proactive Response Actions enable Secureworks® Taegis™ ManagedXDR analysts to act on your behalf on assets without first notifying you and waiting for a response, which could otherwise delay critical actions taking place in a timely manner. Analysts perform response actions after an Investigation for a threat deemed critical has been analyzed. Examples of critical threats include, but are not limited to, the following:
- Threat actor “hands on keyboard” access to your environment
- Ransomware Outbreak
- Credential Dumping
- Webshell Activity
- Evidence of Successful Lateral Movement
- Data Exfiltration
- Privilege Escalation
Currently available Proactive Response Actions include:
| Network Response Actions | ||
|---|---|---|
| iSensor | IP Block | Remove IP Block |
| Endpoint Response Actions | ||
|---|---|---|
| Taegis | Isolate Host** | Restore Host** |
| Red Cloak | Isolate Host** | Restore Host** |
| Carbon Black | Isolate Host** | Restore Host** |
| Crowdstrike | Isolate Host** | Restore Host** |
| Defender | Isolate Host** | Restore Host** |
| SentinelOne | Isolate Host** | Restore Host** |
Granular Exclusion Capabilities ⫘
Note
Currently, only host isolation and restoration proactive response actions allow for granular filtering of assets (opting assets in/out via tagging). When other proactive response playbooks are created, and the service is opted in for, all relevant assets and users are eligible for action. For example, if the Azure AD Disable User playbook is configured for proactive response, and a domain admin account is showing indications of compromise, the account is disabled.
| Cloud Response Actions | |||||
|---|---|---|---|---|---|
| Azure Active Directory | Disable User | Enable User | Force Password Reset | ||
| Amazon Web Services | Disable User | Enable User | Disable User Access Key | Enable User Access Key | Disable User MFA Device |
To take advantage of ManagedXDR Proactive Response Actions that can be performed in your environment when deemed necessary by an ManagedXDR analyst, you must configure and maintain supported connectors and playbooks and then authorize Proactive Response Actions in XDR. These actions are available only to ManagedXDR customers.
Connector and Connection ⫘
In Automation, a connector is the definition that defines how XDR communicates with external IT tools, allowing a playbook to execute API calls that are published by a vendor.
A connection is an instance of a connector that you configure. The connection provides the method that XDR uses to authenticate to an IT tool within your environment, as well as the URL it should authenticate to.
For ManagedXDR, you must configure a connection specific to the supported endpoint agents in your environment for any response actions that you may want to take in XDR, or for any actions that you want ManagedXDR analysts to perform on your behalf. Secureworks technologies (Taegis™ XDR Endpoint Agent, Red Cloak™ Endpoint Agent, and Secureworks® Managed iSensor®) do not require a connection to be configured for automation playbooks, as these are configured automatically.
For more information about configuring connections, see Create a New Connection.
Playbook ⫘
In Automation, a playbook defines what actions to take and when to take them using one or more configured connections. This allows actions to be performed in your environment automatically based on your configuration. Playbooks are defined through playbook templates, some of which are provided by Secureworks, and some of which may be defined by your organization.
Configuring playbooks allows Proactive Response Actions to be performed in your environment when deemed necessary by an ManagedXDR analyst.
For ManagedXDR, you must configure a playbook specific to the supported endpoint agents in your environment for the actions you want a ManagedXDR analyst to take, such as host isolation, or for automated actions, such as creating a ServiceNow ticket once primary findings are added to an Investigation. Detailed examples are available for Endpoint, Cloud, and Network.
For more information about configuring playbooks, see Create a New Playbook.