Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Proactive Response Actions Overview


Threat Response

Threat response actions are inherent in XDR and analysts use these actions to respond to investigations for Threats deemed critical. Threat response actions include the following:

Secureworks analysts are required to obtain explicit permission from you (the customer) before conducting the actions listed above.

Proactive Response

For proactive response, after you configure and authorize Proactive Response Actions, Secureworks will not contact you before conducting the specified, authorized actions (i.e., proactively acting on your behalf).

Authorizing Proactive Response Actions saves valuable time, especially if your designated security contacts are unavailable when we attempt to contact them, because we do not have to wait to act on your behalf. Isolation related Proactive response also enables you to indicate the specific assets for which you want us to conduct proactive actions.

Proactive Response Actions enable ManagedXDR analysts to act on your behalf on assets without first notifying you and waiting for a response, which could otherwise delay critical actions taking place in a timely manner. Analysts perform response actions after an Investigation for a threat deemed critical has been analyzed. Examples of critical threats include, but are not limited to, the following:

Currently available Proactive Response Actions include:

Network Response Actions
iSensor IP Block Remove IP Block
Endpoint Response Actions
Taegis Isolate Host** Restore Host**
Red Cloak Isolate Host** Restore Host**
Carbon Black Isolate Host** Restore Host**
Crowdstrike Isolate Host** Restore Host**
Defender Isolate Host** Restore Host**
SentinelOne Isolate Host** Restore Host**

Granular Exclusion Capabilities


Currently, only host isolation and restoration proactive response actions allow for granular filtering of assets (opting assets in/out via tagging). When other proactive response playbooks are created, and the service is opted in for, all relevant assets and users are eligible for action. For example, if the Azure AD Disable User playbook is configured for proactive response, and a domain admin account is showing indications of compromise, the account is disabled.

Cloud Response Actions
Azure Active Directory Disable User Enable User Force Password Reset
Amazon Web Services Disable User Enable User Disable User Access Key Enable User Access Key Disable User MFA Device

To take advantage of ManagedXDR Proactive Response Actions that can be performed in your environment when deemed necessary by an ManagedXDR analyst, you must configure and maintain supported connectors and playbooks and then authorize Proactive Response Actions in Taegis™ XDR. These actions are available only to ManagedXDR customers.

Connector and Connection

In Automation, a connector is the definition that defines how Secureworks® Taegis™ XDR communicates with external IT tools, allowing a playbook to execute API calls that are published by a vendor.

A connection is an instance of a connector that you configure. The connection provides the method that Secureworks® Taegis™ XDR uses to authenticate to an IT tool within your environment, as well as the URL it should authenticate to.

For ManagedXDR, you must configure a connection specific to the supported endpoint agents in your environment for any response actions that you may want to take in Taegis™ XDR, or for any actions that you want ManagedXDR analysts to perform on your behalf. Secureworks technologies (Taegis™ XDR Endpoint Agent, Red Cloak™ Endpoint Agent, and Managed iSensor™) do not require a connection to be configured for automation playbooks, as these are configured automatically.

For more information about configuring connections, see Create a New Connection.


In Automation, a playbook defines what actions to take and when to take them using one or more configured connections. This allows actions to be performed in your environment automatically based on your configuration. Playbooks are defined through playbook templates, some of which are provided by Secureworks, and some of which may be defined by your organization.

Configuring playbooks allows Proactive Response Actions to be performed in your environment when deemed necessary by an ManagedXDR analyst.

For ManagedXDR, you must configure a playbook specific to the supported endpoint agents in your environment for the actions you want a ManagedXDR analyst to take, such as host isolation, or for automated actions, such as creating a ServiceNow ticket once primary findings are added to an Investigation. Detailed examples are available for Endpoint, Cloud, and Network.

For more information about configuring playbooks, see Create a New Playbook.


On this page: