
Proactive Response Naming Convention


Although in Secureworks® Taegis™ XDR you can give actions any name you want in your environment, Proactive Response Actions require use of a specific naming convention so that Secureworks® Taegis™ ManagedXDR analysts can recognize the action quickly, clearly, and consistently. The matrix below prescribes the approved naming convention for each response action:

| Proactive Response Action | Naming Convention |
| --- | --- |
| Taegis Agent Host Isolation | MXDR_ISOLATE |
| Red Cloak Host Isolation | MXDR_ISOLATE |
| Carbon Black Host Isolation | MXDR_ISOLATE |
| Crowdstrike Host Isolation | MXDR_ISOLATE |
| Microsoft Defender ATP Host Isolation | MXDR_ISOLATE |
| SentinelOne Host Isolation | MXDR_ISOLATE |
| Taegis Agent Host Restoration | MXDR_RESTORE |
| Red Cloak Host Restoration | MXDR_RESTORE |
| Carbon Black Host Restoration | MXDR_RESTORE |
| Crowdstrike Host Restoration | MXDR_RESTORE |
| Microsoft Defender ATP Host Restoration | MXDR_RESTORE |
| SentinelOne Host Restoration | MXDR_RESTORE |
| iSensor IP Block | M_iSensorBlock |
| iSensor Remove IP Block | M_iSensorUnBlock |
| Azure AD Disable User | M_DISUSER |
| Azure AD Enable User | M_ENUSER |
| Azure AD Force Password Reset | M_PASSRESET |
| AWS Disable User Login | M_AWSdisuser |
| AWS Enable User Login | M_AWSenuser |
| AWS Disable User Access Key | M_AWSAccessKeyDis |
| AWS Enable User Access Key | M_AWSAccessKeyEn |
| AWS Disable User MFA Device | M_AWSmfaDis |

This format indicates to the ManagedXDR analyst that the requested action is specific to Proactive Response Actions.
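The following added example (not part of the Taegis documentation or any Secureworks code) audits a list of configured action names against the matrix above before Proactive Response Actions are authorized. It flags near-misses and names that belong to a different action, such as an isolation action carrying the restoration name. The input format, the function names, the verdict labels, and the exact-match comparison are assumptions made for this example.

```python
# Added example; function names and verdict labels are hypothetical.
EDRS = ["Taegis Agent", "Red Cloak", "Carbon Black", "Crowdstrike",
        "Microsoft Defender ATP", "SentinelOne"]
# Naming matrix from this page: response action -> required name.
CONVENTION = {f"{e} Host Isolation": "MXDR_ISOLATE" for e in EDRS}
CONVENTION.update({f"{e} Host Restoration": "MXDR_RESTORE" for e in EDRS})
CONVENTION.update({
    "iSensor IP Block": "M_iSensorBlock",
    "iSensor Remove IP Block": "M_iSensorUnBlock",
    "Azure AD Disable User": "M_DISUSER",
    "Azure AD Enable User": "M_ENUSER",
    "Azure AD Force Password Reset": "M_PASSRESET",
    "AWS Disable User Login": "M_AWSdisuser",
    "AWS Enable User Login": "M_AWSenuser",
    "AWS Disable User Access Key": "M_AWSAccessKeyDis",
    "AWS Enable User Access Key": "M_AWSAccessKeyEn",
    "AWS Disable User MFA Device": "M_AWSmfaDis",
})

def _fold(name):
    """Drop case and non-alphanumerics so near-misses compare equal."""
    return "".join(c for c in name.lower() if c.isalnum())

def verdict(action, name):
    expected = CONVENTION.get(action)
    if expected is None:
        return "unknown-action"
    if name == expected:            # assumption: names must match exactly
        return "ok"
    if _fold(name) == _fold(expected):
        return "near-miss"          # wrong case, spacing or separator
    if _fold(name) in map(_fold, CONVENTION.values()):
        return "wrong-action-name"  # a valid name, but for a different action
    return "nonconforming"

def audit(configured):
    """configured: (response_action, playbook_name) pairs -> list of findings."""
    return [(a, n, verdict(a, n), CONVENTION.get(a)) for a, n in configured]

# Constructed sample input, not exported from a real tenant.
SAMPLE = [
    ("Crowdstrike Host Isolation", "MXDR_ISOLATE"),
    ("Azure AD Disable User", "m_disuser "),
    ("AWS Disable User Login", "M_AWSenuser"),
    ("SentinelOne Host Restoration", "Restore host"),
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Each finding is a tuple of the response action, the configured name, the verdict, and the name the matrix requires.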

See below for detailed examples of various playbook configurations.

Authorize Proactive Response Actions in XDR

After you have configured the required playbooks for Proactive Response Actions, a user in the Tenant Manager role must now authorize Proactive Response Actions to enable this feature. To authorize Proactive Response Actions, follow these steps:

  1. Select Tenant Settings > Subscriptions from the left-hand navigation menu in XDR.
  2. Toggle the Proactive Response Actions button to indicate Authorized.
  3. Choose Authorize to confirm your action.

Authorize Proactive Response Actions

Important

If you have not yet configured the required playbooks but toggle the Proactive Response Actions button to Authorized, then our analysts will not be able to take actions on your behalf, as the actions must be defined using playbooks.

If you have completed all the required steps, the following appears under Tenant Settings > Subscriptions:

Authorized Proactive Response Actions

At this point, ManagedXDR analysts can take actions on your specified assets based on the playbooks you created.

 
