Proactive Response Naming Convention
Although in Secureworks® Taegis™ XDR you can give actions any name you want in your environment, Proactive Response Actions require use of a specific naming convention so that Secureworks® Taegis™ ManagedXDR analysts can recognize the action quickly, clearly, and consistently. The matrix below prescribes the approved naming convention for each response action:
Proactive Response Action | Naming Convention |
---|---|
Taegis Agent Host Isolation | MXDR_ISOLATE |
Red Cloak Host Isolation | MXDR_ISOLATE |
Carbon Black Host Isolation | MXDR_ISOLATE |
Crowdstrike Host Isolation | MXDR_ISOLATE |
Microsoft Defender ATP Host Isolation | MXDR_ISOLATE |
SentinelOne Host Isolation | MXDR_ISOLATE |
Taegis Agent Host Restoration | MXDR_RESTORE |
Red Cloak Host Restoration | MXDR_RESTORE |
Carbon Black Host Restoration | MXDR_RESTORE |
Crowdstrike Host Restoration | MXDR_RESTORE |
Microsoft Defender ATP Host Restoration | MXDR_RESTORE |
SentinelOne Host Restoration | MXDR_RESTORE |
iSensor IP Block | M_iSensorBlock |
iSensor Remove IP Block | M_iSensorUnBlock |
Azure AD Disable User | M_DISUSER |
Azure AD Enable User | M_ENUSER |
Azure AD Force Password Reset | M_PASSRESET |
AWS Disable User Login | M_AWSdisuser |
AWS Enable User Login | M_AWSenuser |
AWS Disable User Access Key | M_AWSAccessKeyDis |
AWS Enable User Access Key | M_AWSAccessKeyEn |
AWS Disable User MFA Device | M_AWSmfaDis |
This format indicates to the ManagedXDR analyst that the requested action is specific to Proactive Response Actions.
See below for detailed examples of various playbook configurations.
Authorize Proactive Response Actions in XDR
After you have configured the required playbooks for Proactive Response Actions, a user in the Tenant Manager role must now authorize Proactive Response Actions to enable this feature. To authorize Proactive Response Actions, follow these steps:
- Select Tenant Settings > Subscriptions from the left-hand navigation menu in XDR.
- Toggle the Proactive Response Actions button to indicate Authorized.
- Choose Authorize to confirm your action.
Important
If you have not yet configured the required playbooks but toggle the Proactive Response Actions button to Authorized, then our analysts will not be able to take actions on your behalf, as the actions must be defined using playbooks.
If you have completed all the required steps, the following appears under Tenant Settings > Subscriptions:
- Authorized Proactive Response Actions
- Configured Proactive Response Actions (playbooks)
At this point, ManagedXDR analysts can take actions on your specified assets based on the playbooks you created.