What is Active Response?
Active Response automatically and manually stops threats in your environment based on your selected response policy. It reduces response times, limits damage, and helps secure systems before threats escalate, without requiring manual intervention for every alert.
- What it does: Blocks, isolates, or remediates threats in real time
- How it works: Policies control how aggressively actions are taken
- Default setting: Balanced (recommended for most organizations)
- Key benefit: Reduces response time and limits damage without manual effort
This article covers the following topics:
- Why it matters
- How Active Response Works
- Choosing Your a Response Policy
- Endpoint and Cloud Coverage
- Notifications
- What Happens After a Response Action?
Why it matters
Instead of only alerting you to threats, Active Response:
- Stops malicious activity in real time
- Reduces reliance on manual response
- Aligns protection with your risk tolerance
Active Response applies to:
- Endpoint devices (process-level actions)
- Cloud services (e.g., locking compromised accounts in Microsoft 365 or Google Workspace)
How Active Response Works
When a threat is detected:
- Your response policy determines how aggressively to act
- Field Effect analysts and/or automation takes action
- The threat is contained, blocked, or remediated.
See Configuring Active Response to set up your response policy and enable it for cloud services.
Response Actions
Response actions are the steps taken to eliminate threats or reduce risk. These actions vary depending on the environment and the nature of the threat. See Response Actions: Overview to learn more.
Endpoint Actions:
- Isolate a device from the network
- Terminate malicious processes
- Block execution of suspicious files
- Prevent communication with malicious domains
Cloud Actions:
- Lock compromised user accounts
- Restrict access to cloud services (e.g., Microsoft 365, Google Workspace)
- Block suspicious login activity
Automated vs. Analyst-Initiated Actions:
- Automated: Triggered automatically for high-confidence threats
- Analyst-Initiated: Performed by security analysts based on investigation and context
The actions taken depend on your selected response policy and the severity of the threat.
Choosing Your a Response Policy
Your response policy controls how aggressively Active Response acts. See Response Policies Overview for more.
See Configuring Active Response to set up your response policy.
Recommendation: Start with Balanced and adjust based on risk tolerance and business impact.
| Policy | Best for | Behavior |
|---|---|---|
| Off | Monitoring only | No automated action; alerts only |
| Limited | Low disruption environments | Acts on high-confidence threats only |
| Balanced (Default) | Most organizations | Strong protection with minimal disruption |
| Aggressive | High-risk or active incidents | Broad and proactive blocking |
Important Considerations
- Response actions can impact systems (e.g., isolating a device may cause downtime) [support.fi...effect.com]
- Critical systems can be excluded from policies
- Policies can be customized for your environment
Notifications
You can control whether end users are notified on their endpoint when they trigger response action:
- Enable, disable, or customize notifications
- Actions still occur even if notifications are off
What Happens After a Response Action is Triggered?
When a response action occurs:
- An ARO is generated
- The threat has already been mitigated or contained
- You should:
- Review the ARO details
- Confirm business impact
- Add exclusions if needed
- Follow up on remediation actions
Visit Working with AROs to learn more.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article