Active Response: Overview

What is Active Response?

Active Response automatically and manually stops threats in your environment based on your selected response policy. It reduces response times, limits damage, and helps secure systems before threats escalate, without requiring manual intervention for every alert.

  • What it does: Blocks, isolates, or remediates threats in real time
  • How it works: Policies control how aggressively actions are taken
  • Default setting: Balanced (recommended for most organizations)
  • Key benefit: Reduces response time and limits damage without manual effort


This article covers the following topics: 



Why it matters

Instead of only alerting you to threats, Active Response:

  • Stops malicious activity in real time
  • Reduces reliance on manual response
  • Aligns protection with your risk tolerance


Active Response applies to:

  • Endpoint devices (process-level actions)
  • Cloud services (e.g., locking compromised accounts in Microsoft 365 or Google Workspace)


How Active Response Works

When a threat is detected:

  1. Your response policy determines how aggressively to act
  2. Field Effect analysts and/or automation takes action
  3. The threat is contained, blocked, or remediated.


See Configuring Active Response to set up your response policy and enable it for cloud services.


Response Actions

Response actions are the steps taken to eliminate threats or reduce risk. These actions vary depending on the environment and the nature of the threat. See Response Actions: Overview to learn more. 


Endpoint Actions:

  • Isolate a device from the network
  • Terminate malicious processes
  • Block execution of suspicious files
  • Prevent communication with malicious domains


Cloud Actions:

  • Lock compromised user accounts
  • Restrict access to cloud services (e.g., Microsoft 365, Google Workspace)
  • Block suspicious login activity


Automated vs. Analyst-Initiated Actions:

  • Automated: Triggered automatically for high-confidence threats
  • Analyst-Initiated: Performed by security analysts based on investigation and context


The actions taken depend on your selected response policy and the severity of the threat.


Choosing Your a Response Policy

Your response policy controls how aggressively Active Response acts. See Response Policies Overview for more.


See Configuring Active Response to set up your response policy.


Recommendation: Start with Balanced and adjust based on risk tolerance and business impact.

 

PolicyBest forBehavior
OffMonitoring onlyNo automated action; alerts only
LimitedLow disruption environmentsActs on high-confidence threats only
Balanced (Default)Most organizationsStrong protection with minimal disruption
AggressiveHigh-risk or active incidentsBroad and proactive blocking


Important Considerations

  1. Response actions can impact systems (e.g., isolating a device may cause downtime) [support.fi...effect.com]
  2. Critical systems can be excluded from policies
  3. Policies can be customized for your environment


Notifications

You can control whether end users are notified on their endpoint when they trigger response action:

  • Enable, disable, or customize notifications
  • Actions still occur even if notifications are off


What Happens After a Response Action is Triggered?

When a response action occurs:

  1. An ARO is generated
  2. The threat has already been mitigated or contained
  3. You should:
    1. Review the ARO details
    2. Confirm business impact
    3. Add exclusions if needed
    4. Follow up on remediation actions


Visit Working with AROs to learn more. 

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article