Response Policies: Overview

Introduction

Response policies define how the platform responds to detections and activity across endpoints, networks, and cloud environments. They help ensure consistent, timely, and appropriate action when threats or vulnerabilities are identified.


This article introduces the default response policies and explains how they influence both automated and analyst-driven actions.


Note: The descriptions below represent each response policy without exceptions or exclusions. Policies can be customized within the platform to better fit your environment.


If the DNS Firewall is enabled, known malicious domains and custom blocklist entries will be blocked regardless of your selected response policy.


This article covers the following: 


How Response Policies Work

Response policies operate as part of the detection and response workflow:


  1. Activity is monitored across endpoint, network, and cloud sources
  2. A detection or anomaly is identified
  3. The response policy determines the appropriate action
  4. Action is taken automatically or manually by analysts


This allows you to balance security enforcement and Operational impact. 


Response policy levels

Each policy defines how aggressively the platform responds to potential threats.


Off (Default)

The platform monitors your environment and generates alerts, but no response actions are taken.

  • Passive monitoring only
  • Threats and vulnerabilities are reported via AROs
  • No automated or analyst-initiated intervention


Best for: 

  • Visibility without enforcement
  • Highly sensitive environments where disruption must be avoided


Limited

Enables analyst-driven active response in confirmed or high-confidence scenarios.

  • Responses are manually initiated by analysts
  • Strong consideration is given to:
    • Infrastructure type (server vs. desktop)
    • Business impact (vulnerability vs. active threat)


Example actions:

  • Isolating an infected host
  • Blocking known malicious processes
  • Locking a cloud account showing strong signs of compromise


Best for: 

  • Organizations that want controlled, human-reviewed intervention. 


Balanced (Recommended)

Extends Limited policy capabilities with broader response coverage, including more automated actions.

  • Combines analyst judgment + expanded response actions
  • Still considers infrastructure and business impact


Example actions:

  • Isolating compromised servers
  • Automatically locking high-risk cloud accounts
  • Blocking suspicious activity across hosts and networks


Best for:

  • Most environments
  • Balance between protection and operational stability

Aggressive

Maximizes protection by blocking or restricting activity wherever it appears suspicious.

  • Prioritizes security over operational impact
  • Lower threshold for triggering response actions


Example actions:

  • Blocking anomalous processes and behavior
  • Locking accounts suspected of compromise
  • Restricting or disabling commonly abused tools:


PowerShell

  • Remote administration tools (RATs)


Best for:

  • High-risk environments
  • Situations requiring rapid containment


Cloud Monitoring Considerations

Response policies extend to cloud-monitored activity, such as user access and service behavior. Active Response is 

  • Policies may trigger based on:

    • Suspicious logins
    • API or service misuse
    • Account compromise indicators
  • Cloud responses often prioritize:

    • Account security actions (e.g., locking accounts)
    • Alerting and escalation

Policy Categories

Detection policies are based on common attacker behaviors and are designed to protect against both known and unknown threats. Threat actors often operate across multiple categories, so overlapping protections provide stronger defense.


Key principle:

Focus is placed on blocking behaviors required for attacks, not just known malware—ensuring protection against emerging threats.


Core Protection Categories

The following protections are enabled by default (unless otherwise noted) and may trigger active responses depending on your response policy.


Endpoint Agent Protection (User selectable)

Prevents tampering with the endpoint agent.


Triggers:

  • Attempting to stop or uninstall the agent


System Tampering Protection

Prevents weakening of system defenses.


Triggers:

  • Disabling security software
  • Lowering authentication settings
  • Modifying certificates


Ransomware Protection

Detects behaviors associated with ransomware activity.


Triggers:

  • Encryption attempts
  • Backup deletion or tampering
  • Suspicious ransomware tools or commands


Office Macros Protection

Defends against malicious document-based attacks.


Triggers:

  • Macros executing unexpected processes
  • Unauthorized file access behavior


Persistence Protection

Prevents malware from maintaining long-term access.


Triggers:

  • Registry changes for auto-start
  • Scheduled task modification
  • Boot record tampering


Privilege Escalation Protection

Detects attempts to gain elevated access.


Triggers:

  • Exploitation techniques
  • Suspicious permission checks or commands


Propagation Protection

Stops lateral movement across systems.


Triggers:

  • Remote command execution attempts
  • Use of remote administration tools
  • Web shell activity


General Malware Protection

Covers broad malicious behaviors across categories.


Triggers:

  • Remote code execution
  • Software injection or memory tampering
  • Use of scripting tools (e.g., PowerShell)
  • Known attacker tools (e.g., Mimikatz, Cobalt Strike)
















Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article