Introduction
Response policies define how the platform responds to detections and activity across endpoints, networks, and cloud environments. They help ensure consistent, timely, and appropriate action when threats or vulnerabilities are identified.
This article introduces the default response policies and explains how they influence both automated and analyst-driven actions.
Note: The descriptions below represent each response policy without exceptions or exclusions. Policies can be customized within the platform to better fit your environment.
If the DNS Firewall is enabled, known malicious domains and custom blocklist entries will be blocked regardless of your selected response policy.
This article covers the following:
How Response Policies Work
Response policies operate as part of the detection and response workflow:
- Activity is monitored across endpoint, network, and cloud sources
- A detection or anomaly is identified
- The response policy determines the appropriate action
- Action is taken automatically or manually by analysts
This allows you to balance security enforcement and Operational impact.
Response policy levels
Each policy defines how aggressively the platform responds to potential threats.
Off (Default)
The platform monitors your environment and generates alerts, but no response actions are taken.
- Passive monitoring only
- Threats and vulnerabilities are reported via AROs
- No automated or analyst-initiated intervention
Best for:
- Visibility without enforcement
- Highly sensitive environments where disruption must be avoided
Limited
Enables analyst-driven active response in confirmed or high-confidence scenarios.
- Responses are manually initiated by analysts
- Strong consideration is given to:
- Infrastructure type (server vs. desktop)
- Business impact (vulnerability vs. active threat)
Example actions:
- Isolating an infected host
- Blocking known malicious processes
- Locking a cloud account showing strong signs of compromise
Best for:
- Organizations that want controlled, human-reviewed intervention.
Balanced (Recommended)
Extends Limited policy capabilities with broader response coverage, including more automated actions.
- Combines analyst judgment + expanded response actions
- Still considers infrastructure and business impact
Example actions:
- Isolating compromised servers
- Automatically locking high-risk cloud accounts
- Blocking suspicious activity across hosts and networks
Best for:
- Most environments
- Balance between protection and operational stability
Aggressive
Maximizes protection by blocking or restricting activity wherever it appears suspicious.
- Prioritizes security over operational impact
- Lower threshold for triggering response actions
Example actions:
- Blocking anomalous processes and behavior
- Locking accounts suspected of compromise
- Restricting or disabling commonly abused tools:
PowerShell
- Remote administration tools (RATs)
Best for:
- High-risk environments
- Situations requiring rapid containment
Cloud Monitoring Considerations
Response policies extend to cloud-monitored activity, such as user access and service behavior. Active Response is
Policies may trigger based on:
- Suspicious logins
- API or service misuse
- Account compromise indicators
Cloud responses often prioritize:
- Account security actions (e.g., locking accounts)
- Alerting and escalation
Policy Categories
Detection policies are based on common attacker behaviors and are designed to protect against both known and unknown threats. Threat actors often operate across multiple categories, so overlapping protections provide stronger defense.
Key principle:
Focus is placed on blocking behaviors required for attacks, not just known malware—ensuring protection against emerging threats.
Core Protection Categories
The following protections are enabled by default (unless otherwise noted) and may trigger active responses depending on your response policy.
Endpoint Agent Protection (User selectable)
Prevents tampering with the endpoint agent.
Triggers:
- Attempting to stop or uninstall the agent
System Tampering Protection
Prevents weakening of system defenses.
Triggers:
- Disabling security software
- Lowering authentication settings
- Modifying certificates
Ransomware Protection
Detects behaviors associated with ransomware activity.
Triggers:
- Encryption attempts
- Backup deletion or tampering
- Suspicious ransomware tools or commands
Office Macros Protection
Defends against malicious document-based attacks.
Triggers:
- Macros executing unexpected processes
- Unauthorized file access behavior
Persistence Protection
Prevents malware from maintaining long-term access.
Triggers:
- Registry changes for auto-start
- Scheduled task modification
- Boot record tampering
Privilege Escalation Protection
Detects attempts to gain elevated access.
Triggers:
- Exploitation techniques
- Suspicious permission checks or commands
Propagation Protection
Stops lateral movement across systems.
Triggers:
- Remote command execution attempts
- Use of remote administration tools
- Web shell activity
General Malware Protection
Covers broad malicious behaviors across categories.
Triggers:
- Remote code execution
- Software injection or memory tampering
- Use of scripting tools (e.g., PowerShell)
- Known attacker tools (e.g., Mimikatz, Cobalt Strike)
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article