Response action descriptions

Arctic Wolf® Active Response includes these response actions.

Contain a host/Remove from containment

Containing a host isolates a device from a network. Depending on the integration, this may include preventing the device from communicating externally or with other devices on the network. Lifting containment, once safe, reintegrates the device into the network.

Quarantine a file/Remove from quarantine

Quarantining a file renames it with a quarantine extension and moves it to a protected quarantine folder. Removing the file from quarantine restores its original extension and location.

Disable/Enable a user

Disabling a user account prevents a user from being able to sign in. Depending on the integration, it may close active sessions. Enabling a user restores authentication abilities.

Close user connections

This action signs the user out and revokes all active sessions.

Add/Remove a user from a security group

These actions add a user to, or remove a user from, a particular security group, and with it grant or revoke the access that group confers. Security groups often control access to resources, systems, and applications within an organization.

Generally, removing a user from a group restricts access to organizational assets. The reverse applies where Microsoft Entra ID Conditional Access policies are scoped to a group: if such a policy is configured, adding a user to the targeted group restricts that user's access to cloud-based organizational assets.

Force a password reset

This action forces a password reset, which invalidates potentially compromised credentials and prompts a user to create a new password.
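The four identity actions above (disable a user, close user connections, change security-group membership, force a password reset) correspond to ordinary directory operations. As an added example, not Arctic Wolf's code, the script below carries out the same sequence by hand against Microsoft Entra ID using the Microsoft Graph PowerShell SDK. The user principal name, group IDs and permission scopes are placeholders; check which scopes your tenant's roles actually need before running it.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups
# Added example (not Arctic Wolf's code): manual equivalent of the identity response actions
# described above, run against Microsoft Entra ID with the Microsoft Graph PowerShell SDK.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # placeholder, e.g. 'jdoe@example.com'
    [string] $RemoveFromGroupId,                          # placeholder: group that grants access to revoke
    [string] $BlockGroupId                                # placeholder: group targeted by a blocking Conditional Access policy
)

# Scopes are illustrative; trim them to the least set your tenant actually requires.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All', 'GroupMember.ReadWrite.All' -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled

# Disable a user: blocks new sign-ins. It does NOT by itself end sessions that already hold tokens.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Close user connections: invalidates refresh tokens and browser session cookies.
# Access tokens already issued stay valid until they expire (roughly an hour by default),
# so the sign-out is not instantaneous for every client.
$null = Revoke-MgUserSignInSession -UserId $user.Id

# Remove from a security group that confers access.
if ($RemoveFromGroupId) {
    Remove-MgGroupMemberByRef -GroupId $RemoveFromGroupId -DirectoryObjectId $user.Id
}

# Add to a group targeted by a blocking Conditional Access policy (restricts cloud access).
if ($BlockGroupId) {
    New-MgGroupMember -GroupId $BlockGroupId -DirectoryObjectId $user.Id
}

# Force a password reset: a random temporary password invalidates the possibly compromised one,
# and ForceChangePasswordNextSignIn makes the user choose a new one when the account is re-enabled.
# The temporary value is deliberately not printed; set a known one out of band at re-enable time.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)   # assumed to satisfy the tenant's complexity policy
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# Verify: the account is disabled and the sessions-valid-from timestamp has moved to now,
# which is the check that the revocation actually took effect.
$check = Get-MgUser -UserId $user.Id -Property AccountEnabled, SignInSessionsValidFromDateTime
[pscustomobject]@{
    User              = $user.UserPrincipalName
    AccountEnabled    = $check.AccountEnabled
    SessionsValidFrom = $check.SignInSessionsValidFromDateTime
}
```

The order matters: disabling first stops new sign-ins, the revocation then cuts off refresh of existing sessions, and the group and password changes remove what a still-live access token could reach once it expires. Re-enabling the account later (the "Enable a user" action) leaves the forced password change in place.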

Delete a malicious email

Depending on the integration, this action:
  • Abnormal Security — Remediates all emails based on a threat ID. If multiple emails are associated with a single threat ID, all instances are moved to the Junk or Deleted Items folder, depending on your organization's remediation policy.
  • Microsoft 365 — Sends a request to the email client to move an email to either the Junk or Deleted Items folder for a specific user, based on the response action taken. This action only applies to the email that prompted the eligible incident.
  • Mimecast — Deletes an email based on its message ID. If an email is sent to multiple people in the organization using the same message ID, each instance of the email is deleted.

Add a malicious IP address to a denylist

This action places an IP address on a denylist, allowing a firewall to block the IP address from accessing the network.

Block a malicious URL

This action places a URL on a denylist for a secure web gateway, preventing all users in your organization from accessing that web address.