Taking Action on Threats
Execute response actions to contain and remediate security threats.
Every action except ticket creation can be rolled back within its rollback window, and every action is recorded in a complete audit trail for compliance.
Response Actions Overview
CastellanAI provides automated and manual response actions to quickly contain threats and minimize damage.
| Capability | Description |
|---|---|
| AI-Suggested Actions | AI analyzes threats and suggests appropriate responses |
| Manual Execution | Security teams can manually trigger actions |
| Rollback Support | Undo actions within the rollback window |
| Audit Trail | Complete logging of all actions taken |
Available Response Actions
- 🚫 Block IP
- 🔒 Isolate Host
- 📦 Quarantine File
- 👁️ Add to Watchlist
- 🎫 Create Ticket
Block IP Address
Immediately block malicious IP addresses at the firewall level.
Common Uses:
- Brute force attacks from external IPs
- Command & control server communications
- Data exfiltration attempts
- Port scanning and reconnaissance
Rollback Window: 24 hours
IP blocks are applied at the network perimeter, so they do not affect traffic between internal hosts. Containing an internal address requires host-level or internal segmentation controls (for example, host isolation) in addition to, or instead of, a perimeter block.
Isolate Host
Disconnect a compromised endpoint from the network to prevent lateral movement.
Common Uses:
- Confirmed malware infections
- Ransomware detection
- Suspected lateral movement
- Privilege escalation attempts
Rollback Window: 48 hours
Host isolation cuts the endpoint off from the network entirely, so any service it provides becomes unavailable for the duration. Coordinate with stakeholders before executing.
Quarantine File
Move suspicious files to a secure quarantine location for analysis.
Common Uses:
- Malware file detection
- Suspicious PowerShell scripts
- Trojan or backdoor executables
- Potentially unwanted programs (PUPs)
Rollback Window: 7 days
Add to Watchlist
Monitor suspicious entities with enhanced logging and alerting.
Common Uses:
- Suspicious user accounts
- Known threat actor IPs
- Compromised credentials
- High-risk endpoints
Rollback Window: 30 days
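What "enhanced logging and alerting" for a watchlisted entity looks like in practice, as an added example (not CastellanAI code): every log record that involves a watchlisted user, source IP or host is raised as an alert, and entries age out after the 30-day window. The entry fields, log record keys, expiry rule and all sample data are assumptions constructed for the example.

```python
"""Watchlist matching over log records. Added example, not CastellanAI code;
entry fields, log record layout, expiry rule and all sample data are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WATCHLIST_TTL = timedelta(days=30)  # the 30-day window from the text


@dataclass(frozen=True)
class WatchEntry:
    kind: str        # "user", "ip" or "host"
    value: str
    reason: str      # analyst's note, carried into every alert for context
    added_at: datetime

    def is_active(self, now: datetime) -> bool:
        return now - self.added_at <= WATCHLIST_TTL


# Which record key carries each entity kind (assumed log layout).
RECORD_KEYS = {"user": "user", "ip": "src_ip", "host": "host"}


def match_events(watchlist: list[WatchEntry], records: list[dict], now: datetime) -> list[dict]:
    """One alert per (record, matching active entry); expired entries are ignored."""
    active = {(e.kind, e.value): e for e in watchlist if e.is_active(now)}
    alerts = []
    for rec in records:
        for kind, key in RECORD_KEYS.items():
            entry = active.get((kind, rec.get(key)))
            if entry is not None:
                alerts.append({"ts": rec["ts"], "entity": f"{kind}:{entry.value}",
                               "reason": entry.reason, "event": rec["event"]})
    return alerts


NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed watchlist: one fresh entry per kind plus one that has expired.
WATCHLIST = [
    WatchEntry("user", "svc-backup", "credentials seen in phishing dump", NOW - timedelta(days=3)),
    WatchEntry("ip", "203.0.113.77", "known threat actor infrastructure", NOW - timedelta(days=10)),
    WatchEntry("host", "WS-0142", "prior malware detection", NOW - timedelta(days=20)),
    WatchEntry("ip", "198.51.100.9", "old scanner, entry expired", NOW - timedelta(days=31)),
]

# Constructed log records, not real telemetry.
RECORDS = [
    {"ts": "2024-03-01T08:00:00Z", "event": "logon", "user": "svc-backup", "src_ip": "10.0.0.5", "host": "WS-0142"},
    {"ts": "2024-03-01T08:05:00Z", "event": "logon", "user": "alice", "src_ip": "203.0.113.77", "host": "WS-0200"},
    {"ts": "2024-03-01T08:10:00Z", "event": "portscan", "user": None, "src_ip": "198.51.100.9", "host": "FW-1"},
    {"ts": "2024-03-01T08:15:00Z", "event": "logon", "user": "bob", "src_ip": "10.0.0.9", "host": "WS-0300"},
]


def demo() -> list[dict]:
    return match_events(WATCHLIST, RECORDS, NOW)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The first record produces two alerts (watchlisted user and watchlisted host), the second one alert on the source IP, and the port scan from 198.51.100.9 produces none because that entry passed its 30-day window; removing the entry when the window closes is what "Enhanced monitoring removed" in the rollback table amounts to.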
Create Incident Ticket
Automatically create tickets in your ticketing system.
Common Uses:
- Medium/High severity events requiring investigation
- Policy violations
- Compliance incidents
- Security audit findings
Rollback Window: N/A (ticket remains for audit)
How to Execute Actions
- 📋 From Event Details
- 🔔 From Alerts
- ⚙️ Manual Execution
From Event Details
- Navigate to Dashboard → Events
- Click on any security event to view details
- Review AI-suggested actions in "Recommended Actions"
- Click Execute on the desired action
- Confirm execution in the dialog
From Alert Notifications
- Receive alert via Teams/Slack/Email
- Click the "View Details" link in the alert
- Review event context and suggested actions
- Execute appropriate response action
Manual Action Execution
- Navigate to Dashboard → Actions
- Click "New Action" button
- Select action type and enter required parameters
- Review and execute
Manual execution allows targeting specific entities not linked to a security event.
Action Lifecycle
| Stage | Description |
|---|---|
| 1. Suggested | AI analyzes the threat and suggests appropriate actions |
| 2. Pending | Action queued for execution, awaiting confirmation |
| 3. Executed | Action successfully executed, state captured for rollback |
| 4. Rolled Back | Action undone within the rollback window |
Rollback Windows
| Action Type | Rollback Window | Notes |
|---|---|---|
| Block IP | 24 hours | Network rules removed |
| Isolate Host | 48 hours | Endpoint reconnected |
| Quarantine File | 7 days | File restored to original location |
| Add to Watchlist | 30 days | Enhanced monitoring removed |
| Create Ticket | N/A | Ticket remains for audit trail |
🔄 How to Rollback an Action
- Navigate to Dashboard → Actions
- Find the executed action in the list
- Click "Rollback" button (if within window)
- Confirm rollback in the dialog
- Action will be reversed and logged
Rollback undoes the action itself, not everything that happened afterwards. For example, if a quarantined file is restored by rollback and the malware then executes, that execution cannot be reversed, and the original quarantine cannot be rolled back a second time. Re-check the event context before rolling back a containment action.
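The lifecycle table and the rollback-window table above, together with the perimeter caveat under "Block IP Address", describe a small state machine. The following is an added example that models it (not CastellanAI code): stage transitions Suggested to Pending to Executed to Rolled Back, a pre-action snapshot captured at execution, an append-only audit trail, a rollback check that enforces each action's window, and a Block IP precondition that rejects internal addresses because a perimeter rule would not apply to them. The stage names, field names, the choice of internal ranges and the scenario values are all assumptions.

```python
"""Model of the action lifecycle (Suggested -> Pending -> Executed -> Rolled Back) with
per-action rollback windows, an audit trail and the Block IP perimeter check.
Added example, not CastellanAI code; every name and value here is an assumption."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Windows from the Rollback Windows table; None means the action is never undone.
ROLLBACK_WINDOWS = {
    "block_ip": timedelta(hours=24), "isolate_host": timedelta(hours=48),
    "quarantine_file": timedelta(days=7), "add_to_watchlist": timedelta(days=30),
    "create_ticket": None,
}

# Ranges a perimeter firewall never sees (RFC 1918, loopback, link-local, IPv6 equivalents).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)

@dataclass
class Action:
    action_type: str
    target: str
    stage: str = "suggested"                            # suggested/pending/executed/rolled_back
    executed_at: datetime | None = None
    previous_state: dict = field(default_factory=dict)  # snapshot taken at execution
    audit: list = field(default_factory=list)           # append-only, never pruned

    def log(self, now: datetime, event: str, **details) -> None:
        self.audit.append({"ts": now.isoformat(), "event": event, "stage": self.stage, **details})

def confirm(action: Action, now: datetime) -> None:
    """Analyst accepts the suggestion in the dialog: suggested -> pending."""
    if action.stage != "suggested":
        raise RuntimeError(f"cannot confirm from stage {action.stage}")
    action.stage = "pending"
    action.log(now, "confirmed")

def execute(action: Action, now: datetime, current_state: dict) -> None:
    """pending -> executed; the pre-action state is captured so rollback can restore it."""
    if action.stage != "pending":
        raise RuntimeError(f"cannot execute from stage {action.stage}")
    if action.action_type == "block_ip" and is_internal(action.target):
        action.log(now, "rejected", reason="internal address; perimeter block is a no-op")
        raise ValueError(f"{action.target} is internal; use host-level controls instead")
    action.previous_state = dict(current_state)
    action.stage, action.executed_at = "executed", now
    action.log(now, "executed", snapshot=action.previous_state)

def can_rollback(action: Action, now: datetime) -> tuple[bool, str]:
    """Rollback is allowed only from executed and only inside the action's window."""
    if action.stage != "executed":
        return False, f"stage is {action.stage}, not executed"
    window = ROLLBACK_WINDOWS[action.action_type]
    if window is None:
        return False, "action has no rollback window"
    if now - action.executed_at > window:
        return False, f"rollback window of {window} has expired"
    return True, "ok"

def rollback(action: Action, now: datetime) -> dict:
    """executed -> rolled_back; returns the captured state for the caller to restore."""
    ok, reason = can_rollback(action, now)
    if not ok:
        raise RuntimeError(reason)
    action.stage = "rolled_back"
    action.log(now, "rolled_back", restored=action.previous_state)
    return action.previous_state

def demo() -> dict:
    """Constructed scenario: window check, perimeter check, file restore, ticket."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    block, internal = Action("block_ip", "203.0.113.10"), Action("block_ip", "10.0.0.5")
    quarantine, ticket = Action("quarantine_file", "invoice.exe"), Action("create_ticket", "INC-1001")
    for a in (block, internal, quarantine, ticket):
        confirm(a, t0)
    execute(block, t0, {"rule": None})
    execute(quarantine, t0, {"path": "/home/user/invoice.exe"})
    execute(ticket, t0, {})
    try:
        execute(internal, t0, {})
    except ValueError:
        pass  # logged as "rejected"; the action stays pending
    restored = rollback(quarantine, t0 + timedelta(days=6))
    return {
        "block_in_window": can_rollback(block, t0 + timedelta(hours=23))[0],
        "block_expired": can_rollback(block, t0 + timedelta(hours=25))[0],
        "internal_rejected": internal.audit[-1]["event"] == "rejected",
        "restored_path": restored["path"],
        "quarantine_audit": [e["event"] for e in quarantine.audit],
        "ticket_rollback": can_rollback(ticket, t0)[0],
    }
```

Two design points carry over to any real implementation: the snapshot is taken before the action runs, never reconstructed afterwards, and the audit list is only appended to, so a rolled-back action still shows its execution record rather than disappearing. The Block IP precondition is an illustration of the perimeter caveat, not a claim about how CastellanAI validates targets.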
Best Practices
| Practice | Description |
|---|---|
| Review Event Context | Always review full event details before executing |
| Start Less Disruptive | Begin with watchlist before escalating to isolation |
| Use Rollback Windows | Actions can be undone only within their window; verify a block or isolation was correct before the window closes |
| Document Decisions | Add notes explaining your rationale |
| Monitor Results | Verify execution status in Actions dashboard |
⚠️ Common Mistakes to Avoid
| Mistake | Impact | Solution |
|---|---|---|
| Isolating without stakeholder notice | Business disruption | Coordinate before critical actions |
| Blocking IP without investigating | May block legitimate traffic | Review context first |
| Ignoring rollback windows | Action becomes permanent once the window closes | Decide whether to keep or reverse the action before its window expires |
| Skipping documentation | Compliance gaps | Always add action notes |
What's Next?
| Guide | Description |
|---|---|
| Incident Workflows | Create automated incident response workflows |
| Investigating Events | Security event investigation techniques |
| Threat Remediation | Complete threat removal procedures |
| Generating Reports | Document your response actions |