Taking Action on Threats
Execute response actions to contain and remediate security threats.
Response Actions Overview
CastellanAI provides automated and manual response actions to quickly contain threats and minimize damage. All actions include rollback capabilities and maintain a complete audit trail for compliance.
| Capability | Description |
|---|---|
| AI-Suggested Actions | AI analyzes threats and suggests appropriate response actions based on severity and context |
| Manual Execution | Security teams can manually trigger actions from event details or create custom response workflows |
Available Response Actions
Block IP Address
Immediately block malicious IP addresses at the firewall level to prevent further attacks.
Common Uses:
- Brute force attacks from external IPs
- Command & control server communications
- Data exfiltration attempts
- Port scanning and reconnaissance
Rollback Window: 24 hours
Isolate Endpoint
Disconnect a compromised endpoint from the network to prevent lateral movement and contain the threat.
Common Uses:
- Confirmed malware infections
- Ransomware detection
- Suspected lateral movement
- Privilege escalation attempts
Rollback Window: 48 hours
Quarantine File
Move suspicious files to a secure quarantine location for analysis while preventing execution.
Common Uses:
- Malware file detection
- Suspicious PowerShell scripts
- Trojan or backdoor executables
- Potentially unwanted programs (PUPs)
Rollback Window: 7 days
Add to Watchlist
Monitor suspicious entities (IPs, users, hosts) with enhanced logging and alerting for future activity.
Common Uses:
- Suspicious user accounts
- Known threat actor IPs
- Compromised credentials
- High-risk endpoints
Rollback Window: 30 days
Create Incident Ticket
Automatically create tickets in your ticketing system (Jira, ServiceNow) for incident tracking and resolution.
Common Uses:
- Medium/High severity events requiring investigation
- Policy violations
- Compliance incidents
- Security audit findings
Rollback Window: N/A (ticket remains for audit)
How to Execute Actions
From Event Details
1. Navigate to Dashboard -> Events
2. Click on any security event to view details
3. Review AI-suggested actions in the "Recommended Actions" section
4. Click "Execute" on the desired action
5. Confirm execution in the dialog
From Alert Notifications
1. Receive alert via Teams/Slack/Email
2. Click the "View Details" link in the alert
3. Review event context and suggested actions
4. Execute appropriate response action
Manual Action Execution
1. Navigate to Dashboard -> Actions
2. Click "New Action" button
3. Select action type and enter required parameters
4. Review and execute
Action Lifecycle
| Stage | Description |
|---|---|
| 1. Suggested | AI analyzes the threat and suggests appropriate actions based on severity and context |
| 2. Pending | Action is queued for execution and awaiting confirmation or automated trigger |
| 3. Executed | Action has been successfully executed on the target system. State is captured for potential rollback |
| 4. Rolled Back | Action can be undone within the rollback window if determined to be a false positive or no longer needed |
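The following Python model is an added illustration of the lifecycle stages in the table above together with the rollback windows listed under each response action. It is not CastellanAI code: the class names, the action-kind keys, the `capture` callback that snapshots a target's prior state, and the injectable clock are all assumptions made for the example. It enforces the legal stage transitions, refuses a rollback once the window has elapsed or when the action has no window (ticket creation), and keeps an append-only audit trail of who moved an action to which stage and why.

```python
"""Added example: a model of the CastellanAI action lifecycle (Suggested ->
Pending -> Executed -> Rolled Back) with per-action rollback windows and an
audit trail. Not product code; names and structure are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, List, Optional


class Stage(Enum):
    SUGGESTED = "suggested"
    PENDING = "pending"
    EXECUTED = "executed"
    ROLLED_BACK = "rolled_back"


# Rollback windows as documented on the page; None = not reversible
# (an incident ticket remains for audit).
ROLLBACK_WINDOWS: Dict[str, Optional[timedelta]] = {
    "block_ip": timedelta(hours=24),
    "isolate_endpoint": timedelta(hours=48),
    "quarantine_file": timedelta(days=7),
    "add_to_watchlist": timedelta(days=30),
    "create_ticket": None,
}

# Legal stage transitions; anything else is rejected.
TRANSITIONS = {
    Stage.SUGGESTED: {Stage.PENDING},
    Stage.PENDING: {Stage.EXECUTED},
    Stage.EXECUTED: {Stage.ROLLED_BACK},
    Stage.ROLLED_BACK: set(),
}


@dataclass
class AuditEntry:
    at: datetime
    action_id: str
    stage: Stage
    actor: str
    note: str


@dataclass
class ResponseAction:
    action_id: str
    kind: str      # key into ROLLBACK_WINDOWS
    target: str    # IP address, hostname, file path, user, ticket key, ...
    stage: Stage = Stage.SUGGESTED
    executed_at: Optional[datetime] = None
    captured_state: dict = field(default_factory=dict)  # snapshot taken at execution


class ActionLedger:
    """Moves actions through their lifecycle and enforces rollback windows."""

    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._now = now  # injectable clock so elapsed time can be simulated
        self.actions: Dict[str, ResponseAction] = {}
        self.audit: List[AuditEntry] = []

    def _transition(self, action: ResponseAction, new: Stage, actor: str, note: str) -> None:
        if new not in TRANSITIONS[action.stage]:
            raise ValueError(f"{action.action_id}: {action.stage.value} -> {new.value} not allowed")
        action.stage = new
        self.audit.append(AuditEntry(self._now(), action.action_id, new, actor, note))

    def suggest(self, action_id: str, kind: str, target: str, note: str = "") -> ResponseAction:
        if kind not in ROLLBACK_WINDOWS:
            raise ValueError(f"unknown action kind {kind!r}")
        action = ResponseAction(action_id, kind, target)
        self.actions[action_id] = action
        self.audit.append(AuditEntry(self._now(), action_id, Stage.SUGGESTED, "ai", note))
        return action

    def confirm(self, action_id: str, actor: str, note: str = "") -> None:
        self._transition(self.actions[action_id], Stage.PENDING, actor, note)

    def execute(self, action_id: str, actor: str, capture: Callable[[str], dict], note: str = "") -> None:
        action = self.actions[action_id]
        if action.stage is not Stage.PENDING:
            raise ValueError(f"{action_id}: cannot execute from stage {action.stage.value}")
        # Snapshot the target's prior state before changing it so a rollback can restore it.
        action.captured_state = capture(action.target)
        action.executed_at = self._now()
        self._transition(action, Stage.EXECUTED, actor, note)

    def rollback_deadline(self, action_id: str) -> Optional[datetime]:
        """Latest time a rollback is still accepted, or None if not eligible."""
        action = self.actions[action_id]
        window = ROLLBACK_WINDOWS[action.kind]
        if action.stage is not Stage.EXECUTED or window is None:
            return None
        return action.executed_at + window

    def rollback(self, action_id: str, actor: str, note: str = "") -> dict:
        """Undo an executed action inside its window; returns the state to restore."""
        deadline = self.rollback_deadline(action_id)
        if deadline is None:
            raise ValueError(f"{action_id}: not eligible for rollback")
        if self._now() > deadline:
            raise ValueError(f"{action_id}: rollback window expired at {deadline.isoformat()}")
        action = self.actions[action_id]
        self._transition(action, Stage.ROLLED_BACK, actor, note)
        return action.captured_state


if __name__ == "__main__":
    ledger = ActionLedger()
    # Constructed sample: an AI-suggested block of a documentation-range IP.
    ledger.suggest("act-1", "block_ip", "203.0.113.7", note="brute force from external IP")
    ledger.confirm("act-1", actor="analyst", note="confirmed in event details")
    ledger.execute("act-1", actor="analyst", capture=lambda ip: {"firewall_rule": None})
    print("rollback accepted until", ledger.rollback_deadline("act-1"))
    for entry in ledger.audit:
        print(entry.at.isoformat(), entry.action_id, entry.stage.value, entry.actor, entry.note)
```

The `note` arguments are where the "Document Your Decisions" practice lands: every transition carries the actor and rationale into the audit trail, and the `captured_state` snapshot is what makes a rollback within the window a restore rather than a guess.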
Best Practices
- Review Event Context - Always review the full event details and correlation data before executing actions
- Start with Less Disruptive Actions - Begin with watchlist additions before escalating to isolation or blocking
- Use Rollback Windows - Actions can be rolled back within their respective windows if needed
- Document Your Decisions - Add notes to actions explaining your rationale for compliance and future reference
- Monitor Action Results - Check the Actions dashboard to verify execution status and review any failures
What's Next?
- Incident Workflows - Learn how to create automated incident response workflows
- Investigating Events - Deep dive into security event investigation techniques
- Generating Reports - Create compliance reports documenting your response actions
Automated Response Playbooks
Configure automated response playbooks to execute actions immediately when specific threat patterns are detected. Reduce response time from minutes to seconds.