TDR Indicator Actions and Outcomes

The Indicators page shows a list of indicators with status information and requested actions. For each indicator, you can see these actions and outcomes:

TDR Action Requested

The Action Requested column indicates the action recommended by TDR for an indicator from a Host Sensor. The available actions are:

Mark as Externally Remediated

Select this action if you have already remediated the threat on the system itself, for example by manually removing the file or ending the process specified in the indicator.

Delete Registry Value

Select this action to make the Host Sensor delete the registry value for the file or process specified in the indicator. This action deletes the registry value that references a malicious file.

Kill Process

Select this action to make the Host Sensor end the process specified in the indicator. This action applies to URL Match, Process, or Host Ransomware Prevention indicators. After the Host Sensor identifies the communication port, the Host Sensor ends the process that supports communication to the network port.

Quarantine File

Select this action to make the Host Sensor quarantine the file specified in the indicator. This action uses XOR to encrypt the content of a file so the file is not executable. The quarantined file remains on the host for the number of days specified in the Age Off For Quarantined Files setting. For more information, see Configure the Age Off For Quarantined Files.

If the Host Sensor quarantines a file, and you later decide the file is not a threat, you can go to the Hosts page to remove the file from quarantine. For more information, see Remove a File from Quarantine.
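The following is an added illustration of the quarantine mechanism described above (XOR-transform the file so it cannot execute, keep it for an age-off period, and allow a later restore). It is not the WatchGuard Host Sensor's code: the single-byte key, the quarantine directory layout, the JSON sidecar record and the function names are all assumptions made for the example.

```python
# Illustrative quarantine-by-XOR with age-off and restore.
# Not WatchGuard's code; key, directory layout and record format are assumed.
import hashlib
import json
import os
import time
from pathlib import Path
from typing import List, Optional

# Constructed single-byte XOR key. The goal is to break executability of the
# stored copy, not confidentiality, so a short key is enough for the example.
XOR_KEY = b"\x5a"
DAY_SECONDS = 86400


def xor_transform(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR is its own inverse, so one function both quarantines and restores."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def quarantine_file(path: str, quarantine_dir: str, now: Optional[float] = None) -> dict:
    """Move a file into quarantine as <md5>.quar plus a JSON sidecar record."""
    src = Path(path)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    data = src.read_bytes()
    # MD5 is the same hash the page uses to key whitelist signature overrides.
    digest = hashlib.md5(data).hexdigest()
    record = {
        "original_path": str(src.resolve()),
        "md5": digest,
        "quarantined_at": now if now is not None else time.time(),
    }
    (qdir / f"{digest}.quar").write_bytes(xor_transform(data))
    (qdir / f"{digest}.json").write_text(json.dumps(record))
    src.unlink()  # only the non-executable copy remains on the host
    return record


def restore_file(digest: str, quarantine_dir: str) -> str:
    """Undo a quarantine; refuse if the stored copy no longer matches its MD5."""
    qdir = Path(quarantine_dir)
    record = json.loads((qdir / f"{digest}.json").read_text())
    data = xor_transform((qdir / f"{digest}.quar").read_bytes())
    if hashlib.md5(data).hexdigest() != record["md5"]:
        raise ValueError("quarantined copy does not match the recorded MD5")
    dest = Path(record["original_path"])
    dest.write_bytes(data)
    (qdir / f"{digest}.quar").unlink()
    (qdir / f"{digest}.json").unlink()
    return str(dest)


def age_off(quarantine_dir: str, max_age_days: int, now: Optional[float] = None) -> List[str]:
    """Delete quarantined entries older than max_age_days; return purged MD5s."""
    qdir = Path(quarantine_dir)
    now = now if now is not None else time.time()
    purged = []
    for sidecar in qdir.glob("*.json"):
        record = json.loads(sidecar.read_text())
        if now - record["quarantined_at"] >= max_age_days * DAY_SECONDS:
            (qdir / f"{record['md5']}.quar").unlink(missing_ok=True)
            sidecar.unlink()
            purged.append(record["md5"])
    return purged


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "suspect.exe"
        sample.write_bytes(b"MZ" + b"\x90" * 64)  # constructed PE-like stub
        qdir = os.path.join(tmp, "q")
        rec = quarantine_file(str(sample), qdir)
        print("quarantined", rec["md5"], "original still present:", sample.exists())
        print("restored to", restore_file(rec["md5"], qdir))
```

The restore path checks the MD5 before writing the file back, so a quarantine copy that was altered on disk is not silently reintroduced; the age-off function mirrors the Age Off For Quarantined Files setting by purging entries once they reach the configured age.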

Whitelist

Select this action to add this indicator to the Whitelist as a known safe file or process. When you select this action, a whitelist signature override is created with the MD5 of the indicator. For more information about the Whitelist, see Configure TDR Signature Overrides.

Sandbox File

Select this action to make the Host Sensor upload the suspicious file to the sandbox for analysis. For more information, see TDR Sandbox Analysis by APT Blocker.

The Kill Process, Quarantine File, Delete Registry Value, and Sandbox File actions are the same actions you can configure in a policy. When you select these actions on the Indicators or Hosts pages, these actions are categorized as manual actions.

File Search

Select this action to make the Host Sensor identify files associated with this network indicator.

Process Search

Select this action to make the Host Sensor identify the process that generated the network connection associated with this indicator.

TDR Outcomes

The Outcome column indicates the status of the action listed in the Action Requested column. These are the available outcomes:

No Policy

Indicates that there is no policy to take action on this threat.

Successful

Indicates the action was successful and the threat was remediated.

Failure

Indicates that the action failed due to a permissions issue or because the threat was remediated by another action.

In Progress

Indicates that the requested action is currently in progress.

Blocked by Policy

Indicates a remediation policy blocked the requested remediation action.

Failed

Indicates that the action failed due to a permissions issue or because the threat was remediated by another action.

Throttled

The requested action has been delayed due to a high volume of requests.

Pending

Indicates that the requested action has been completed and that the Host Sensor is waiting for the results.
