What the MDR Operations team can do
This page describes the actions that our MDR Operations team can take if you authorize it to respond to threats for you.
We only take action when necessary. If you chose the Authorize threat response when you set up MDR, our team responds to active threats without consulting your contacts first.
If you prefer that the MDR Operations team does not act without consulting you, choose the Collaborate threat response instead. To do this, see Set the threat response.
For more information on the different threat response settings, see MDR threat response.
Actions with Live Response
The MDR Operations team can use Live Response to connect to devices and take action. You must have Live Response turned on to allow us to do this. See Set up and start Live Response.
Here are some actions the team can take:
- Disable users
- Delete users
- End sessions
- End malicious processes
- Delete files
- Browse folders
- Remove scheduled tasks
- Remove processes
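The following is an added example, not Sophos tooling or the page's own content. It shows the endpoint actions listed above as an analyst might run them in a Live Response shell on a Windows device: end the processes running from a suspect image, remove the scheduled task that relaunches it, log off and disable the compromised account, and delete the file. The image path and account name are placeholders, the account is assumed to be a local one, and an elevated session is assumed.

```powershell
# Added example, not Sophos tooling. Endpoint actions as an analyst might run
# them in a Live Response shell on a Windows device. Assumes an elevated
# PowerShell session; path and account name are placeholders, and the account
# is assumed to be a local one.
$MaliciousPath   = 'C:\Users\Public\updater.exe'   # placeholder
$CompromisedUser = 'svc_backup'                    # placeholder local account
$DryRun          = $true                           # set to $false to act
$common          = @{ WhatIf = $DryRun }           # splatted onto each cmdlet

# Record the file's hash before anything is deleted; the incident record needs it.
if (Test-Path -LiteralPath $MaliciousPath) {
    $hash = (Get-FileHash -LiteralPath $MaliciousPath -Algorithm SHA256).Hash
    Write-Host "SHA256 $hash  $MaliciousPath"
}

# 1. End processes running from the malicious image.
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -ieq $MaliciousPath } |
    ForEach-Object { Stop-Process -Id $_.ProcessId -Force @common }

# 2. Remove scheduled tasks that launch it (a common persistence mechanism).
#    Only exec actions carry an Execute property; other action types yield $null.
Get-ScheduledTask |
    Where-Object {
        $_.Actions | Where-Object { ($_.Execute -replace '"', '') -ieq $MaliciousPath }
    } |
    ForEach-Object {
        Unregister-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -Confirm:$false @common
    }

# 3. End the compromised user's interactive sessions, then disable the account.
#    quser output has no stable column positions (disconnected sessions omit the
#    SESSIONNAME column), so parse it with a regex instead of splitting on spaces.
quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
    if ($_ -match '^\s*>?(?<user>\S+)\s+(?:\S+\s+)?(?<id>\d+)\s+(?<state>Active|Disc)' -and
        $Matches.user -ieq $CompromisedUser) {
        Write-Host "Logging off session $($Matches.id) ($($Matches.state)) for $($Matches.user)"
        if (-not $DryRun) { logoff $Matches.id }
    }
}
Disable-LocalUser -Name $CompromisedUser @common

# 4. Delete the file last, once nothing remains that can relaunch it.
Remove-Item -LiteralPath $MaliciousPath -Force @common
```

With `$DryRun` left at `$true`, every cmdlet reports what it would do without changing the device, which is how to rehearse the sequence before acting. The ordering matters: killing the process first and removing the task before deleting the file avoids a race in which the task relaunches the binary between steps.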
Actions with Sophos Central
In Sophos Central, under General Settings, the team can do the following:
- Isolate devices
- Block applications
- Block IP addresses
Actions with Microsoft 365
The MDR Operations team can use Microsoft 365 Response Actions if you've set up that integration.
The team can do the following:
- Block or allow user sign-ins. This helps to stop unauthorized access.
- Disconnect or revoke all current sessions. This helps to isolate compromised accounts.
- Turn off inbox rules for users. This stops attacker-created rules that forward sensitive email outside the organization, hide security alerts from the user, delete evidence, and similar tactics.
To set up Microsoft 365 Response Actions, see Microsoft 365 Response Actions.
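The following is an added example and not the Sophos integration's own code. It performs the three Microsoft 365 actions listed above directly with the Microsoft Graph and Exchange Online PowerShell modules, in the order a responder would apply them, and keeps a copy of the inbox rules before turning them off. It assumes both modules are installed and that the operator holds the roles those cmdlets require; the user principal name and the evidence path are placeholders.

```powershell
# Added example, not the Sophos integration's code. Blocks sign-in, revokes
# sessions and turns off inbox rules for one account, using the Microsoft Graph
# and Exchange Online PowerShell modules. Assumes both modules are installed and
# the operator holds the needed roles; the UPN and evidence path are placeholders.
$Upn         = 'jane.doe@contoso.example'                          # placeholder
$EvidenceDir = Join-Path $env:TEMP "ir-$($Upn -replace '[^\w.-]', '_')"
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Block sign-in. The account remains, but Entra ID issues no new tokens for it.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 2. Revoke sessions. This invalidates refresh tokens and session cookies; access
#    tokens already issued stay valid until they expire (typically up to an hour),
#    which is why step 1 is done as well.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. Inbox rules: keep a copy for the investigation, flag the patterns attackers
#    use (forward, redirect, delete, file into folders nobody reads), then disable
#    every rule rather than delete it, so the evidence survives.
$rules = Get-InboxRule -Mailbox $Upn -IncludeHidden
$rules | Export-Clixml -Path (Join-Path $EvidenceDir 'inbox-rules-before.xml')

function Test-SuspiciousInboxRule {
    param([Parameter(Mandatory)] $Rule)
    $forwards = @($Rule.ForwardTo; $Rule.ForwardAsAttachmentTo; $Rule.RedirectTo) |
        Where-Object { $_ }
    $hides = $Rule.MoveToFolder -match 'RSS|Archive|Junk|Deleted|Conversation History'
    return (@($forwards).Count -gt 0) -or [bool]$Rule.DeleteMessage -or [bool]$hides
}

foreach ($r in $rules) {
    $tag = if (Test-SuspiciousInboxRule $r) { 'SUSPICIOUS' } else { 'rule' }
    Write-Host "Disabling $tag '$($r.Name)' (enabled=$($r.Enabled))"
    Disable-InboxRule -Identity $r.Identity -Mailbox $Upn -Confirm:$false
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Disabling rules instead of deleting them matches what the page describes and leaves the attacker's configuration intact for the investigation; the exported file records the state before any change. Flagging forwarding, redirect, delete and hide patterns tells the analyst which rules to examine first, since a mailbox may also carry legitimate rules that simply get re-enabled after the incident.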
Actions with Sophos Firewall
If you have Sophos Firewall, we can act through the XG Firewall Threat Feeds. For example, during a critical incident we can terminate the VPN sessions of compromised users.