Respond actions

Respond actions define what happens when a Respond rule’s conditions are met. Actions are used to reduce immediate risk or to surface activity for investigation, depending on configuration and connected data sources.

The actions that can be selected depend on:

  • The products and integrations connected to Kaseya MDR

  • The organization’s configuration

  • The permissions granted during Respond connection setup

Respond actions should be enabled only after the triggering pattern has been validated through investigation.

If you already use response automation in other integrated security products, continue managing those actions in those products. Use Kaseya MDR Respond actions when you want response behavior to be driven by MDR investigation and correlation.

Respond actions do not perform root‑cause analysis, forensic investigation, or long‑term remediation. They are intended to limit impact or restrict access while investigation and follow‑up continue.

Common Respond actions

Available actions vary by environment and integrations. The actions listed below are common examples you may see when configuring Respond rules.

  • Block sign‑in: Blocks the affected account from signing in to the connected identity provider. This action is typically used to prevent further access while an investigation is underway.

  • Expire account logins: Forces existing sessions for the affected account to expire. This action signs the account out of active sessions but does not, by itself, prevent future sign‑ins unless combined with additional actions.

  • Reset user password: Resets the password for the affected account. This action is commonly used to contain suspected credential compromise.

  • Force password change on next sign‑in: Requires the affected account to change its password the next time it signs in. This action can be used on its own or in combination with a password reset.

  • Alert‑only: Generates an alert when the Respond rule triggers, without executing any remediation actions. Alert‑only rules are recommended when validating new Respond rules, when automation is not appropriate, or when connected data sources do not support response actions. Alert‑only is a deliberate Respond outcome, not a failure state.

Using actions safely

Respond actions can affect user access and service availability. Before enabling automated actions:

  • Validate the triggering pattern using the Analysis page

  • Confirm that the rule triggers only for meaningful, high‑confidence activity

  • Understand the impact of each action on users and systems

  • Start with alert‑only behavior and review outcomes before enabling automation

Do not assume that an action fully resolves a security threat; use investigation results to guide any additional remediation outside the platform.

Respond rules can generate alerts even when response actions are not available or not enabled. Automated actions require an active and healthy Respond connection for the affected organization.

Related articles

  • Creating Respond rules: Walks through how to build Respond rules that correlate multiple signals into higher‑confidence alerts, including rule structure, scope, conditions, schedules, and response outcomes

  • Creating high‑confidence alerts with Respond rules: Design Respond rules that correlate multiple signals into meaningful, actionable alerts

  • Managing Respond connections: Explains how Respond connections enable response actions for each organization, how connection status affects execution, and how to identify and resolve broken connections