Analyzing a Respond trigger

When a Respond rule triggers, Kaseya MDR records the outcome as an alert. Reviewing a Respond trigger helps you confirm why the rule fired, whether the correlated pattern reflects meaningful risk, and whether the rule is behaving as intended in real conditions.

This review is not just about understanding what happened. It is the point where you decide whether a Respond rule is ready to remain as‑is, needs refinement, or should change how it responds. A Respond trigger by itself does not confirm that a security threat exists, nor that the response actions taken were sufficient.

Use this article whenever a Respond rule fires and you want to validate confidence, scope, and outcome before expanding its use or enabling automation.

Reviewing a Respond trigger

To review a Respond trigger:

  1. Open Analysis.

  2. Locate the alert generated by the Respond rule.

  3. Open the alert details and review:

    • The Respond rule that triggered

    • The contributing events or alerts

    • The sequence and timing of activity

    • The response outcome (alert‑only, manual approval, or automated action)

Always review at least one representative example of the activity that caused the trigger. Focus on whether the correlated behavior reflects meaningful risk or expected activity in this environment.

Understanding the outcome

After reviewing the trigger, confirm which outcome occurred:

  • Alert‑only: The rule surfaced correlated activity for visibility, but no response action was taken.

  • Manual approval: Review is required before any response occurs. This is commonly used when confidence is high but human validation is still required.

  • Automated response: A response action was executed based on the rule configuration and available Respond connections.

If the outcome does not match expectations, review the rule’s scope, conditions, and time window before expanding its use or enabling additional actions.

Reviewing why the rule triggered

To understand why a Respond rule triggered, review the correlated activity associated with the trigger. Focus on:

  • Which events or alerts contributed to the trigger

  • The sequence and timing of activity

  • The user, device, or organization involved

  • Whether the activity spans multiple systems or domains

Use the Analysis page to examine at least one representative example. Reviewing the full sequence helps confirm whether the pattern reflects meaningful risk or a known, expected scenario.

If the contributing alerts or events are unclear, see Detection, IOCs, and Respond rules for how detection logic and IOCs surface signals before they are correlated.

Evaluating the outcome

When reviewing a Respond trigger, confirm which outcome occurred:

  • Alert‑only behavior indicates that the rule surfaced activity for visibility without taking action.

  • Manual approval indicates that review is required before any response occurs.

  • Automated outcomes indicate that a response action was executed based on the rule configuration and available connections.

Understanding the outcome helps determine whether the rule is behaving as intended and whether additional investigation or adjustment is needed.

What this review tells you

Reviewing a Respond trigger should lead to one of a small number of clear decisions:

  • If the trigger consistently reflects meaningful risk: The Respond rule is likely behaving as intended. If it is currently alert‑only, it may be a candidate for manual approval or automation, depending on impact and confidence.

  • If the trigger reflects expected or low‑risk behavior: Keep the rule alert‑only, refine its scope, or reconsider whether Respond is the right tool. In some cases, suppression or tuning may be more appropriate.

  • If the trigger fires too broadly or unexpectedly: Refine the rule’s conditions, scope, or time window. If the behavior does not require correlation to be understood, Respond rules may not be necessary.

The goal is not to automate more actions, but to ensure Respond rules surface patterns that genuinely change investigation or response decisions.

If repeated Respond triggers reflect expected behavior rather than risk, return to Managing repeated alerts or Managing noise and signal to reduce escalation without expanding Respond automation.

Deciding next steps

After analysis:

  • If the activity is expected or low risk, no action may be required.

  • If the activity represents real risk, proceed according to your response process.

  • If the rule triggered too broadly or unexpectedly, refine conditions or revert to alert‑only behavior while tuning.

Relationship to Respond rules and actions

This article focuses on reviewing and interpreting Respond triggers during daily operations. It does not describe how to build Respond rules, enumerate available Respond actions, or explain connection requirements. Use this article after a Respond rule fires, not when designing the rule for the first time.