Response History
The Response History page provides a centralized audit trail of all response action executions across your environment. Use it to track what actions were taken, when, by whom, and on which resources, without navigating individual events.
To access it, select Detection & Response > Respond > Response History.
Prerequisites
To view the Response History, you need a role with the Response Actions READ permission. This is included by default in the Admin, Advanced User, and Team Manager roles. See Role management.
Filter Response Actions
Use the filter bar at the top of the page to narrow the list of executions. The following filters are available:
| Filter | Description |
|---|---|
| Action Name | Filter by action type, grouped by Containment and Data Gathering categories. |
| Execution Time | Filter by the date when the action was executed. |
| Triggered By | Filter by the user who manually triggered the action or the automation that triggered it. |
| Account ID | Filter by cloud account ID. |
| Host | Filter by host name. |
| Cluster | Filter by Kubernetes cluster name. |
| Status | Filter by execution status, such as Ok or Error. |
Review Execution Details
The Response History table displays the following columns:
| Column | Description |
|---|---|
| Execution Time | The timestamp when the action was executed. Results are sorted with the most recent first. |
| Action | The name of the response action, such as Kill Container or Isolate Network. |
| Status | The execution status: Ok or Error. Hover over an Error status to see the failure reason. |
| Resource | The target resource, such as a cluster name, host, or cloud account. |
| Triggered By | The user who triggered the action manually, or the name of the automation that triggered it. |
Click a row to open the detail panel, which contains:
- Metadata: The action description, type (Containment or Data Gathering), execution status, timestamp, and who triggered it. If the action was triggered by an automation, the automation name is clickable and navigates to its details.
- Inputs: The parameters used for the action, such as Cluster, Namespace, Workload Type, Workload Name, Host, AWS Region, or other context-specific fields.
- Outputs: The data produced by the action, such as a Network Policy Name, Quarantined File Path, or Snapshot IDs. This section appears only when the action produces output.
Revert a Response Action
For reversible actions, a revert button appears at the top of the detail panel. For example:
- Isolate Network: Shows a Delete Network Policy button.
- Pause Container: Shows an Unpause Container button.
- IAM Quarantine: Shows an IAM Unquarantine button.
- Make Private Cloud Resource: Shows an Undo Make Private button.
You cannot revert actions that ended in error.
For the full list of actions and their reverse actions, see Response Actions.
Download Action Artifacts
For data-gathering actions that produce downloadable files, a Download File button appears at the top of the detail panel. This applies to:
- Get Logs: Downloads collected Kubernetes logs.
- Fetch Cloud Logs: Downloads collected CloudTrail logs.
- File Acquire: Downloads the captured file.
The download button is available only when the action completed successfully.