search
ProductBook a demoOpen app

Response Actions in Cases

Execute coordinated remediation actions on specific artifacts within a case.

Radiant Cases allow you to take direct action on the key artifacts associated with an attack. Rather than switching between external tools, you can execute response actions, such as blocking URLs, disabling users, or isolating endpoints, directly from the case view.

For a complete list of available response actions and their requirements, see the Radiant Response Actions guide.

hashtag
Prerequisites

hashtag
Execute a response action

Response actions are organized by key artifact type (Users, IPs, URLs) within the case Overview tab. You can act on a single artifact or perform bulk actions on multiple items at once.

To execute a response action:

  1. Navigate to the Overview tab of your case.

  2. Locate the relevant artifact table (e.g., Source IP) and check the box next to the specific items you want to target.

circle-info

Note: You must select at least one artifact to enable the action buttons.

  1. Click the appropriate action button located at the top-right of the table (e.g., Block IP address).

  2. A confirmation modal will appear listing the specific artifacts you are about to impact. Review the list carefully, then click the confirmation button (e.g., Block IP address) to execute.

hashtag
Verify action status

Once an action is initiated, Radiant provides real-time feedback directly in the artifact table so you can track its progress.

  • Look at the Actions taken column in the artifact row. It will update immediately to reflect the current state (e.g., Taking action: Enable User or Error: Enable user).

  • For more detail, click the row or the side-drawer icon. The Response tab in the artifact drawer shows a complete Action history, including who executed them, when they occurred, and their final result.

hashtag
Reverse an action

If you need to undo a remediation step (for example, re-enabling a user after an investigation clears them), you can often do so directly from the same view.

  1. Select the artifact again.

  2. Look for the inverse action button in the header (e.g., Enable user vs. Disable user).

  3. Confirm the action to restore the original state.

circle-exclamation

Important note: Not all actions are reversible (e.g., hard deleting data). Always verify your selection in the confirmation modal before proceeding.

PreviousRadiant Response ActionsNextAudit Response Actions

Last updated

Was this helpful?