Most enterprise security tools, however much information they collect about an endpoint, in the end only report. During an incident, IT picks up the phone, calls the user, asks them to shut the device down. Hours pass. The attacker is still on the network.
The same problem shows up in distributed operations. When a new policy needs to apply across the entire device estate, classic tools push a file, hope the user reboots, and have no idea for days which device is actually done.
This gap — between passive observation and active management — is what ETM remote actions close. Commands flow to the device over the agent's secure channel, results come back live, and the audit trail is complete.
TR7 ETM runs everything from observation to management through a single agent; actions are always under policy and audit.
An operator or SOC analyst runs a structured query to ask the device estate about its current state: 'which devices have this software installed?', 'who is connecting to this IP?', 'which devices restarted their EDR in the last 5 minutes?'. Answers arrive in seconds.
An authorized operator pushes commands to specific devices or the entire device estate: restart a service, install a patch, change configuration, fetch a file, drop a file. Every action is recorded in the audit trail.
On incident or high-risk detection, a device is severed from the network: internet access is blocked and only the ETM management channel is kept open. The attacker's lateral movement path is closed while the device stays reachable for remote investigation.
For every command, the authorized user identity, action reason, and target selection are audited. High-risk actions can require approval chains; one operator's request may not execute without another operator's sign-off.
Remote action is ETM's active management layer for incident response, operations, and compliance teams.
A structured query language queries thousands of devices at once. 'Which devices have disk encryption disabled?', 'Which devices run this driver version?', 'Were any new admin accounts created in the last 24 hours?' — answers in seconds.
With operator approval, pre-defined scripts or controlled system commands execute on the device. Service restarts, log collection, temporary fixes, registry/plist edits — routine operations happen remotely.
Patch packages, configuration files, or forensic log/dump files can be uploaded to or downloaded from the device. All transfers flow over ETM's secure channel; no separate file share is required.
A SOC analyst or policy automation can terminate a specific process on one device or estate-wide. The spread of suspicious software, an unexpected service, or a high-resource-consuming process is stopped immediately.
A device can be isolated due to incident, EDR alarm, or policy violation. During isolation, internet access, internal network resources, and service connectivity are blocked; only the ETM management channel stays open. SOC continues investigating remotely.
A new firewall rule, a new certificate trust, or a modified audit policy is delivered from a single central definition to the entire device estate. Per-device apply status is tracked live; failed applies retry automatically or are surfaced to operators.
Action targets can be dynamic criteria, not only static groups: 'all Linux devices', 'finance team devices', or 'devices flagged non-compliant in the last hour' are live query results that convert directly into target lists.
High-risk actions — estate-wide file deletion, core service restart, network isolation — can require multi-party approval chains. One operator's request doesn't execute without sign-off from another authorized operator.
After a command is sent, each device's response is visible live: succeeded, failed, offline, pending. Operators see which devices are complete within seconds; incomplete tasks retry or surface for manual intervention.
Who, when, to which device, which command, with what justification: every action is recorded in the audit trail. The command output and the device's response are stored with the request they belong to. Audit records can be streamed to SIEM and used as evidence in audit processes.
Remote action integrates into security and operations workflows — command palette, automation, audit, and reporting included.
Which operator can act on which device group, with which actions, is defined explicitly. A SOC analyst gets incident response actions; an IT operator gets patching and configuration actions; restricted operators only run queries.
Repeated actions can be stored as playbooks: 'when EDR agent stops → isolate the device + notify SOC + collect last 24h log dump'. Playbooks bind as triggers to ETM events.
If the device is offline when a command is issued, the action is queued. When the device reconnects, queued commands run automatically and report results to the operator. Queue time can be policy-bounded — for example, auto-cancel after 24 hours.
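The queue-and-retry behaviour described above, as an added example for this page (not TR7 ETM code): one operator action fanned out to many devices, online devices running it immediately, offline devices holding it until they reconnect, a policy-bounded TTL after which a queued command auto-cancels, and the live per-status roll-up the operator sees. The device names, the fake agent that stands in for the real executor, and the 24-hour bound are constructed assumptions.

```python
"""Offline command queue with a policy-bounded TTL and live result roll-up.

Added example for this page, not TR7 ETM code. The device names, the
executor that stands in for the agent, and the 24-hour queue bound are
constructed assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

# Assumed policy bound: queued commands auto-cancel if the device has not
# reconnected within this window (the page cites 24 hours as an example).
QUEUE_TTL = timedelta(hours=24)

# The executor stands in for the agent: (device_id, command) -> (ok, output).
Executor = Callable[[str, str], tuple[bool, str]]

STATUSES = ("succeeded", "failed", "offline", "expired")


@dataclass
class QueuedCommand:
    command_id: str          # one operator action, fanned out to many devices
    device_id: str
    command: str
    issued_at: datetime
    status: str = "offline"  # offline = waiting for the device to reconnect
    output: str = ""
    attempts: int = 0


class CommandQueue:
    def __init__(self, online: set[str], executor: Executor, ttl: timedelta = QUEUE_TTL):
        self.online = set(online)
        self.executor = executor
        self.ttl = ttl
        self.records: list[QueuedCommand] = []

    def _run(self, qc: QueuedCommand) -> None:
        qc.attempts += 1
        ok, qc.output = self.executor(qc.device_id, qc.command)
        qc.status = "succeeded" if ok else "failed"

    def issue(self, command_id: str, device_ids: list[str], command: str, now: datetime) -> None:
        """Fan one action out to all targets; online devices run it now, the rest queue."""
        for device_id in device_ids:
            qc = QueuedCommand(command_id, device_id, command, now)
            self.records.append(qc)
            if device_id in self.online:
                self._run(qc)

    def on_reconnect(self, device_id: str, now: datetime) -> None:
        """Device came back: run what is still inside the TTL, expire the rest."""
        self.online.add(device_id)
        for qc in self.records:
            if qc.device_id == device_id and qc.status == "offline":
                if now - qc.issued_at > self.ttl:
                    qc.status = "expired"
                else:
                    self._run(qc)

    def expire_stale(self, now: datetime) -> int:
        """Periodic sweep: cancel stale queue entries even if the device never returns."""
        n = 0
        for qc in self.records:
            if qc.status == "offline" and now - qc.issued_at > self.ttl:
                qc.status = "expired"
                n += 1
        return n

    def retry_failed(self, command_id: str, max_attempts: int = 3) -> list[str]:
        """Re-run failed entries of one action on online devices; return devices still failing."""
        still_failing = []
        for qc in self.records:
            if qc.command_id == command_id and qc.status == "failed":
                if qc.device_id in self.online and qc.attempts < max_attempts:
                    self._run(qc)
                if qc.status == "failed":
                    still_failing.append(qc.device_id)
        return still_failing

    def rollup(self, command_id: str) -> dict[str, int]:
        """The operator's live view: how many targets are in each state."""
        counts = Counter(qc.status for qc in self.records if qc.command_id == command_id)
        return {s: counts.get(s, 0) for s in STATUSES}


def demo() -> dict[str, dict[str, int]]:
    """Constructed scenario: three hosts online, one laptop offline, host-3 fails once."""
    failures_left = {"host-3": 1}

    def fake_agent(device_id: str, command: str) -> tuple[bool, str]:
        if failures_left.get(device_id, 0) > 0:
            failures_left[device_id] -= 1
            return False, f"{command}: service busy on {device_id}"
        return True, f"{command}: ok on {device_id}"

    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    q = CommandQueue({"host-1", "host-2", "host-3"}, fake_agent)
    out = {}
    q.issue("act-1", ["host-1", "host-2", "host-3", "laptop-9"], "restart_service edr", t0)
    out["after_issue"] = q.rollup("act-1")                 # 2 succeeded, 1 failed, 1 offline
    q.retry_failed("act-1")
    out["after_retry"] = q.rollup("act-1")                 # host-3 succeeds on retry
    q.on_reconnect("laptop-9", t0 + timedelta(hours=2))    # inside the 24h bound
    out["after_reconnect"] = q.rollup("act-1")             # all 4 succeeded
    q.issue("act-2", ["laptop-7"], "collect_logs 24h", t0)
    q.on_reconnect("laptop-7", t0 + timedelta(hours=25))   # past the bound: auto-cancel
    out["late_reconnect"] = q.rollup("act-2")              # 1 expired
    return out
```

The design choice worth noting is that expiry is checked at two points: on reconnect, so a device that was off for longer than the policy bound never executes a stale command, and in a periodic sweep, so the operator's roll-up stops showing "offline" for devices that may never come back.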
Actions are graded by impact surface into risk levels. Low-risk queries can run with a single operator; high-risk bulk actions require second approval. Risk levels are configurable per organizational policy.
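The role scoping, risk grading and multi-party approval described in the preceding paragraphs, as an added example for this page (not TR7 ETM code): an action catalogue graded by impact surface, a role map deciding who may request and approve which actions, a separation-of-duties rule that rejects self-approval and duplicate sign-offs, and an audit record appended at every state transition. The action names, roles, tiers and approval counts are assumptions chosen for the example.

```python
"""Risk-graded remote actions behind a separation-of-duties approval chain.

Added example for this page, not TR7 ETM code. The action catalogue, the
role map, the risk tiers and the approval counts are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Risk(Enum):
    LOW = 1      # read-only queries
    MEDIUM = 2   # single-device changes
    HIGH = 3     # estate-wide or destructive: isolation, bulk deletion


# Assumed policy: distinct approvers required besides the requester.
APPROVALS_REQUIRED = {Risk.LOW: 0, Risk.MEDIUM: 1, Risk.HIGH: 2}

# Assumed action catalogue, graded by impact surface.
ACTION_RISK = {
    "query": Risk.LOW,
    "restart_service": Risk.MEDIUM,
    "isolate_device": Risk.HIGH,
    "delete_file_estate_wide": Risk.HIGH,
}

# Assumed role map: which role may request (and approve) which actions.
ROLE_ACTIONS = {
    "soc_analyst": {"query", "restart_service", "isolate_device"},
    "it_operator": {"query", "restart_service", "delete_file_estate_wide"},
    "restricted": {"query"},
}


@dataclass
class ActionRequest:
    requester: str
    action: str
    targets: list[str]
    reason: str
    approvals: set[str] = field(default_factory=set)
    state: str = "pending"          # pending -> approved -> dispatched
    audit: list[dict] = field(default_factory=list)

    @property
    def risk(self) -> Risk:
        return ACTION_RISK[self.action]

    def log(self, event: str, actor: str, **extra) -> None:
        # Every transition is recorded with who, what, which targets and why.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "actor": actor, "action": self.action,
            "targets": list(self.targets), "reason": self.reason, **extra,
        })


def submit(requester: str, role: str, action: str, targets: list[str], reason: str) -> ActionRequest:
    """Validate role and justification, open the request, auto-approve only LOW risk."""
    if action not in ACTION_RISK:
        raise ValueError(f"unknown action {action!r}")
    if action not in ROLE_ACTIONS.get(role, set()):
        raise PermissionError(f"role {role!r} may not run {action!r}")
    if not reason.strip():
        raise ValueError("a justification is required for every action")
    req = ActionRequest(requester, action, list(targets), reason)
    req.log("submitted", requester, role=role, risk=req.risk.name)
    if APPROVALS_REQUIRED[req.risk] == 0:
        req.state = "approved"
        req.log("auto_approved", "policy")
    return req


def approve(req: ActionRequest, approver: str, approver_role: str) -> str:
    """Add one sign-off; the requester and duplicate approvers are rejected."""
    if req.state != "pending":
        raise ValueError(f"request is {req.state}, not awaiting approval")
    if approver == req.requester:
        raise PermissionError("separation of duties: requester cannot approve own request")
    if approver in req.approvals:
        raise PermissionError("one sign-off per approver")
    if req.action not in ROLE_ACTIONS.get(approver_role, set()):
        raise PermissionError(f"role {approver_role!r} cannot approve {req.action!r}")
    req.approvals.add(approver)
    req.log("approved", approver, role=approver_role)
    if len(req.approvals) >= APPROVALS_REQUIRED[req.risk]:
        req.state = "approved"
        req.log("threshold_met", "policy", approvers=sorted(req.approvals))
    return req.state


def dispatch(req: ActionRequest) -> dict:
    """Only an approved request reaches the command channel; the record travels with it."""
    if req.state != "approved":
        raise PermissionError(f"cannot dispatch a request in state {req.state!r}")
    req.state = "dispatched"
    req.log("dispatched", "dispatcher")
    return {"action": req.action, "targets": req.targets, "approved_by": sorted(req.approvals)}
```

Two checks in `approve` carry the security weight: an approver must hold a role that could have requested the action itself, so a restricted operator cannot be used to wave through an isolation, and the requester is never counted among the approvers, so a HIGH action always has three distinct identities in its audit record.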
Every remote action's audit record can be forwarded to SIEM. Compliance teams use ETM action records for regulatory reporting; this matters especially for insider-incident response audits in finance and healthcare.
The command dispatch, target selection, and result aggregation architecture supports tens of thousands of devices receiving commands in a single estate-wide action. Devices are addressed in parallel, so per-device response time does not grow with estate size.
On EDR alarm, a SOC analyst cuts the affected device from the network with one click. The attacker's lateral movement path is closed while the device stays reachable for remote forensics. Manual phone-tree processes and hours of delay disappear.
When a new CVE is disclosed, IT runs the patching playbook; affected devices are found via live query, the patch file flows down, install status reports back. Hours of manual work collapse into minutes.
For investigation, log files, memory dumps, or configuration snapshots flow from the device remotely. The device doesn't leave the user's hands, the user's workflow doesn't break, and investigation material arrives through the secure channel.
During audit, questions like 'is disk encryption active on all devices?' or 'is EDR running everywhere?' get answers in seconds. Instead of manual inventory reports, a live evidence chain is delivered.
Let's see ETM Remote Actions live in your environment — a deployment session that includes playbook design.