Policy Actions
Enforce, block, isolate, and update policies by identity — triggering precise security responses directly from an AI assistant or automated workflow.
The policy action tools are the write side of the Threatmatic MCP server. They let an AI assistant or agent close the loop between what it observes (via events and posture) and what it enforces.
Every action targets a specific identity — a user, an application, a device, or a network destination — rather than a network segment or subnet. This means an agent can respond to a threat with surgical precision, leaving the rest of the environment untouched.
All actions are audited
Every tool call is recorded in the Threatmatic audit log with the API key, timestamp, and full
parameters. Policy actions taken by an AI agent are attributed as source: mcp_agent alongside
the agent name.
Tools
isolate_device
Moves a device into a quarantine micro-zone, cutting all network access except a designated management path.
{
"name": "isolate_device",
"description": "Isolate a device into a quarantine micro-zone, blocking all non-management traffic.",
"inputSchema": {
"type": "object",
"required": ["device_id"],
"properties": {
"device_id": {
"type": "string"
},
"reason": {
"type": "string",
"description": "Human-readable reason for isolation, recorded in the audit log"
},
"notify": {
"type": "boolean",
"description": "Send alert to the security operations team (default: true)",
"default": true
}
}
}
}Example:
{
"device_id": "dev_workstation_sarah_k",
"reason": "Anomaly: lateral movement to 14 internal hosts, confidence 0.97",
"notify": true
}release_device
Releases a device from quarantine and restores its previous policy set.
{
"name": "release_device",
"description": "Release a device from quarantine and restore its policy set.",
"inputSchema": {
"type": "object",
"required": ["device_id"],
"properties": {
"device_id": { "type": "string" },
"reason": { "type": "string" }
}
}
}block_destination
Blocks all fleet traffic to a specific IP address, CIDR range, or domain — immediately and across all devices.
{
"name": "block_destination",
"description": "Block all fleet traffic to an IP, CIDR, or domain.",
"inputSchema": {
"type": "object",
"required": ["destination"],
"properties": {
"destination": {
"type": "string",
"description": "IP address, CIDR range (e.g. 185.234.0.0/16), or domain pattern (e.g. *.attacker-domain.ru)"
},
"scope": {
"type": "string",
"enum": ["fleet", "device", "user"],
"description": "Apply block fleet-wide, or scope to a specific device or user (default: fleet)"
},
"scope_id": {
"type": "string",
"description": "Required when scope is 'device' or 'user'"
},
"expires_at": {
"type": "string",
"description": "ISO 8601 timestamp — block auto-expires at this time. Omit for permanent."
},
"reason": { "type": "string" }
}
}
}allow_destination
Explicitly permits traffic to a destination that would otherwise be blocked by default policy.
{
"name": "allow_destination",
"description": "Explicitly allow traffic to a destination for a specific device or user.",
"inputSchema": {
"type": "object",
"required": ["destination", "scope_id"],
"properties": {
"destination": { "type": "string" },
"scope": { "type": "string", "enum": ["device", "user"] },
"scope_id": { "type": "string" },
"reason": { "type": "string" }
}
}
}suspend_user
Suspends all network access for a user identity across every device they are active on.
{
"name": "suspend_user",
"description": "Suspend all network access for a user identity.",
"inputSchema": {
"type": "object",
"required": ["user_id"],
"properties": {
"user_id": { "type": "string" },
"reason": { "type": "string" },
"expires_at": { "type": "string", "description": "Auto-restore at this time if provided" }
}
}
}create_policy
Creates a new named policy scoped to specific identities.
{
"name": "create_policy",
"description": "Create a new policy targeting specific users, devices, apps, or destinations.",
"inputSchema": {
"type": "object",
"required": ["name", "rules"],
"properties": {
"name": {
"type": "string",
"description": "Human-readable policy name"
},
"description": { "type": "string" },
"rules": {
"type": "array",
"description": "Array of policy rules",
"items": {
"type": "object",
"properties": {
"identity_type": {
"type": "string",
"enum": ["user", "device", "app", "workload"]
},
"identity_id": { "type": "string" },
"action": {
"type": "string",
"enum": ["block", "allow", "monitor", "isolate", "require_mfa"]
},
"destination": {
"type": "string",
"description": "Optional destination constraint (IP, CIDR, domain, or app_id)"
}
}
}
},
"enabled": {
"type": "boolean",
"default": true
}
}
}
}update_policy
Updates the rules or status of an existing policy.
{
"name": "update_policy",
"description": "Update an existing policy.",
"inputSchema": {
"type": "object",
"required": ["policy_id"],
"properties": {
"policy_id": { "type": "string" },
"enabled": { "type": "boolean" },
"rules": { "type": "array" },
"reason": { "type": "string" }
}
}
}close_incident
Marks an active incident as resolved and optionally triggers cleanup actions.
{
"name": "close_incident",
"description": "Close an active incident.",
"inputSchema": {
"type": "object",
"required": ["incident_id"],
"properties": {
"incident_id": { "type": "string" },
"resolution": {
"type": "string",
"description": "Summary of how the incident was resolved"
},
"release_quarantined_devices": {
"type": "boolean",
"description": "Automatically release any devices isolated during this incident",
"default": false
}
}
}
}End-to-End Example
The following shows how an AI agent connects observation to action — detecting a ransomware lateral movement attempt and containing it automatically:
const tm = new MCPClient({ server: "threatmatic" });
// 1. Subscribe to critical anomalies
const stream = await tm.callTool("subscribe_events", {
filters: { event_type: "anomaly", severity: "critical" },
});
for await (const event of stream) {
const { device_id, anomaly_type, description, recommended_action } = event.data;
if (anomaly_type === "lateral_movement_attempt" && recommended_action === "isolate") {
// 2. Enrich with posture context
const posture = await tm.callTool("get_device_posture", { device_id });
// 3. Isolate the device
await tm.callTool("isolate_device", {
device_id,
reason: `Automated response: ${description}. Risk score: ${posture.risk_score}.`,
});
// 4. Block the C2 destinations seen in this event
for (const dest of event.data.observed_destinations ?? []) {
const intel = await tm.callTool("get_threat_context", { indicator: dest });
if (intel.reputation === "malicious") {
await tm.callTool("block_destination", {
destination: dest,
scope: "fleet",
reason: `C2 infrastructure — incident ${event.data.incident_id}`,
});
}
}
}
}Permission Scopes
API keys can be scoped to limit which policy actions an agent is permitted to take:
| Scope | Permissions granted |
|---|---|
read | Events, posture queries, threat context — no write access |
policy:read | Read existing policies |
policy:write | Create and update policies |
device:isolate | Isolate and release devices |
user:suspend | Suspend and restore user access |
destination:block | Block and allow network destinations |
incident:manage | Close incidents |
admin | All of the above |
Create API keys with the minimum scope needed for each agent. Keys are generated in the Threatmatic Console under Settings → API Keys.
How is this guide?
Last updated on
Security Posture
Query the current risk scores, anomaly flags, compliance state, and behavioral baselines for any device, user, or workload in your fleet.
Queen Message Queue
Using the @repo/mcp-queen server to interact with the Queen message queue at queen.trustzero.co — push, pop, peek, ack, and manage queues directly from an AI assistant.