About SEM response actions

See Create a new rule to learn how to create an active response rule.

About SEM active response

An active response (also called an event response) is a SEM action in response to suspicious activity or an attack. Active response actions include the Block IP active response, the Disable Networking active response, the Log off User active response, the Kill Process active response, the Detach USB Device active response, and so on.

The Select action type list in the rules builder provides a list of actions you can execute for a specific event. Each Respond command opens the Respond form. This form includes data from the field you selected and options for customizing the action—similar to configuring the active response for a rule in the Rule Creation.

The Respond menu is context-sensitive. The event type or cell currently selected in the event grid determines which responses you can choose.

Select an event response from an existing rule

Log in to the SEM Console.
On the toolbar, click Rules.
Select a rule in the list, click Edit, and then click Next.
Under Actions, click Add new action.
Select your response action type, and then click Next.
From the Define action drop-down lists, select your options based on the action type, and then click Add.
Adjust the details and actions, if needed, and then click Save.

See Create a new rule for additional guidance.

Use SEM active responses to perform Windows actions related to users, groups, and domains

Use the following user-based active responses to perform Windows-based actions related to users, groups, and domains on your SEM Agents.

Add Domain User To Group
Add Local User To Group
Create User Account
Create User Group
Delete User Account
Delete User Group
Disable Domain User Account
Disable Local User Account
Enable Domain User Account
Enable Local User Account
Log Off User
Remove Domain User From Group
Remove Local User From Group
Reset User Account Password

These actions are useful to respond to unauthorized change management activity and to automate user-related maintenance. They can be automated in a SEM rule, or executed manually from the Respond menu on the SEM Console.

Configure an active response connector on a SEM agent

Configure the Windows active response connector on each SEM agent that requires active responses.

You can deploy your SEM agents and configure the Windows active response connector based on where you want to perform these actions. To perform actions at the domain level, deploy a SEM agent to at least one domain controller. To perform actions at the local level, deploy a SEM agent to each computer that requires a response.

Log in to the SEM Console.
On the toolbar, click Configure > Nodes.
In the Refine Results column, expand Type and select the Agent check box.
Select an agent, and then click Manage node connectors.
In the search box, type Windows Active Response and then click the magnifying glass icon.
Under Available connectors, select the Windows Active Response connector.
Click Add Connector.
Enter a custom alias name for the new connector, or accept the default.
Click Add.
Under Configured connectors, select your configured connector.
Click Start.

The green indicator next to the connector name displays, indicating that the connector is started and running.

Actions SEM can take to respond to events

The following table lists the various actions a SEM Manager can take to respond to events. These actions are configured in the Respond form when you are initiating an active response, and in the rules window’s Actions box when you are configuring a rule's automatic response.

The table’s Action column lists the actions that are available. They are alphabetized for easy reference. The Description column briefly states how the action behaves. The Fields column lists the primary data fields that apply with each action. Some data fields will vary, depending on the options you select.