Use Computer-based active responses in LEM

To perform Windows-based actions related to computers and computer services on your LEM Agents, use the following Computer-based active responses. These actions are useful for responding to insider abuse, computer infections, and other suspicious activity. They can be automated in a LEM rule or executed manually from the Respond menu in the LEM console.

  • Disable Windows Machine Account
  • Enable Windows Machine Account
  • Disable Networking
  • Detach USB Device
  • Restart Machine
  • Restart Windows Service
  • Send Popup Message
  • Shutdown Machine
  • Start Windows Service
  • Stop Windows Service

Requirements

Configure the Windows Active Response connector on each LEM Agent on which you want to be able to use these active responses.

Deploy your LEM Agents and configure the Windows Active Response connector based on where you want to perform these actions. To perform actions at the domain level, deploy a LEM Agent to at least one domain controller. To perform actions at the local level, deploy a LEM Agent to each computer you want to be able to respond to.

To configure the Windows Active Response connector on a LEM Agent:

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. On the LEM toolbar, navigate to Manage > Nodes.

  3. Locate the LEM Agent on which you want to enable the connector.

  4. To the left of the LEM Agent, click , and then select Connectors.

  5. Enter Windows Active Response in the Search box at the top of the Refine Results pane.

  6. Next to the connector, click , and then select New.

  7. Enter a custom Alias for the new connector, or accept the default.

  8. Click Save.

  9. Next to the new connector, denoted by an icon in the Status column, click , and then select Start.

  10. To exit the Connector Configuration window, click Close.

Create or clone rules to perform the action:

  1. When creating or cloning a rule, locate the action in the lower-left part of the Rule Creation screen.

  2. Drag the action under the rule Actions.

  3. Fill in the appropriate fields.