Configure the Disable Networking active response in LEM

Use the Disable Networking Active Response to disable networking on a LEM Agent at the Windows Device Manager level. Use this active response for isolating network infections and attacks. You can automate the active response in a LEM rule or manually execute the response from the Respond menu in the LEM console.

Use caution with this active response, because it acts on the LEM Agent computer at the Device Manager level. To avoid disabling networking unintentionally, consider placing new rules with this action in Test mode until you are sure your correlations are configured appropriately.

Configure the Windows Active Response connector on each LEM Agent where you need a Disable Networking active response.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. On the LEM toolbar, navigate to Manage > Nodes.

  3. Locate the LEM Agent that requires a new connector.

  4. Next to the Agent, click , and then select Connectors.

  5. In the Refine Results search box, enter Windows Active Response.

  6. Next to the connector, click , and then select New.

  7. Enter a custom alias name for the new connector, or accept the default.

  8. Click Save.

  9. Next to the new connector, click , and then select Start.

  10. To exit the Connector Configuration window, click Close.

Re-enable networking on a computer affected by the active response

  1. Log in to the computer locally with administrative privileges.

  2. Open Control Panel, and then navigate to System and Security > Administrative Tools > Computer Management.

  3. In Computer Management, navigate to System Tools > Device Manager.

  4. Expand the Network adapters group.

  5. Select the network adapter, and then click Action > Enable.
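
The re-enable steps above can also be scripted from an elevated PowerShell session at the local console of the affected computer. This is an added example, not part of the LEM product or its documentation; it assumes Windows 8 / Windows Server 2012 or later (where the NetAdapter module is available) and that the active response left the adapters in the Disabled state. The `-Name` parameter is this script's own, used to limit the action to specific adapters.

```powershell
#Requires -RunAsAdministrator
# Added example: re-enable network adapters that were disabled at the
# Device Manager level. Run locally; the host has no network while isolated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Optional: limit the action to these adapter names (script parameter).
    [string[]]$Name
)

# Physical adapters that Windows currently reports as disabled.
$disabled = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Disabled' }
if ($Name) {
    $disabled = $disabled | Where-Object { $Name -contains $_.Name }
}

if (-not $disabled) {
    Write-Output 'No disabled physical network adapters found.'
    return
}

# Show what is about to be changed, for the incident record.
$disabled | Select-Object Name, InterfaceDescription, Status, MacAddress

foreach ($adapter in $disabled) {
    # Honors -WhatIf and -Confirm so the change can be previewed first.
    if ($PSCmdlet.ShouldProcess($adapter.Name, 'Enable network adapter')) {
        Enable-NetAdapter -Name $adapter.Name -Confirm:$false
    }
}

# Give the driver a moment to start, then report the resulting state.
Start-Sleep -Seconds 5
Get-NetAdapter -Name $disabled.Name | Select-Object Name, Status, LinkSpeed
```

Run the script with `-WhatIf` first to list the adapters it would enable without changing anything.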