Configure the Kill Process active response in LEM

Use the Kill Process active response to end Windows processes on hosts that run a LEM Agent. This response stops suspicious or unauthorized processes. You can automate the response with a LEM rule, or run it manually from the Respond menu in the LEM console.

Configure the Windows Active Response connector on each LEM Agent where you need the active response.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. On the LEM toolbar, navigate to Manage > Nodes.

  3. Locate the LEM Agent that requires a new connector.

  4. Next to the Agent, click , and then select Connectors.

  5. In the Refine Results search box, enter Windows Active Response.

  6. Next to the connector, click , and then select New.

  7. Enter a custom alias name for the new connector, or accept the default.

  8. Click Save.

  9. Next to the new connector, click , and then select Start.

  10. To exit the Connector Configuration window, click Close.

Configure a Kill Process active response rule

You can configure the rule to kill a process by the detection IP address or by the process name. Determine the type of event that triggers the rule; this is typically a ProcessAudit event.

The Kill Process active response acts on the ProcessID field value of the corresponding LEM alert. Use Kill Process By ID when the ProcessID value is a number, and use Kill Process By Name when the ProcessID value is a process name.

When you create LEM rules that use these actions, consider adding both actions to the rule, so that it fires whichever form the ProcessID field takes in your Windows logs. A rule that carries only one of the two silently skips alerts whose ProcessID is in the other form.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. On the LEM toolbar, navigate to Build > Rules.

  3. To create a new rule, select a rule template or an existing rule, or click in the toolbar.

  4. Enter a name and description for the rule.

  5. To kill a process by the detection IP address:

    1. In the left pane, click Events, and then select ProcessAudit.

    2. In the Fields: ProcessAudit list, drag DetectionIP into the Correlations box.

    To kill a process by name:

    1. In the left pane, click Events, and then select ProcessAudit.

    2. In the Fields: ProcessAudit list, drag DetectionIP into the Correlations box.

    3. In the Fields: ProcessAudit list, drag SourceAccount into the Correlations box.

  6. In the left pane, click Actions, and then drag Kill Process By ID or Kill Process By Name into the Actions box.

  7. Click Save.

  8. Click Activate Rules.
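The following is an added example, not SolarWinds code and not LEM output. It models the rule built above as a small Python function: alerts are matched on DetectionIP (and optionally SourceAccount, as in the by-name variant), and each matching alert is routed to Kill Process By ID or Kill Process By Name depending on whether its ProcessID field holds a number or a name. The sample alerts are constructed; the `0x` form is included because the Windows Security log writes the new process ID in event 4688 as hex, and it is an assumption here that LEM may pass that string through unchanged. Running it shows why the page recommends adding both actions: with only one action in the rule, some matching alerts get no response at all.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessAuditAlert:
    """Subset of a LEM ProcessAudit alert's fields used by the rule (constructed for this example)."""
    detection_ip: str
    source_account: str
    process_id: str  # LEM carries either a numeric PID or a process name in this one field


# Constructed sample alerts, not real LEM output. "0x1a4" mirrors how Windows
# Security event 4688 writes "New Process ID"; that LEM passes it through unchanged
# is an assumption made for this example.
SAMPLE_ALERTS = [
    ProcessAuditAlert("10.0.0.5", "CORP\\alice", "4132"),
    ProcessAuditAlert("10.0.0.5", "CORP\\alice", "0x1a4"),
    ProcessAuditAlert("10.0.0.5", "CORP\\bob", "mimikatz.exe"),
    ProcessAuditAlert("10.0.0.7", "CORP\\alice", "psexec.exe"),
    ProcessAuditAlert("10.0.0.7", "CORP\\alice", "2764"),
]

KILL_BY_ID = "Kill Process By ID"
KILL_BY_NAME = "Kill Process By Name"

_DEC = re.compile(r"^\d+$")
_HEX = re.compile(r"^0x[0-9a-fA-F]+$")


def parse_process_id(value: str):
    """Return the PID as an int when the field is numeric (decimal or 0x-hex), else None."""
    v = value.strip()
    if _DEC.match(v):
        return int(v, 10)
    if _HEX.match(v):
        return int(v, 16)
    return None


def applicable_action(alert: ProcessAuditAlert) -> str:
    """Pick the LEM action that can act on this alert, following the rule on the page:
    a numeric ProcessID needs Kill Process By ID, a name needs Kill Process By Name."""
    return KILL_BY_ID if parse_process_id(alert.process_id) is not None else KILL_BY_NAME


def rule_matches(alert: ProcessAuditAlert, detection_ip: str, source_account: str = None) -> bool:
    """Emulate the rule's Correlations box: DetectionIP must match, and SourceAccount
    too when the rule correlates on it (the by-name variant above)."""
    if alert.detection_ip != detection_ip:
        return False
    return source_account is None or alert.source_account.lower() == source_account.lower()


def responses(alerts, actions, detection_ip, source_account=None):
    """Return the (alert, action) pairs the rule would fire, and the matching alerts it
    silently skips because none of its actions fits the form of their ProcessID field."""
    fired, skipped = [], []
    for alert in alerts:
        if not rule_matches(alert, detection_ip, source_account):
            continue
        action = applicable_action(alert)
        if action in actions:
            fired.append((alert, action))
        else:
            skipped.append(alert)
    return fired, skipped


if __name__ == "__main__":
    variants = [
        ("By ID only", {KILL_BY_ID}),
        ("By Name only", {KILL_BY_NAME}),
        ("Both actions", {KILL_BY_ID, KILL_BY_NAME}),
    ]
    for label, actions in variants:
        fired, skipped = responses(SAMPLE_ALERTS, actions, "10.0.0.5")
        print(f"{label}: fired {len(fired)} response(s), skipped {len(skipped)} matching alert(s)")
        for alert in skipped:
            print(f"  no action fits ProcessID={alert.process_id!r}")
```

Keep the correlation narrow when you use Kill Process By Name: killing by name ends every process on the agent host that carries that image name, so a rule keyed on DetectionIP alone can take down more than the one process the alert described. Correlating on SourceAccount as well, as the by-name steps above do, limits the blast radius.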