Use the Append Text to File active response in SEM

Use the Append Text To File active response to append static or dynamic text to a flat text file on your network. This action is useful for keeping a running list of deployed SEM Agents or tracking certain types of activity across several users and computers. You can automate this response with a SEM rule, or execute it manually from the Respond menu in the SEM console.

Requirements

To use this active response, ensure that the file you want to append already exists. Follow these guidelines when creating the file:

  • Use a .txt file, or a similar flat-text file format.

  • Avoid using spaces in the file path or name.

  • Note the complete file path and name, because you will need it to configure the active response.
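A pre-flight check for the guidelines above, run on the Windows host that holds the file. This is an added example, not SolarWinds code; the default path, the extension list, and the size threshold are assumptions to replace with your own values.

```powershell
# Pre-flight check for the file targeted by the Append Text to File action.
# All defaults below are placeholders, not values taken from SEM.
param(
    [string]$FilePath = 'C:\SEMLogs\agent_activity.txt',  # hypothetical path
    [int]$WarnAtMB    = 10   # assumed threshold; align with your connector's maximum file size
)

$problems = @()

# Guideline: avoid spaces in the file path or name.
if ($FilePath -match '\s') {
    $problems += "Path contains whitespace: '$FilePath'"
}

# Guideline: use a .txt file or a similar flat-text format.
$flatTextExtensions = '.txt', '.log', '.csv'   # assumed list of flat-text extensions
$extension = [System.IO.Path]::GetExtension($FilePath).ToLowerInvariant()
if ($flatTextExtensions -notcontains $extension) {
    $problems += "Extension '$extension' is not in the flat-text list"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

# Requirement: the file must already exist before the active response runs.
if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
    $parent = Split-Path -Path $FilePath -Parent
    if (-not (Test-Path -LiteralPath $parent -PathType Container)) {
        New-Item -ItemType Directory -Path $parent -Force | Out-Null
    }
    New-Item -ItemType File -Path $FilePath | Out-Null
    Write-Output "Created empty file: $FilePath"
}

# Report the current size so a file close to the limit is noticed early.
$sizeMB = [math]::Round((Get-Item -LiteralPath $FilePath).Length / 1MB, 2)
if ($sizeMB -ge $WarnAtMB) {
    Write-Warning "File is $sizeMB MB, at or above the $WarnAtMB MB threshold"
}

# Guideline: note the complete path for the File Path field of the action.
$fullPath = (Resolve-Path -LiteralPath $FilePath).Path
Write-Output "File Path to enter in the rule action: $fullPath"
```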

Configure both the Append Text to File active response connector and the Windows active response connector on each SEM Agent where you want to use this active response.

To configure the Append Text to File action in a rule:

  1. Open the SEM console. See Log in to the SEM web console for steps.

  2. On the SEM toolbar, navigate to Build > Rules.

  3. Create a new rule or edit an existing rule that triggers on a specific event.

  4. Open the rule to edit, and then select Actions in the left pane.

  5. Drag the Append Text to File action from the left to the Actions box under the rule.

  6. In the left pane, click Constants, and then drag the Text field to the empty box next to File Path under the Append Text to File action.

  7. In the Events list on the left, select the same event that is used in the rule's Correlations, and then drag the DetectionIP field from the Fields list to Agent under this action.

  8. In File Path under this action, enter the directory path, including the name of the file.

  9. The Text field under the Append Text to File label contains the text that is inserted into the file. If you are using plain text, drag the Text constant from the left to the empty box in the Text field.

  10. Save the rule.

To configure the Append Text to File Active Response connector on a SEM Agent:

  1. Open the SEM console. See Log in to the SEM web console for steps.

  2. On the SEM toolbar, navigate to Manage > Nodes.

  3. Locate the SEM Agent on which you want to enable the connector.

  4. To the left of the SEM Agent, click , and then select Connectors.

  5. In the search box at the top of the Refine Results pane, enter Append Text to File.

  6. Next to the connector, click , and then select New.

  7. Enter a custom Alias for the new connector, or accept the default.

  8. Specify whether you want the connector to append data to a new line in the How to append menu.

  9. Specify a Maximum file size(MB) or accept the default.

  10. Click Save.

  11. Next to the new connector, denoted by an icon in the Status column, click , and then select Start.

  12. To exit the Connector Configuration window, click Close.

To configure the Windows active response connector on a SEM Agent:

  1. Open the SEM console. See Log in to the SEM web console for steps.

  2. On the SEM toolbar, navigate to Manage > Nodes.

  3. Locate the SEM Agent on which you want to enable the connector.

  4. To the left of the SEM Agent, click , and then select Connectors.

  5. In the Search box at the top of the Refine Results pane, enter Windows Active Response.

  6. Next to the connector, click , and then select New.

  7. Enter a custom Alias for the new connector, or accept the default.

  8. Click Save.

  9. Next to the new connector, denoted by an icon in the Status column, click , and then select Start.

  10. To exit the Connector Configuration window, click Close.