Configure the Disable Networking active response in SEM

Use the Disable Networking Active Response to disable networking on a SEM Agent at the Windows Device Manager level. Use this active response for isolating network infections and attacks. You can automate the active response in a SEM rule or manually execute the response from the Respond menu in the SEM console.

Use caution with this active response, because it disables networking on the SEM Agent at the Device Manager level. To avoid disabling networking unintentionally, consider placing new rules with this action in Test mode until you are sure your correlations are configured appropriately.

Configure the Windows Active Response connector on each SEM Agent where you need a Disable Networking active response.

  1. Open the SEM console. See Log in to the SEM web console for steps.

  2. On the SEM toolbar, navigate to Manage > Nodes.

  3. Locate the SEM Agent that requires a new connector.

  4. Next to the Agent, click , and then select Connectors.

  5. In the Refine Results search box, enter Windows Active Response.

  6. Next to the connector, click , and then select New.

  7. Enter a custom alias name for the new connector, or accept the default.

  8. Click Save.

  9. Next to the new connector, click , and then select Start.

  10. To exit the Connector Configuration window, click Close.

Re-enable networking on a computer affected by the active response

  1. Log in to the computer locally with administrative privileges.

  2. Open Control Panel, and then navigate to System and Security > Administrative Tools > Computer Management.

  3. In Computer Management, navigate to System Tools > Device Manager.

  4. Expand the Network adapters group.

  5. Select the network adapter, and then click Action > Enable.
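
A PowerShell equivalent of the Device Manager steps above, as an added example that is not part of the original page. It assumes the built-in NetAdapter module (Windows 8 / Windows Server 2012 or later), an elevated local session, and a hypothetical `-Name` filter parameter; run it with `-WhatIf` first to list the adapters it would enable.

```powershell
#Requires -RunAsAdministrator
# Added example: re-enable network adapters that are administratively disabled.
# Run it from a local console session, because the host has no network
# connectivity while its adapters are disabled.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical filter for this example; the default matches every adapter.
    [string]$Name = '*'
)

# -Physical skips virtual and software adapters; remove it to include them.
$disabled = @(Get-NetAdapter -Name $Name -Physical -ErrorAction SilentlyContinue |
    Where-Object Status -eq 'Disabled')

if ($disabled.Count -eq 0) {
    Write-Output 'No disabled physical network adapters found.'
    return
}

foreach ($adapter in $disabled) {
    # ShouldProcess honours -WhatIf and -Confirm passed to this script.
    if ($PSCmdlet.ShouldProcess($adapter.Name, 'Enable network adapter')) {
        try {
            $adapter | Enable-NetAdapter -Confirm:$false -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not enable '$($adapter.Name)': $($_.Exception.Message)"
        }
    }
}

# Give the drivers a moment to start, then report the resulting state so the
# operator can confirm each adapter left the Disabled status.
Start-Sleep -Seconds 5
Get-NetAdapter -Name $disabled.Name -ErrorAction SilentlyContinue |
    Select-Object Name, InterfaceDescription, Status, MacAddress
```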