Configure the Kill Process active response in SEM

Use the Kill Process active response to end Windows-based processes on your SEM Agents. This response stops suspicious or unauthorized processes. You can automate the response with a SEM rule or run it manually from the Respond menu in the SEM console.

Configure the Windows active response connector on each SEM Agent that requires active responses.

You can deploy your SEM agents and configure the Windows active response connector based on where you want to perform these actions. To perform actions at the domain level, deploy a SEM agent to at least one domain controller. To perform actions at the local level, deploy a SEM agent to each computer that requires a response.

  1. In the SEM Events Console, click the Nodes tab.
  2. Under Refine Results, expand the Type group, and then select the Agent check box.
  3. Select an agent, and then click Manage node connectors.
  4. In the search box, type Windows Active Response.
  5. Select the Windows Active Response connector, and then click Add Connector.
  6. Enter a custom alias name for the new connector, or accept the default, and then click Add.
  7. Under Configured connectors, select your configured connector, and then click Start.

Configure a Kill Process active response rule

You can configure the rule to kill a process by the detection IP address or by the process name. Determine the type of event that triggers the rule; this is typically a ProcessAudit event.

The Kill Process active response functions according to the ProcessID field value of the corresponding SEM alert. Use Kill Process By ID when the ProcessID value is a number, and use Kill Process By Name when the ProcessID value is a name.

When you create SEM rules that use these actions, consider adding both actions so that the rule works whether Windows logs a numeric ProcessID or a process name.
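The following PowerShell script is an added example, not SolarWinds SEM code and not how the SEM agent implements the action. It mirrors the dispatch described above (numeric ProcessID means kill by ID, otherwise kill by name) so you can see on a Windows host what each action would do before you activate a rule. The three event objects are constructed samples that reuse the page's field names (ProcessID, DetectionIP, SourceAccount); the function name Invoke-KillProcessResponse is an assumption for illustration. It assumes you run it on the agent host as an administrator.

```powershell
# Added example (not SolarWinds SEM code): models the Kill Process By ID /
# Kill Process By Name dispatch keyed on the ProcessID field of a ProcessAudit
# event, with the checks a practitioner wants before a process is stopped.
# The $SampleEvents objects are constructed samples, not real SEM alerts.

$SampleEvents = @(
    [pscustomobject]@{ EventType = 'ProcessAudit'; DetectionIP = '10.0.0.15'; SourceAccount = 'CORP\jdoe'; ProcessID = '4532' },
    [pscustomobject]@{ EventType = 'ProcessAudit'; DetectionIP = '10.0.0.15'; SourceAccount = 'CORP\jdoe'; ProcessID = 'notepad.exe' },
    [pscustomobject]@{ EventType = 'ProcessAudit'; DetectionIP = '10.0.0.15'; SourceAccount = 'CORP\jdoe'; ProcessID = '' }
)

function Invoke-KillProcessResponse {
    # Hypothetical helper name; SupportsShouldProcess gives us -WhatIf for dry runs.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [pscustomobject] $Event
    )

    $value = [string]$Event.ProcessID

    if ([string]::IsNullOrWhiteSpace($value)) {
        Write-Warning "ProcessID is empty; nothing to kill (check the rule's correlation fields)."
        return
    }

    # Numeric ProcessID -> Kill Process By ID. A PID identifies exactly one
    # process, but Windows reuses PIDs, so confirm it still exists first.
    if ($value -match '^\d+$') {
        $targetPid = [int]$value
        $proc = Get-Process -Id $targetPid -ErrorAction SilentlyContinue
        if (-not $proc) {
            Write-Warning "No process with PID $targetPid is running (already exited or PID reused)."
            return
        }
        if ($PSCmdlet.ShouldProcess("$($proc.ProcessName) (PID $targetPid)", 'Stop-Process')) {
            Stop-Process -Id $targetPid -Force
        }
        return
    }

    # Non-numeric ProcessID -> Kill Process By Name. Stop-Process -Name matches
    # the image name without its extension and stops EVERY instance, so strip
    # the extension and report how many processes the name actually matches.
    $name = [System.IO.Path]::GetFileNameWithoutExtension($value)
    $targets = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
    if ($targets.Count -eq 0) {
        Write-Warning "No running process named '$name'."
        return
    }
    $pidList = $targets.Id -join ','
    if ($PSCmdlet.ShouldProcess("$($targets.Count) process(es) named '$name' (PIDs $pidList)", 'Stop-Process')) {
        $targets | Stop-Process -Force
    }
}

# Dry run: -WhatIf shows which branch fires for each ProcessID shape without
# stopping anything. Remove -WhatIf to actually kill the processes.
foreach ($e in $SampleEvents) {
    Invoke-KillProcessResponse -Event $e -WhatIf
}
```

Run it first with -WhatIf, as written, to see which branch each ProcessID value takes. The by-name branch is the one to treat carefully: it stops every instance of that image name on the host, which is why the page recommends adding both actions rather than relying on by-name alone.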

  1. Open the SEM console. See Log in to the SEM web console for steps.

  2. On the SEM toolbar, navigate to Build > Rules.

  3. To create a new rule, select a rule template or an existing rule, or click in the toolbar.

  4. Enter a name and description for the rule.

  5. To kill a process by the detection IP address:

    1. In the left pane, click Events, and then select ProcessAudit.

    2. In the Fields: ProcessAudit list, drag DetectionIP into the Correlations box.

    To kill a process by name:

    1. In the left pane, click Events, and then select ProcessAudit.

    2. In the Fields: ProcessAudit list, drag DetectionIP into the Correlations box.

    3. In the Fields: ProcessAudit list, drag SourceAccount into the Correlations box.

  6. In the left pane, click Actions, and then drag Kill Process By ID or Kill Process By Name into the Actions box.

  7. Click Save.
  8. Click Activate Rules.