Documentation for Security Event Manager

Use computer-based active responses in SEM

To perform Windows-based actions related to computers and computer services on your SEM agents, use the following computer-based active responses in your deployment:

  • Disable Windows Machine Account
  • Enable Windows Machine Account
  • Disable Networking
  • Detach USB Device
  • Restart Machine
  • Restart Windows Service
  • Send Popup Message
  • Shutdown Machine
  • Start Windows Service
  • Stop Windows Service

These actions can help you respond to insider abuse, computer infections, and other suspicious activity. They can be automated in a SEM rule, or executed manually from the Respond menu on the SEM Console.

Requirements

Configure the Windows Active Response connector on each SEM agent that responds to the active responses.

Deploy your SEM agents and configure the Windows Active Response connector based on where you want to perform these actions. To perform actions at the domain level, deploy a SEM agent on at least one domain controller. To perform actions at the local level, deploy a SEM agent on each computer you want to respond to when action is required.