Configure the Disable Networking active response in SEM
Use the Disable Networking Active Response to disable networking on a SEM Agent at the Windows Device Manager level. Use this active response for isolating network infections and attacks. You can automate the active response in a SEM rule or manually execute the response from the Respond menu on the SEM Console.
Use caution with this active response, because it responds to the SEM Agent at the Device Manager level. To avoid disabling networking unintentionally, consider placing new rules with this action in Test mode until you are sure your correlations are configured appropriately.
Configure the Windows active response connector on each SEM agent that requires active responses.
You can deploy your SEM agents and configure the Windows active response connector based on where you want to perform these actions. To perform actions at the domain level, deploy a SEM agent to at least one domain controller. To perform actions at the local level, deploy a SEM agent to each computer that requires a response.
- On the SEM Console, navigate to Configure > Nodes.
- Under Refine Results, expand the Type group, and then select the Agent check box.
- Select an agent, and then click Manage node connectors.
- In the search box, type Windows Active Response.
- Select the Windows Active Response connector, and then click Add Connector.
- Enter a custom alias name for the new connector, or accept the default, and then click Add.
- Under Configured connectors, select your configured connector, and then click Start.
Re-enable networking on a computer affected by the active response
-
Log in to the computer locally with administrative privileges.
-
Open Control Panel, and then navigate to System and Security > Administrative Tools > Computer Management.
- In Computer Management, navigate to System Tools > Device Manager.
-
Expand the Network adapters group.
-
Select the network adapter, and then click Action > Enable.