About SEM response actions
See Create a new rule to learn how to create an active response rule.
About SEM active response
An active response (also called an event response) is a SEM action taken in response to suspicious activity or an attack. Active response actions include Block IP, Disable Networking, Log off User, Kill Process, Detach USB Device, and so on.
The Select action type list in the rules builder provides a list of actions you can execute for a specific event. Each Respond command opens the Respond form. This form includes data from the field you selected and options for customizing the action, similar to configuring the active response for a rule in Rule Creation.
The Respond menu is context-sensitive. The event type or cell currently selected in the event grid determines which responses you can choose.
Select an event response from an existing rule
- Log in to the SEM Console.
- On the toolbar, click Rules.
- Select a rule in the list, click Edit, and then click Next.
- Under Actions, click Add new action.
- Select your response action type, and then click Next.
- From the Define action drop-down lists, select your options based on the action type, and then click Add.
- Adjust the details and actions, if needed, and then click Save.
See Create a new rule for additional guidance.
Use SEM active responses to perform Windows actions related to users, groups, and domains
Use the following user-based active responses to perform Windows-based actions related to users, groups, and domains on your SEM Agents.
- Add Domain User To Group
- Add Local User To Group
- Create User Account
- Create User Group
- Delete User Account
- Delete User Group
- Disable Domain User Account
- Disable Local User Account
- Enable Domain User Account
- Enable Local User Account
- Log Off User
- Remove Domain User From Group
- Remove Local User From Group
- Reset User Account Password
These actions are useful to respond to unauthorized change management activity and to automate user-related maintenance. They can be automated in a SEM rule, or executed manually from the Respond menu on the SEM Console.
Configure an active response connector on a SEM agent
Configure the Windows active response connector on each SEM agent that requires active responses.
You can deploy your SEM agents and configure the Windows active response connector based on where you want to perform these actions. To perform actions at the domain level, deploy a SEM agent to at least one domain controller. To perform actions at the local level, deploy a SEM agent to each computer that requires a response.
- Log in to the SEM Console.
- On the toolbar, click Configure > Nodes.
- In the Refine Results column, expand Type and select the Agent check box.
- Select an agent, and then click Manage node connectors.
- In the search box, type Windows Active Response, and then click the magnifying glass icon.
- Under Available connectors, select the Windows Active Response connector.
- Click Add Connector.
- Enter a custom alias name for the new connector, or accept the default.
- Click Add.
- Under Configured connectors, select your configured connector.
- Click Start.
A green indicator appears next to the connector name, indicating that the connector is started and running.
Actions SEM can take to respond to events
The following table lists the various actions a SEM Manager can take to respond to events. These actions are configured in the Respond form when you are initiating an active response, and in the rules window’s Actions box when you are configuring a rule's automatic response.
The table’s Action column lists the actions that are available. They are alphabetized for easy reference. The Description column briefly states how the action behaves. The Fields column lists the primary data fields that apply with each action. Some data fields will vary, depending on the options you select.
Action | Description | Fields |
---|---|---|
Add Domain User To Group | This action adds a domain user to a specified user group that resides on a particular Agent. | Domain Controller Agent: Select the event field or constant that defines the Agent on which the group to be modified resides. To modify a group at the domain level, specify a domain controller as the Agent. Group Name: Select the event field or constant that defines the group that is to be modified. Username: Select the event field or constant that defines the user who is to be added to the group. |
Add Local User To Group | This action adds a local user to a specified user group that resides on a particular Agent. | Agent: Select the event field or constant that defines the Agent on which the group to be modified resides. To modify a group at the domain level, specify a domain controller as the Agent. Group Name: Select the event field or constant that defines the group that is to be modified. Username: Select the event field or constant that defines the user who is to be added to the group. |
Add User-Defined Group Element | This action adds a new data element to a particular user-defined group. | User-Defined Group Element: From the User-Defined Groups list, select the user-defined group that is to receive the new data element. Value: Select the event field or constant that defines the data element that is to be added to the specified user-defined group. The fields vary according to which user-defined group you select. |
Append Text To File | This action appends text to a file, allowing you to take data from an event and write it to a text file. | Agent: Select the event field or constant that defines the Agent on which the file to be appended is located. File Path: Select the event field or constant that defines the path to the Agent file that is to be appended with text. Text: Select the event field or constant that defines the text to be appended to the file. |
Block IP | This action blocks an IP address. | IP Address: Select the event field or constant that identifies the device's IP address. |
Create User Account | This action creates a new user account on an Agent. | Agent: Select the event field or constant that defines the Agent on which the new user account is to be added. To create a user account at the domain level, specify a domain controller as the Agent. Account Name: Select the event field or constant that names the account that is to be created. Account Password: Select the event field or constant that defines the password that is to be assigned to the new account. |
Create User Group | This action creates a specified user group on an Agent. A user group is a new group of Windows users on a Windows PC, server, or network who are external to the SEM system. | Agent: Select the event field or constant that defines the Agent on which the new user group is to reside. To create a user group at the domain level, specify a domain controller as the Agent. Group Name: Select the event field or constant that defines which user group is to be created. |
Delete User Account | This action deletes a user account from an Agent. | Agent: Select the event field or constant that defines the Agent on which the user account is to be deleted. To delete a user account at the domain level, specify a domain controller as the Agent. Account Name: Select the event field or constant that names the account that is to be deleted. |
Delete User Group | This action deletes a user group from a particular Agent. | Agent: Select the event field or constant that defines the Agent on which the user group to be deleted resides. To delete a user group at the domain level, specify a domain controller as the Agent. Group Name: Select the event field or constant that defines the user group that is to be deleted. |
Detach USB Device | This action detaches a USB mass storage device that is connected to an Agent. | Agent: Select the event field or constant that defines the Agent from which the USB device is to be detached. Device: Select the event field or constant that defines the device ID of the USB device that is to be detached. |
Disable Domain User Account | This action disables a domain user account on a Domain Controller Agent. | Domain Controller Agent: Select the event field or constant that defines the Domain Controller Agent on which the domain user is to be disabled. Destination Account: Select the event field or constant that defines the account that is to be disabled. |
Disable Local User Account | This action disables a local user account on an Agent. | Agent: Select the event field or constant that defines the Agent on which the local user is to be disabled. Destination Account: Select the event field or constant that defines the account that is to be disabled. |
Disable Networking | This action disables an Agent's network access. The result is that the specified Agent will be unable to connect to the network. | Agent: Select the event field or constant that defines the Agent that is to be disabled from the network. Message: Type the message that is to appear on the Agent. |
Disable Windows Machine Account | This action disables a Windows machine account that resides on a Domain Controller Agent. | Domain Controller Agent: Select the event field or constant that defines the Domain Controller Agent on which the account is to be disabled. Destination Account: Select the event field or constant that specifies which Windows account is to be disabled. |
Enable Domain User Account | This action enables a domain user account on a Domain Controller Agent. | Domain Controller Agent: Select the event field or constant that defines the Domain Controller Agent on which the domain user is to be enabled. Destination Account: Select the event field or constant that defines the account that is to be enabled. |
Enable Local User Account | This action enables a local user account on an Agent. | Agent: Select the event field or constant that defines the Agent on which the local user is to be enabled. Destination Account: Select the event field or constant that defines the account that is to be enabled. |
Enable Windows Machine Account | This action enables a Windows machine account that resides on a Domain Controller Agent. | Domain Controller Agent: Select the event field or constant that defines the Domain Controller Agent on which the account is to be enabled. Destination Account: Select the event field or constant that specifies which Windows account is to be enabled. |
Incident Event | This action escalates potential issues by creating an Incident Event. | Event: Select which Incident Event the rule is to create. Event Fields: From the list pane, select the events and constants that define the appropriate data elements for each event field. The fields vary, depending on which Incident Event is selected. |
Infer Event | This action escalates potentially irregular audit traffic into security events by creating (or inferring) a new event with a higher severity. | Event: Select which Event the rule is to infer. Event Fields: From the list pane, select the events and constants that define the appropriate data elements for each event field. The fields vary, depending on which event is selected. |
Kill Process by ID | This action terminates the specified process on an Agent by using its process ID value. | Agent: Select the event field or constant that defines the Agent on which the process is to be terminated. Process ID: Select the event field or constant that identifies the ID number of the process that is to be terminated. |
Kill Process by Name | This action terminates the specified process on an Agent by referring to the process name. | Agent: Select the event field or constant that defines the Agent on which the process is to be terminated. Process Name: Select the event field or constant that identifies the name of the process that is to be terminated. Account Name: Select the event field or constant that identifies the name of the account that is running the process to be terminated. |
Log Off User | This action logs the user off of an Agent. | Agent: Select the event field or constant that defines the Agent from which the user is to be logged off. Account Name: Select the event field or constant that identifies the specific account name that is to be logged off. |
Modify State Variable | This action modifies a state variable. | State Variable: From the State Variables list, drag the state variable that the rule is to modify. State Variable Fields: From the appropriate component list, type or drag the data element that is to be modified in the state variable. The fields vary, depending on which state variable is selected. |
Remove Domain User From Group | This action removes a domain user from a specified user group that resides on a particular Agent. | Domain Controller Agent: Select the event field or constant that defines the domain controller Agent on which the group to be modified resides. Group Name: Select the event field or constant that defines the group that is to be modified. User Name: Select the event field or constant that defines the user who is to be removed from the group. |
Remove Local User From Group | This action removes a local user from a specified user group that resides on a particular Agent. | Agent: Select the event field or constant that defines the Agent on which the group to be modified resides. Group Name: Select the event field or constant that defines the group that is to be modified. User Name: Select the event field or constant that defines the user who is to be removed from the group. |
Remove User-Defined Group Element | This action removes a data element from a particular user-defined group. | User-Defined Group: From the User-Defined Groups list, select the user-defined group from which the specified data element is to be removed. Value: Select the event field or constant that defines the data element that is to be removed from the specified user-defined group. The fields vary according to which user-defined group you select. |
Reset User Account Password | This action resets a user account password on a particular Agent. | Agent: Select the event field or constant that identifies the Agent on which the user password is to be reset. To reset an account at the domain level, specify a domain controller as the Agent. Account Name: Select the event field or constant that identifies the user account that is to be reset. New Password: Select the event field or constant that defines the user's new password. |
Restart Machine | This action reboots an Agent. | Agent: Select the event field or constant that identifies the Agent that is to be rebooted. Delay (sec): Type the time (in seconds) after the event occurs that the Manager is to wait before rebooting the Agent. |
Restart Windows Service | This action restarts the specified Windows service on an Agent. | Agent: Select the event field or constant that identifies the Agent on which the Windows service will be restarted. Service Name: Select the event field or constant that identifies the name of the service that is to be restarted. |
Send Email Message | This action sends a preconfigured email message to a predetermined email distribution list. | Email Template: Select the template that the email message is to use. Recipients: Click the check boxes to select which users are to receive the email message. Email Fields: Either drag a field from the components list, or select a constant from the components list, to supply the data elements that are to appear in each email template field. The fields vary, depending on which email template is selected. |
Send Popup Message | This action displays a pop-up message on an Agent. | Agent: Select the event field or constant that identifies the Agent that is to receive the pop-up message. Account Name: Select the event field or constant that identifies the user account to receive the message. Message: Select the event field or constant that defines the message that is to appear on the Agent's monitor. |
Shutdown Machine | This action shuts down an Agent. | Agent: Select the event field or constant that identifies the Agent that is to be shut down. Delay (sec): Type the time (in seconds) after the event occurs that the Manager is to wait before shutting down the Agent. |
Start Windows Service | This action starts the specified Windows service on an Agent. | Agent: Select the event field or constant that identifies the Agent on which the Windows service is to be started. Service Name: Select the event field or constant that defines the Windows service that is to be started. |
Stop Windows Service | This action stops the specified Windows service on an Agent. | Agent: Select the event field or constant that identifies the Agent on which the Windows service is to be stopped. Service Name: Select the event field or constant that defines the Windows service that is to be stopped. |