Product Guide, Revision B

McAfee Active Response 2.0.0
For use with McAfee ePolicy Orchestrator

COPYRIGHT

Copyright © 2017 McAfee, LLC

TRADEMARK ATTRIBUTIONS

McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee Active Response 2.0.0 Product Guide

Contents

Preface (p. 5)
  About this guide (p. 5)
    Audience (p. 5)
    Conventions (p. 5)
  Find product documentation (p. 6)

1 Product overview (p. 7)
  What is Active Response? (p. 7)
  Key features (p. 7)
  How it works (p. 8)

2 Installation (p. 11)
  Requirements (p. 11)
  Install the McAfee ePO extensions (p. 13)
  Configure McAfee ePO proxy server settings (optional) (p. 13)
  Configure the McAfee ePO Cloud Bridge server settings (p. 13)
  Install the Threat Intelligence Exchange server (p. 14)
  Install the Active Response server (p. 14)
  Configure the DXL broker extension (p. 15)
  Install aggregators (p. 15)
  Manage Active Response clients (p. 16)
    Install clients (p. 16)
    Uninstall clients (p. 17)
  Viewing Active Response status (p. 17)
    View health status (p. 17)
  Install content packages (p. 18)

3 Upgrade (p. 19)
  Upgrade the Active Response server (p. 19)
  Upgrade the McAfee ePO extensions (p. 19)
  Upgrade clients (p. 20)

4 Configuration (p. 21)
  Network ports (p. 21)
  Active Response Service configuration (p. 22)
  Client configuration (p. 22)
    Create an Active Response policy (p. 23)
  Access management (p. 23)

5 Using Active Response (p. 25)
  Using the Threat Workspace (p. 25)
    Threat Workspace (p. 25)
    Investigate and remediate a threat (p. 27)
    View threat remediation history (p. 28)
  Searching endpoint data (p. 29)
    Use the search box (p. 29)
    Save a search expression (p. 30)
    Use a saved search expression (p. 31)
    Search syntax (p. 31)
  Collecting endpoint data (p. 33)
    Built-in collectors (p. 34)
    Custom collectors (p. 46)
  Reacting to incidents (p. 47)
    Built-in reactions (p. 48)
    Create a custom reaction (p. 49)
    Apply a reaction (p. 50)
  Catching threats (p. 50)
    Create a trigger (p. 51)
    Trigger types (p. 52)
  Adding custom content (p. 56)
    Content output (p. 57)
    Content arguments (p. 58)
    Content types (p. 59)
  Backing up and sharing content (p. 62)
  Error codes (p. 62)

Index (p. 67)

Preface

This guide provides the information you need to work with your McAfee product.

Contents

• About this guide

• Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses these typographical conventions and icons.

Italic Title of a book, chapter, or topic; a new term; emphasis

Bold Text that is emphasized

Monospace Commands and other text that the user types; a code sample; a displayed message

Narrow Bold Words from the product interface like options, menus, buttons, and dialog boxes

Hypertext blue A link to a topic or to an external website

Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method

Tip: Best practice information

Caution: Important advice to protect your computer system, software installation, network, business, or data

Warning: Critical advice to prevent bodily harm when using a hardware product

Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task

1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.


1 Product overview

McAfee® Active Response is a part of the Endpoint Threat Defense and Response solution. The solution provides unified security components that work together through an open, integrated approach with shared visibility, threat intelligence, and simplified work flows. Through early detection of suspicious activity or by detecting indicators of prior attacks, network administrators can use Active Response to quickly and effectively deal with security breaches.

Contents

• What is Active Response?

• Key features

• How it works

What is Active Response?

Active Response offers continuous visibility and powerful insights into endpoints so you can identify and remediate breaches faster.

By providing information about potentially malicious processes, Active Response reduces the resources needed to detect risks from unknown applications and processes running on endpoints. By integrating process reputation, Active Response allows you to act on shared threat intelligence with simplified workflows. You can take quick corrective actions to remediate a threat, and adapt protection measures against future attacks.

Active Response brings together McAfee® Threat Intelligence Exchange (TIE) and McAfee® Data Exchange Layer (DXL). Together they provide global threat information with locally collected, customer-specific intelligence that can be shared, allowing multiple security solutions to operate as one.

Together Active Response, Threat Intelligence Exchange, and Data Exchange Layer narrow the gap from encounter to containment for advanced targeted attacks from days, weeks, or months down to milliseconds.

Key features

Active Response provides a single-click action to protect, respond, and adapt, reducing the need for multiple tools and steps into one streamlined operation.

It includes built-in data collectors, triggers, and reactions to get started right away. Incident responders can easily introduce custom content for specific use.

Active Response offers these key features.

Detect

Use Active Response to detect threats on compromised systems.


• Use the Threat Workspace to see active threats on endpoints, where they started, and how they moved through the environment, and see the threat time lines.

• Prioritize the high-risk threats based on behavior to focus your investigation on the most important threats.

• Search live and historical threat data to determine the full scope of an attack.

• Monitor your environment with customizable collectors that search for indicators of attack that are not only running or lying dormant, but that might have been deleted.

Respond

Use Active Response to stop threats when they are detected. You can take immediate action on affected endpoints.

• Use triggers and reactions to detect threatening events and react immediately.

• Automate reactions based on triggers and act on multiple endpoints remotely at the same time.

• Take remediation actions from the Threat Workspace with a single click. For example, you can stop a running process on a single endpoint, or remove a threat and block it from recurring in the environment.

Adapt

Use Active Response to learn from and automate threat responses and provide live security protection without manual intervention.

• Customize collectors and reactions for adapting threat investigation and detection flows.

• Adapt protection settings to automatically block persistent attacks.

• Learn what to include in security policies.

How it works

Active Response is composed of the service, a set of extensions, and endpoint clients.

The Active Response client, which runs on managed endpoints, includes a Trace module that scans and captures data about potential threats (processes) on the managed endpoints. This data is then sent to cloud storage via the Data Exchange Layer. The Trace module is available on Microsoft Windows systems only.

The Active Response Threat Workspace, installed as an extension to McAfee ePO, retrieves the data stored in the cloud and enables visualization of threats that are seen across the endpoints. In-depth investigation of a threat is performed in the Threat Workspace, with additional information retrieved on-demand from the endpoints by the Active Response server. You can remediate a threat from the Threat Workspace, and the remediation actions take effect immediately on the endpoints. You can also block future recurrences of a threat by changing the reputation of a process, which is updated in the Threat Intelligence Exchange server.


Overview

This diagram shows an overview of how Active Response works.

A. Active Response client

The Active Response client agent runs on endpoints. It enables:

• Continuous incident information collection

• Responses to information queries from the Active Response server

• Execution of remediation actions on specific threats

The incident information gathered from endpoints is aggregated and stored in the customer's cloud storage. Active Response supports both Windows and Linux endpoints. The Linux solution currently does not support the continuous incident-information gathering capability.

B. Data Exchange Layer

The DXL brokers and clients are the communication channel for Active Response operations. For details about using DXL, see the Data Exchange Layer Product Guide.

C. DXL Cloud Bridge

The DXL component that connects your network to the Active Response Cloud Storage and Services.

D. McAfee® ePolicy Orchestrator® (McAfee® ePO™) and Active Response extensions

McAfee ePO is the management platform for all McAfee products. The managed products have their own extensions. Active Response has two main extensions.

• Threat Workspace — Enables the visualization of incident information gathered from the endpoints. In-depth investigation of a threat is performed in the Threat Workspace, with additional information retrieved on-demand from the endpoints by the Active Response server. You can remediate a threat from the Threat Workspace, and the remediation actions take effect immediately on the endpoints.

• Active Response search — Enables real-time searches over the endpoints. It also provides the ability to save searches, create custom collectors, and define triggers and reactions.


E. Cloud Storage and Services

The incident information from the endpoints is stored in the cloud (up to 90 days of endpoint data). Aggregation of endpoint data in the cloud provides the overall health status of the enterprise. If endpoint data is not sent to the cloud, for example, if an endpoint is offline, the Threat Workspace displays past information only, if available in the cloud storage. If no incident information is available in the cloud for any of the endpoints, the Threat Workspace does not display threat information. Search features still retrieve real-time information from endpoints that are reachable.

F. Active Response server

This is the central coordinator of the Active Response solution. It communicates with the Active Response client running on managed endpoints to collect data and execute remediation actions.

G. Threat Intelligence Exchange servers

The reputation management system that provides reputation information and helps to investigate threats. You can override a reputation setting in the Threat Workspace, and that setting is sent to the TIE server and updated throughout your environment.


2 Installation

The installation includes several components and clients.

• McAfee ePO extensions

• McAfee ePO proxy and Cloud Bridge configuration

• Threat Intelligence Exchange server

• Data Exchange Layer brokers

• Active Response server

• Active Response aggregators

• Active Response clients on endpoints

• Active Response content packages

Contents

• Requirements

• Install the McAfee ePO extensions

• Configure McAfee ePO proxy server settings (optional)

• Configure the McAfee ePO Cloud Bridge server settings

• Install the Threat Intelligence Exchange server

• Install the Active Response server

• Configure the DXL broker extension

• Install aggregators

• Manage Active Response clients

• Viewing Active Response status

• Install content packages

Requirements

For a successful installation, check that these minimum requirements are met before installing Active Response components.

Minimum requirements for the Active Response solution

• McAfee ePolicy Orchestrator 5.3.1 or later

• McAfee® Endpoint Security 10.2 or later

• McAfee Endpoint Security Threat Intelligence 10.2 or McAfee Endpoint Security Adaptive Threat Protection 10.5 or later (for use with McAfee Endpoint Security 10.5 or later)

If upgrading your environment from a previous version of Active Response or from Threat Intelligence Exchange 2.0, these requirements are also needed:

• Data Exchange Layer 3.0.0. At least one DXL broker must be version 3.0.0 or greater.

• Threat Intelligence Exchange server 2.0.0

Minimum requirements for the Active Response server

The server can be installed on a physical server or a virtual machine.

• 1 CPU with 4 cores

• 8 GB RAM

• 140 GB solid-state disk

Supported web browsers for the user interface extension

• Internet Explorer 11 or later

• Microsoft Edge on Windows 10.0

• Chrome 53.0 or later

• Firefox 46.0 or later

• Safari 8.0 or later (on Macintosh operating systems only)

Minimum requirements for the Active Response endpoint client

• McAfee® Agent 5.0.3 or later for Windows and Linux endpoints

• Data Exchange Layer 3.0.0 client

• Endpoint Security Threat Prevention 10.2 or later

• Endpoint Security Threat Intelligence module 10.2 (for Endpoint Security 10.2) or Endpoint Security Adaptive Threat Protection module 10.5 or later (for Endpoint Security 10.5 or later)

If an endpoint does not currently have a version of Endpoint Security or McAfee VirusScan Enterprise, the appropriate versions of the Endpoint Security modules are installed automatically with the Active Response installation. If an endpoint currently has an unsupported version of Endpoint Security installed, follow the Endpoint Security documentation for steps about upgrading the modules on the endpoint to a supported version.

Supported operating systems for the Active Response endpoint client

Operating system | Version | Architecture | Processor | RAM | Minimum free hard disk space
Windows 10 Enterprise, Anniversary Update | Base | 32-bit and 64-bit | 2 GHz or higher | 3 GB | 1 GB
Windows 8.0 | Base | 32-bit and 64-bit | 2 GHz or higher | 3 GB | 1 GB
Windows 8.1 Enterprise | Base, U1 | 32-bit and 64-bit | 2 GHz or higher | 3 GB | 1 GB
Windows 2012 Server | Base, R2, U1 | 64-bit | 2 GHz or higher | 3 GB | 1 GB
Windows 2008 R2 Enterprise | SP1 | 64-bit | 2 GHz or higher | 3 GB | 1 GB
Windows 2008 R2 Standard | SP1 | 64-bit | 2 GHz or higher | 3 GB | 1 GB
Windows 7 Enterprise | Up to SP1 | 32-bit and 64-bit | 1.4 GHz or higher | 2 GB | 1 GB
Windows 7 Professional | Up to SP1 | 32-bit and 64-bit | 1.4 GHz or higher | 2 GB | 1 GB
Windows Server 2016 | Base | 64-bit | 2 GHz or higher | 3 GB | 1 GB
CentOS * | 6.5 | 32-bit | 2 GHz or higher | 2 GB | 1 GB
RedHat * | 6.5 | 32-bit | 2 GHz or higher | 2 GB | 1 GB

* Does not support the Trace functionality or displaying data on the Threat Workspace.

Install the McAfee ePO extensions

The extensions for Active Response, Threat Intelligence Exchange, and Data Exchange Layer are included in a single bundle file.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager.

3 Locate the Active Response Extensions Bundle.

4 Click Check in.

5 Accept the License Agreement and click OK.

Configure McAfee ePO proxy server settings (optional)

If your company uses proxy addresses, enter the IP address for the Active Response server in the McAfee ePO proxy settings.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Configuration | Server Settings | Proxy Settings.

3 Click Edit.

4 Enter the proxy information.

5 Click Save.

Configure the McAfee ePO Cloud Bridge server settings

McAfee ePO Cloud Bridge is an extension that you install on your local McAfee ePO server, allowing you to link your on-premise McAfee ePO server to your McAfee ePO Cloud account.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Configuration | Server Settings | McAfee ePO Cloud Bridge.

3 Click Edit.

4 Enter your McAfee ePO Cloud account credentials and accept the license. If you don't have an account, follow the link to create one.

5 Click Save.

Install the Threat Intelligence Exchange server

Install and configure the Threat Intelligence Exchange server. TIE provides file and certificate reputation information and enables you to block or allow them from running in your environment based on their reputation.

See the Threat Intelligence Exchange documentation for information about installing and configuring TIE.

Install the Active Response server

The Active Response server is provided as an .iso image, packaging a McAfee® Linux Operating System (MLOS) instance.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager and download the Active Response server ISO file.

3 Start the system where the Active Response server will be installed, making sure that it boots from the Active Response server ISO image. MLOS and all necessary packages are installed automatically after the system starts.

4 When the installation finishes, restart the system. Make sure that it starts from the installed system, not from the .iso image.

5 Configure the Active Response server.

a Read the License Agreement and enter Y to accept its terms.

b Set a root password and confirm it.

c Create an operational account. You can use this account to connect through ssh to the system, and use su to obtain root permissions.

d Select the main network interface for the system. This interface connects the Active Response server to McAfee ePO and the Data Exchange Layer.

e Configure the network interface.

• Enter D for DHCP configuration.

• Enter M to manually set the network addresses.


f Set a host name and domain name for the system.

g (Optional) Enable IPv6 routing.

h Set the time server for the system.

i (Optional) Set proxy variables.

The http_proxy and https_proxy definitions are comma-separated lists of host names or IP addresses. The no_proxy definition is a comma-separated list of host names, domains, or IP addresses.

Proxy settings are for operating system administration only. Active Response does not use proxies to communicate with McAfee ePO or network endpoints.

j Configure McAfee Agent to set up the connection to McAfee ePO.

k Select which services must run on the system.

• DXL Broker — Installs a Data Exchange Layer broker. If your environment already has at least one DXL broker version 3.0.0 or later, you can choose not to install a new instance of the broker.

• AR Server — Installs the Active Response server.

l Set the DXL broker communication port.

6 Log on to McAfee ePO as an administrator and verify that an Active Response server is listed in the System Tree.

Configure the DXL broker extension

Broker extensions are additional features that can be enabled on a Data Exchange Layer broker to add new functionality created by other managed products. Enable the Trace broker extension used by Active Response.

Active Response 2.0 requires at least one DXL broker version 3.0.0 or later. The Trace extension is not available on previous broker versions.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Configuration | Server Settings | DXL Topology.

2 Click Edit.

3 Select a broker and next to Broker Extension, select Provides trace data to the cloud for MAR Workspace.

4 Click Save.

Install aggregators

You are not required to install an aggregator to use Active Response. However, aggregators reduce the amount of DXL bandwidth required, and increase the number of managed endpoints supported.

Install Active Response aggregators on DXL broker systems in your fabric. We recommend that you install an aggregator on each system in your fabric that runs only a DXL broker. The broker systems with aggregators must not have a DXL client deployed on that system. Aggregators can't be installed on Active Response or TIE server systems.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager and check in the Active Response Aggregator package.

3 Select Menu | Software | Product Deployment, then click New Deployment.

4 In the Package drop-down list, select the Active Response aggregator.

5 Click Select Systems and choose the DXL broker where to install the aggregator.

6 Select Run Immediately and click Save to start deployment.

You can also install the aggregator package from the Master Repository.

Manage Active Response clients

Use these tasks to manage the Active Response client on endpoints.

Install clients

Active Response clients are ready to function immediately after installation and configuration.

Before you begin

Make sure your endpoints are running McAfee Agent 5.0.3 or later before installing and deploying Active Response clients.

All endpoint client packages were checked in with the Active Response bundle. Ensure that they are checked in at the same branch as the Endpoint Security modules, Endpoint Security Threat Intelligence, and the DXL client.

For details about product features, usage, and best practices, click ? or Help.

Task

1 Log on to McAfee ePO as an administrator.

2 Deploy the Active Response clients. All necessary clients are installed.

During deployment on Windows systems, Active Response disables Microsoft Protection Service momentarily to complete the installation. Endpoint users might see a warning that this service has been disabled. When the installation is complete, Microsoft Protection Service is restored and the warning can be ignored.

a Select Menu | Software | Product Deployment, then click New Deployment.

b Select the Active Response client software package for Windows or Linux.

On Linux 64-bit systems, compatible 32-bit libraries must be installed on endpoints for Active Response to work properly. See KB89991 for instructions.

c Click Select Systems to select which endpoints to manage with Active Response.

d Select Run Immediately and click Save to start deployment.

If an older version is already installed, the Active Response client is updated with the newer version. Also, if deploying on an older system that takes longer for a new deployment, create a client task and increase the timeout setting to greater than 20 minutes (the default setting). This ensures the deployment does not time out before it completes.

After deploying the Active Response clients, make sure to configure the appropriate McAfee ePO policies.

Uninstall clients

Remove Active Response clients from endpoints.

This procedure does not remove Endpoint Security, Threat Intelligence Exchange server, or Data Exchange Layer. For details about uninstalling software, see the McAfee ePolicy Orchestrator Installation Guide.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | System Tree.

3 From the Systems tab, select the endpoints where you want to uninstall Active Response clients. Then select Actions | Agent | Run Client Task Now.

4 Start a new client task to uninstall Active Response clients.

a Under Product, select McAfee Agent.

b Under Task Type, select Product Deployment.

c Under Task Name, select Create New Task.

d In Target platforms, select Windows or Linux.

e In Products and components, select the Active Response client package.

If you have more than one version in your Master Repository, select the latest Active Response package version.

f In the Action drop-down list, select Remove.

5 Click Run Task Now.

Viewing Active Response status

You can view the status of the Active Response server, the TIE server, and the DXL brokers. You can also see the status of Cloud Storage and service availability, and the Active Response deployments on managed endpoints.

View health status

The Health Status page shows the status of Active Response and its components.

Task

For details about product features, usage, and best practices, click ? or Help.

• Select Menu | Systems | Active Response Health Status.

The Active Response Health Status page shows this information:

• Total endpoints — The total number of endpoints in the environment where Active Response is deployed, awaiting deployment, incompatible, or deployment failed.

• Active Response deployed — The number of endpoints currently running Active Response.

• Ready for Active Response deployment — An installation or deployment task is pending, but has not yet run.

• Incompatible with Active Response — There is an Active Response requirement on the endpoint that is not met. For example, an unsupported version of Endpoint Security or McAfee Agent.

• Active Response deployment failed — An installation or deployment task ran but failed to complete.

• Active Response Server — Status of the Active Response server and a link to its configuration page. If the server is not available, click the link to troubleshoot the issue.

• DXL Brokers — Status of the DXL brokers and a link to their configuration page. If a broker is not available, click the link to troubleshoot the issue.

• Threat Intelligence Exchange Servers — Status of the TIE servers and a link to their configuration page. If a server is not available, click the link to the Health page to troubleshoot the issue.

• Cloud Storage and Services — Status of the Cloud Services required for Active Response.

Install content packages

Install content packages to get new collectors and reactions, or new versions of existing built-in collectors and reactions.

New versions of collectors and reactions in a content package might make some of your saved searches and triggers unusable. This happens only if the update changes a built-in collector output field, or if the update changes built-in reaction arguments. Check the Active Response Content Package Release Notes for information about changes to collectors and reactions introduced by a content package.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager and check in the Active Response content package.

Content packages have this naming convention: BaseActiveResponseContent-MajorVersion.MinorVersion.PatchVersion-BuildVersion.zip

If you have Auto Update enabled for deployments, the package is installed automatically after it checks in to the Master Repository. If you do not have Auto Update enabled, create an update deployment task.

2 InstallationInstall content packages

18 McAfee Active Response 2.0.0 Product Guide

3 Upgrade

A complete upgrade installs a new Active Response server, extensions, and client packages.

To minimize down-time during the upgrade process, install components in this order:

• Active Response server: Active_Response_{version}.zip

• Active Response extensions: mar-extensions-{version}.zip

• DXL and Active Response clients on managed systems

Contents

Upgrade the Active Response server
Upgrade the McAfee ePO extensions
Upgrade clients

Upgrade the Active Response server

Manage Active Response server update packages in the McAfee ePO Software Manager.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager and check in the Active Response Server package.

3 Deploy the update package.

a Select Menu | Software | Product Deployment, then click New Deployment.

b In the Package drop-down list, select the server update package.

c Click Select Systems to select the Active Response server in your network.

d Select Run Immediately and click Save to start deployment.

After the update package is installed, see Upgrade the McAfee ePO extensions to continue.

Upgrade the McAfee ePO extensions

Upgrade the Active Response extensions on McAfee ePO.

Before you begin

An Active Response server of the same or later version must be installed.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Locate the Active Response Extensions Bundle.

3 Click Check in.

4 Accept the License Agreement, then click OK.

After the extensions are installed, upgrade the Active Response client.

See also Upgrade clients on page 20

Upgrade clients

Install a newer Active Response client version on managed systems to upgrade clients.

If an endpoint is using McAfee Agent 5.0.2 or earlier, you must upgrade that endpoint to McAfee Agent 5.0.3 or later before installing and deploying Active Response clients.

You can upgrade Active Response clients while they are online. As soon as the new version is installed, clients respond to the Active Response server.

To complete the upgrade, follow the instructions in Install Clients.


4 Configuration

Configure the Active Response extensions, service, and clients from McAfee ePO.

Contents

Network ports
Active Response Service configuration
Client configuration
Access management

Network ports

Active Response uses these ports for network connectivity.

Make sure your network settings are not blocking access to the Active Response server and clients through these ports.

Table 4-1 Server ports

Port number | Open to | Incoming connections | Outgoing connections
443 | Connect to extensions on the McAfee ePO server. | Yes | Yes
8883 | Connect the DXL broker to the DXL client on the McAfee ePO server. | Yes | Yes
8081 | Connect McAfee Agent to the McAfee ePO server. | Yes | Yes
22 | Connect remotely through ssh to perform maintenance tasks. | Yes | Yes
123 UDP | Network Time Protocol | Yes | Yes

Table 4-2 Client ports

Port number | Open to | Incoming connections | Outgoing connections
8081 | Connect McAfee Agent to a McAfee ePO server. | Yes | Yes
8883 | Connect the DXL client to a DXL broker. | Yes | Yes
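A reachability check for the ports in Tables 4-1 and 4-2, added here as an example in Python (it is not McAfee's tooling): it attempts a TCP connection to each port on a host so that an administrator can confirm nothing on the path blocks them before turning to the Health Status page. The host name, the purpose strings, and the simulated connector used for offline runs are assumptions; UDP 123 has no connection handshake, so it is listed but not probed.

```python
"""Reachability check for the Active Response ports in Tables 4-1 and 4-2 (added example, not McAfee's tooling).
Attempts a TCP connect to each port so an administrator can confirm that nothing on the path blocks it;
UDP 123 (NTP) has no handshake, so it is listed separately and not probed."""
import socket
import sys

# Port lists copied from the page's tables, keyed by port number; purpose strings are paraphrased.
SERVER_TCP_PORTS = {443: "extensions on the McAfee ePO server", 8883: "DXL broker to DXL client",
                    8081: "McAfee Agent to McAfee ePO", 22: "ssh for maintenance tasks"}
SERVER_UDP_PORTS = {123: "Network Time Protocol"}
CLIENT_TCP_PORTS = {8081: "McAfee Agent to McAfee ePO", 8883: "DXL client to DXL broker"}


def check_tcp_ports(host, ports, timeout=3.0, connect=socket.create_connection):
    """Return {port: reachable}; refused, filtered and timed-out connects all count as False.
    `connect` is injectable so the check can be exercised offline (see simulated_connect)."""
    results = {}
    for port in ports:
        try:
            with connect((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


def unreachable(host, ports, **kwargs):
    """(port, purpose) pairs that did not answer: the list to take to the troubleshooting step."""
    status = check_tcp_ports(host, ports, **kwargs)
    return [(port, purpose) for port, purpose in ports.items() if not status[port]]


class _FakeSocket:
    """Minimal context-manager stand-in for a connected socket (offline demo/test only)."""
    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def simulated_connect(open_ports):
    """Build a connect() stand-in that succeeds only for `open_ports` (assumed, for offline runs)."""
    def connect(address, timeout=None):
        if address[1] in open_ports:
            return _FakeSocket()
        raise OSError(111, "Connection refused")   # what a closed or blocked port looks like to the caller
    return connect


if __name__ == "__main__":
    # Usage: python check_ports.py <active-response-server>  (host name is a placeholder you supply)
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for port, purpose in unreachable(host, SERVER_TCP_PORTS):
        print(f"port {port} ({purpose}) is not reachable on {host}")
    print(f"not probed (UDP): {SERVER_UDP_PORTS}")
```

Run it from the McAfee ePO server against the Active Response server name (and from a managed endpoint with CLIENT_TCP_PORTS against the broker) to get the list of blocked ports; a refused connection and a firewall drop both come back as unreachable, so the result says only that the path is closed, not why.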


Active Response Service configuration

Configure how the Active Response service works. Use the Active Response option in the McAfee ePO Server Settings page.

Search execution time-to-live

Active Response search expressions execute collectors on managed endpoints. Because endpoints might come online or offline during the execution of a collector, Active Response can't know when all endpoints that could answer have already answered. This configuration tells Active Response to stop expecting search results after a certain time has passed.

Authentication

The Active Response service relies on McAfee ePO certificates to authenticate access, so that only Active Response extensions can make service requests. This configuration is set up after the installation of the Active Response service. If you change the certificates used by McAfee ePO, use this configuration option to reset the certificates in the Active Response server.

Active Response Workspace configuration

These Workspace configuration settings control what you see on the Threat Workspace. The Process instances setting controls the number of threat instances that display on the trace chart. The Events per instance setting controls the number of threat events that display on the trace chart.

Server and aggregator tags

After installation, these tags are automatically applied to the Active Response server and aggregator systems:

• MARSERVER — Identifies the Active Response server.

• MARAGG — Identifies an Active Response aggregator system.

• DXLBROKER — Identifies both the Active Response server and the aggregators.

You can review and edit the tags applied to your systems in the McAfee ePO System Tree.

Client configuration

Use McAfee ePO policies to configure Active Response clients. Using policies, you can:

• Set the maximum number of results returned by search expressions.

• Enable endpoints to execute triggers.

• Enable Network Flow and File Hashing collectors and triggers.

• Enable the Trace plug-in on the endpoint. This is required to see threat activity in the Threat Workspace.

• Set database limits and maximum number of results returned by the Network Flow collector.

• Set database limits, maximum number of results returned, and files excluded by the File Hashing collector.

• Set database and data limits for the Trace collector.

• Enable system logging on managed endpoints.

Preset McAfee ePO policies

After installing Active Response, the following McAfee ePO policies are available in the Policy Catalog:

• McAfee Default — This is the policy enforced by default after installation. When this policy is enforced, NetworkFlow and Trace collectors are enabled. Triggers and File Hashing are disabled.

• Full Visibility — When this policy is enforced, NetworkFlow, File Hashing, and Trace collectors are enabled. Triggers are disabled.

• Full Monitoring — When this policy is enforced, all collectors and triggers are enabled.

Create an Active Response policy

Create an Active Response policy with custom settings.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Policy | Policy catalog.

2 From the Product list, select Active Response.

3 Select New Policy, or select an existing policy and select Duplicate.

4 Enter a name and a brief description for the new policy, then click OK.

5 Complete the fields on the Policy Catalog page for the options you want to apply to the policy.

After you create a policy, assign it to managed systems to configure the Active Response clients on those systems. See the McAfee ePO documentation for information about assigning policies.

Access management

After installation, Active Response creates permission sets to manage access to its resources.

• Group Active Response Editor — allows access to all features and resources. Most importantly, this permission set allows users to create, edit, and delete collectors, triggers, and reactions. Set this permission set for users that need to:

• Create custom content.

• Set triggers to automatically catch events on endpoints and execute reactions.

• Back up or share custom content with other McAfee ePO instances.

• Group Active Response Responder — allows access to Active Response Search. It also allows users to see the content and configuration of collectors, triggers, and reactions, but not to edit or delete them. Set this permission set for users that need to:

• Actively monitor endpoints for indicators of compromise.

• Quickly execute reactions from Active Response Search results.

• Group Active Response Responder Workspace Monitor — allows access to the Threat Workspace and Active Response Search functions. It allows users to see threat behavior activity, and to execute searches to investigate a threat but not take remediation actions. Set this permission for users that need to:

• Actively monitor endpoints for indicators of compromise.

• Inform incident responders who can remediate a possible threat.

• Group Active Response Workspace Responder — allows full access to the Threat Workspace and Active Response Search functions. It allows users to see threat behavior activity, execute searches to investigate a threat and take immediate action through the Threat Workspace, or automate tasks on endpoints through triggers and reactions. Set this permission for users that need to:

• Actively monitor endpoints for indicators of compromise.

• Take immediate action on endpoints using the Threat Workspace.

• Quickly execute reactions from search results.

• Create custom content.

• Set triggers to automatically catch events on endpoints and execute reactions.

• Back up or share custom content with other McAfee ePO instances.

You can also customize access management by creating your own permission sets.

Privacy information and Active Response

Active Response collects information from managed endpoints, such as user names, system names, and IP addresses. It also includes process activity such as modified registry entries, files created, and established network connections. Access to this information is available in Active Response pages in McAfee ePO. Make sure that access to these pages is authorized and appropriately managed.

McAfee ePO restrictions to the System Tree through access management configuration do not prevent Active Response users from receiving information from systems outside their authorized segment of the System Tree. Make sure that Active Response users are qualified and trained to appropriately handle private information from your users' systems.

McAfee also collects data that is not personally identifiable to further enhance threat intelligence, but cannot search the data or trace it back to a specific organization. For more information, review the License Agreement.

5 Using Active Response

Use Active Response to search incidents, collect data, trigger reactions, and take action on threats in your environment.

Contents

Using the Threat Workspace
Searching endpoint data
Collecting endpoint data
Reacting to incidents
Catching threats
Adding custom content
Backing up and sharing content
Error codes

Using the Threat Workspace

The Threat Workspace is where you can see all potential threats on managed endpoints and respond to them.

This is where you can detect and remediate threats in one place. Actions performed on threats are immediately made available to all managed endpoints in the environment.

Threat Workspace

There are several parts to the Threat Workspace where you can view and react to threats. The workflow moves from left to right.

Only Microsoft Windows systems information is included on the Threat Workspace. Dates displayed throughout Active Response are based on the timezone setting in the user's browser.


Table 5-1 Parts of the Threat Workspace

Total Threats

When a process executes on a managed endpoint, its behavior is traced using the Active Response client. Based on the detected behavior, the process is categorized and assigned a severity level, but ultimately you decide whether it is a threat, and what to do about it. The severity levels are:

• High Risk — The process appears to be at high risk of being a threat and must be investigated and remediated immediately.

• Suspicious — The process appears suspicious and should be investigated and remediated.

• Monitored — The risk for the process cannot be determined. Active Response continues to monitor the process and change its status based on behavior and further analysis.

Potential Threats

The processes at a particular severity level, for example, Monitored, Suspicious, or High Risk. The threats displayed are based on the selected time frame. If a process in the list is unique to your environment and is not a threat, you can set it to Known Trusted. Threats whose enterprise reputation is Known Malicious are not listed; they are blocked by the Endpoint Security protection products. However, a Known Trusted process can be listed if it exhibits suspicious behavior.

• Age is the time that has passed since the threat was first seen.

• Prevalence is the number of hosts that the threat has impacted (in the present and past).

Threat Timeline

The number of threat instances in the environment. This can be current or past instances, showing trends in the environment.

Affected Hosts

A list of managed hosts impacted by a selected potential threat. The hosts displayed are based on the time frame selected, and include only those to which you have access. You can select one or more hosts and apply an action:

• Stop process — Stops the selected threat process currently running on the hosts.

• Stop and remove — Stops the selected threat process and deletes it from the hosts.

Trace

Detailed trace information about a process for each endpoint that it ran on. You can see where the process started, registry modifications, network connections, and file creation events for the selected process. These events are represented by circular icons on the trace chart. A numbered badge on the event icon indicates that there are multiple instances of the same event.

• Clicking an event icon shows details about the event and enables you to perform an action for the selected host. For example, you can stop and remove a particular process from the host that you're investigating.

• You can expand the trace chart to full-screen view.

• The JSON details of the processes that are displayed in the trace chart can be saved into a file.

• A navigation bar along the top of the trace chart shows activity spikes, and enables you to select the time frame to view in the trace chart.

Reputation

The selected threat's reputation information from the TIE server. You can perform an action on a threat, and that action applies throughout the environment wherever the threat is present.

• Make Known Malicious — Changes the reputation of the selected process to Known Malicious and updates the reputation information in the TIE database. The process is blocked and cleaned on systems that use TIE policies that block malicious files. The process continues to display on the Threat Workspace until the action is successfully completed on all affected hosts.

• Make Known Trusted — Changes the reputation of the selected process to Known Trusted and updates the reputation information in the TIE database.

Threat Details

Detailed information about the file. Selecting More displays additional information about the threat.


Investigate and remediate a threat

You can view the list of potential threats and easily see data about what the threat is, how long it has been in your environment, and which host systems are affected. You can then remediate the threat without having to open another window or product.

If an endpoint is offline, the most current endpoint data might not be available in the Threat Workspace. In that case, the Threat Workspace displays past information that is available in the cloud storage. Remediation actions performed on outdated threat information might not affect those endpoints that are offline, or the threats that are no longer active.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | Active Response Workspace.

2 Select the type of threats you want to see, for example High Risk, Suspicious or Monitored.

The Potential Threats list shows all threat processes of that type. A process can appear as a threat, but ultimately you decide whether it is, and what to do about it.

To find a specific threat, select Total to see all threats and use the search box to filter. You can search for a process name, file hash, IP address, or registry key.

3 Select a threat from the Potential Threats list.

The information about that threat is displayed on the Threat Workspace.

• The Affected Hosts list shows detailed information about each host affected by the threat. These can be hosts where the threat is running or has run in the past. This information comes from the Threat Intelligence module or the Endpoint Security Adaptive Threat Protection module on the endpoint.

• The Reputation and Threat Details panes show detailed information about the file that generated the threat. Click More to see additional details.

• The Trace information shows details about where the threat started on a particular host, what other processes it started, and how those processes moved through the hosts in your environment. You can change what is visible on the Trace time line, for example, processes, files, registry keys, and network connections. Clicking an event on the time line displays its details in the Event Details pane.

Clicking a link in the Event Details pane opens a separate browser tab for advanced searching. For example, on a network event, you can search for more outgoing or incoming flow from that endpoint. On a registry event, you can search for the same registry key on other endpoints. Or search for the same file path or file hash on other endpoints.

4 Select an action to perform on the selected threat process:

• To perform an action on one or more selected hosts — Select one or more hosts in the Affected Hosts list, then select Host Actions to either stop the process currently running and leave it on the host, or stop the process and delete it from the host. If you stop a process and leave it on the host, you can restart it later.

• To perform an action from the Trace time line — Select an event icon for the process you want to stop, then select Host Actions to either stop the process currently running and leave it on the selected host, or stop the process and delete it from the host.

• To perform a global action on all hosts — From the Reputation pane of the selected threat, change the threat process's reputation to Known Malicious or Known Trusted. The new reputation setting is updated and saved in the Threat Intelligence Exchange database, and the process is either blocked or allowed to run on managed endpoints throughout your environment, depending on the TIE policy configurations.

When you perform an action on a process, a progress indicator appears next to the threat in the Potential Threats list, showing that the action is in progress. Go to the Remediation History page to see details about the action.


View threat remediation history

When an action is taken on a threat process in the Threat Workspace, a remediation item is created. You can view the remediation actions that were taken on specific threats, regardless of who initiated them.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Click the Remediation History link at the top of the Threat Workspace. Or, select Menu | Reporting | Remediation History.

The Remediation History page shows the threat processes that have been remediated. The information includes the action taken, the number of host systems affected by the remediation, and other details about the threat process.

2 Select an action to see its details.

• Selecting Make Known Malicious or Make Known Trusted shows the current Threat Intelligence Exchange reputation information for the file.

• Selecting Stop process or Stop and remove shows details about the threat, including where it was running, the McAfee Agent GUID, and event information.

3 Select Impacted Hosts to see a list of the host systems affected by a specific threat.

Tasks

• Delete threat remediation history on page 28 — Use a server task to delete threat remediation history information.

Delete threat remediation history

Use a server task to delete threat remediation history information.

Server tasks are configurable actions that run on McAfee ePO at scheduled times or intervals. You can create a server task to delete remediation entries older than a specific date.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Automation | Server Tasks, then click New Task.

2 Give the task an appropriate name, and decide whether the task has a Schedule status. If you want the task to run automatically at set intervals, click Enabled, then click Next.

3 From the Actions drop-down, click Purge Remediation History. Specify how old a remediation record must be before it's purged, then click Next.

4 Choose the schedule type (the frequency), start date, end date, and schedule time to run the task.

The Summary page appears.

5 Click Save to save the task.

The new task appears in the Server Tasks list.


Searching endpoint data

Active Response searches data on your managed endpoints in real time.

To avoid stressing the network, all searches time out automatically after a configurable amount of time. See Active Response Service configuration for more information.

The search box understands simple syntax to combine collectors and build powerful search expressions and filters. A search expression consists of two parts:

• A projection of at least one collector. The collector name specifies the data that Active Response returns. The projection lists the output fields that appear as columns in the Search results table. If no output fields are specified, the default output fields are presented.

• Optionally, a filter applied to the values in the output fields. Filters specify conditions to match in returned data. Only data that matches the filter appears in the Search results table.

Simple search expression

Get all records returned by the Processes collector.

Processes

Search expression with projected fields

Get the name, SHA1, and MD5 values for all records returned by the Processes collector.

Processes name,sha1,md5

Search expression with filtered values

Get the name, SHA1, and MD5 values from the Processes collector, for process files that have the ".exe" extension.

Processes name, sha1, md5 where Processes name contains ".exe"

Search expression with multiple collectors in the projection

Get the name and path of process files that currently spawn more than five threads.

Processes name and Files dir where Processes threadCount greater than 5

System Tree restrictions to search results

When you run a search expression, not every endpoint on the DXL fabric replies with results. Results come only from those endpoints where your McAfee ePO administrator has granted access to you. For example, suppose that you have access to endpoints in China and don't have access to endpoints in Poland. When you run a search expression, only endpoints in China reply with results.

These access restrictions are set on the System Tree sections of the Permission Sets that apply to your McAfee ePO user.

Use the search box

Write search expressions to navigate results.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | Active Response Search.

2 In the Search box, enter a search expression.

See Search syntax for details about writing search expressions.

3 Click Search to start collecting data from managed endpoints.

If Search is disabled, check for errors in the search expression.

• Click Cancel to stop an ongoing search.

• Click Save search to store the search expression in the Searches tab of the Active Response Catalog.

Get the names and IDs of processes that execute 10 or more threads:

Processes name, id where Processes threadCount greater equal than 10

See also
Search syntax on page 31
CurrentFlow collector on page 34
Files collector on page 36
HostEntries collector on page 37
HostInfo collector on page 37
InstalledUpdates collector on page 39
LocalGroups collector on page 39
NetworkFlow collector on page 40
Processes collector on page 42
UserProfiles collector on page 45
WinRegistry collector on page 46

Save a search expression

You can save any number of expressions in the Searches tab of the Active Response Catalog.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | Active Response Search.

2 In the Search box, type a search expression.

3 Click Save search.

4 Enter a name and description for the search expression. This information appears as details in the Searches tab of the Active Response Catalog.

5 Click OK.

See also Search syntax on page 31


Use a saved search expression

Quickly start an Active Response search from a previously saved search expression.

Before you begin

A search expression must be saved in the Active Response Catalog to complete this task.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Active Response Catalog | Searches.

2 Click the name of the search expression that you want to run.

To import, export or delete saved search expressions, use Actions in the Searches tab of the Active Response Catalog.

See also Search syntax on page 31

Search syntax

Use this detailed example to create powerful, real-time searches.

Get the names and IDs of processes that execute 10 or more threads.

Processes name, id where Processes threadCount greater equal than 10

Projection

The projection clause specifies which columns to show in the search results table. This example shows only two columns: process name and id.

Processes name, id

Term | Name | Description
Processes | Collector name | Specifies the search capabilities and output fields of the specific collector. In the example, the collector for running processes is selected.
name, id | Collector output fields | Selects an output field from the collector. In the projection, the output field represents a column in the result table.

Filter

The filter clause specifies conditions to match in the returned data. Only data that matches the filter appears in the search results table. In this example, only processes that execute 10 or more threads match the filter.

where Processes threadCount greater equal than 10

Term | Name | Description
where | Filter keyword | The keyword that starts a filter clause.
Processes | Collector name | Specifies the search capabilities and output fields of the specific collector. In the example, the collector for running processes is selected.
threadCount | Collector output field | Specifies which output field from the collector must be matched against the condition.
greater equal than | Comparison operator | The operator that defines the condition to match. Different operators are available for different literal types.
10 | Literal | A literal value.

Logical operators

Operator | Used in | Usage | Description
and | Projections and filters | Projection: Processes name and Files dir; Filter: where Processes name starts with "abc" and Processes threadCount equals 5 | In a projection, and selects output fields from different collectors. In a filter, it displays a result record if both the first condition and the second condition are true.
or | Filters | where Processes name starts with "abc" or Processes name starts with "xyz" | Displays a result record if either the first condition or the second condition is true.
not | Filters | where Processes name not starts with "abc" | Negates a comparison operator, so that the condition returns true if the comparison is false, or returns false if the comparison is true.

Comparison operators

Data type | Operator | Usage
Timestamp | before | where Files last_access before "2014-12-31"
Timestamp | after | where Files last_access after "2014-12-31"
Number | equals | where Files size equals 1024
Number | greater than | where Files size greater than 1024
Number | greater equal than | where Files size greater equal than 1024
Number | less than | where Files size less than 1024
Number | less equal than | where Files size less equal than 1024
String | equals | where Files name equals "abc"
String | contains | where Files name contains "abc"
String | starts with | where Files name starts with "abc"
String | ends with | where Files name ends with "abc"
IP | equals | where NetworkFlow src_ip equals 10.250.45.15
IP | contains | where NetworkFlow src_ip contains 10.250.0.0/24

All string comparisons are case insensitive. Filtering by IPv4 omits IPv6 results and, likewise, filtering by IPv6 omits IPv4 results.

Literals

When searching for a path, you must enter an additional \ character in directory paths, for example, Users\\Administrator\\Documents. When searching for a value that includes a double quotation mark, use the \ character before the quotation, for example, Files where File name contains \".

Type | Sample values
Timestamp | "2014", "2014-12", "2014-12-31"
Number | 123, 123.45
IP | 10.250.45.15, 10.250.45.15/24, 2001:0DB8::1428:57ab, 2001:0DB8::1428:57ab/96
String | "aString123", "This is another string", "quotes\"in\"string"
Win Registry String | "My Computer\\HKEY_LOCAL_MACHINE\\HARDWARE\\VIDEO", "0x00000001"
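The projection and filter grammar, the logical and comparison operators, and the literal rules described in Search syntax, worked through as an added Python example. This is not McAfee's code and it never contacts an endpoint: it tokenizes an expression, splits it into projection and filter, and evaluates the filter against constructed records shaped like collector output (the field names follow the Processes, Files and NetworkFlow usage shown in the tables above). Points the page leaves open and that are assumed here: and binds tighter than or, a missing or incomparable field never matches, a projection that names no fields returns every field of the constructed record, and the sample records are invented.

```python
"""Toy parser/evaluator for Active Response search expressions (added example, not McAfee's code).
Covers the projection/filter grammar, logical and comparison operators, and literal escaping from
'Search syntax'. Assumed: 'and' binds tighter than 'or'; a missing or incomparable field never matches."""
import ipaddress
import re

OPERATORS = ["greater equal than", "less equal than", "greater than", "less than",
             "starts with", "ends with", "equals", "contains", "before", "after"]
TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')  # quoted string (\" and \\ escapes) or bare word

def tokenize(expr):
    """Quoted strings become ('str', text) with escapes resolved; bare words are split on commas."""
    tokens = []
    for m in TOKEN_RE.finditer(expr):
        if m.group(1) is not None:
            tokens.append(("str", re.sub(r"\\(.)", r"\1", m.group(1))))
        else:
            tokens.extend(part for part in re.split(r"(,)", m.group(2)) if part)
    return tokens

def to_literal(tok):
    """Quoted tokens stay strings; bare tokens become a number, an IP/CIDR network, or a string."""
    if isinstance(tok, tuple):
        return tok[1]
    for convert in (int, float, lambda t: ipaddress.ip_network(t, strict=False)):
        try:
            return convert(tok)
        except ValueError:
            pass
    return tok

def parse_projection(toks):
    """'Processes name, id and Files dir' -> [('Processes', ['name', 'id']), ('Files', ['dir'])]."""
    groups = [[]]
    for tok in toks:
        if tok == "and":
            groups.append([])
        else:
            groups[-1].append(tok)
    return [(g[0], [f for f in g[1:] if f != ","]) for g in groups if g]

def parse_filter(toks):
    """Return or-groups of and-conditions; a condition is (collector, field, negate, op, literal)."""
    i, or_groups = 0, [[]]
    while i < len(toks):
        collector, field, i = toks[i], toks[i + 1], i + 2
        negate = toks[i] == "not"                 # 'not' negates the comparison that follows it
        i += int(negate)
        op = next((o for o in OPERATORS if toks[i:i + len(o.split())] == o.split()), None)
        if op is None:
            raise ValueError(f"unknown comparison operator near token {i}")
        i += len(op.split())
        or_groups[-1].append((collector, field, negate, op, to_literal(toks[i])))
        i += 1
        if i < len(toks) and toks[i] not in ("and", "or"):
            raise ValueError(f"expected 'and' or 'or' near token {i}")
        if i < len(toks) and toks[i] == "or":
            or_groups.append([])
        i += 1
    return or_groups

def compare(value, op, lit):
    # The literal's type selects the operator family, as in the page's comparison table.
    if isinstance(lit, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        # membership test; a v6 address is never inside a v4 network, so IPv4 filters omit IPv6 results
        return ipaddress.ip_address(value) in lit
    if op in ("before", "after"):                 # ISO-8601 date strings order chronologically
        return value < lit if op == "before" else (value > lit and not value.startswith(lit))
    if isinstance(lit, (int, float)):
        return {"equals": value == lit, "greater than": value > lit, "greater equal than": value >= lit,
                "less than": value < lit, "less equal than": value <= lit}[op]
    v, s = str(value).lower(), str(lit).lower()   # every string comparison is case insensitive
    return {"equals": v == s, "contains": s in v, "starts with": v.startswith(s), "ends with": v.endswith(s)}[op]

def matches(cond, record):
    collector, field, negate, op, lit = cond
    if field not in record.get(collector, {}):
        return False                              # missing collector or field: never a match (assumption)
    try:
        return compare(record[collector][field], op, lit) != negate
    except (ValueError, TypeError, KeyError):     # value/operator/type mismatch: treat as no match
        return False

def run_search(expr, records):
    """Evaluate expr over records shaped {collector: {field: value}} and return the projected rows."""
    toks = tokenize(expr)
    split = toks.index("where") if "where" in toks else len(toks)
    projection = parse_projection(toks[:split])
    filt = parse_filter(toks[split + 1:]) if split < len(toks) else [[]]   # no filter: match everything
    return [{f"{coll} {f}": record[coll][f] for coll, fields in projection for f in (fields or list(record[coll]))}
            for record in records if any(all(matches(c, record) for c in group) for group in filt)]

SAMPLE_RECORDS = [  # constructed sample data, not real endpoint telemetry
    {"Processes": {"name": "svchost.exe", "id": 812, "threadCount": 14}, "NetworkFlow": {"src_ip": "10.250.45.15"},
     "Files": {"name": "svchost.exe", "dir": "C:\\Windows\\System32", "size": 52736, "last_access": "2015-01-10"}},
    {"Processes": {"name": "notepad.exe", "id": 2040, "threadCount": 3}, "NetworkFlow": {"src_ip": "10.250.46.7"},
     "Files": {"name": "notepad.exe", "dir": "C:\\Windows", "size": 215040, "last_access": "2014-12-30"}},
    {"Processes": {"name": "sshd", "id": 1533, "threadCount": 5}, "NetworkFlow": {"src_ip": "2001:db8::1428:57ab"},
     "Files": {"name": "sshd", "dir": "/usr/sbin", "size": 786432, "last_access": "2014-11-02"}},
]
```

Two calls show the rules that trip people up. run_search("NetworkFlow src_ip where NetworkFlow src_ip contains 10.250.45.0/24", SAMPLE_RECORDS) returns only the 10.250.45.15 row: the IPv6 record is dropped by the network membership test, which is the behaviour the IP rows of the comparison table describe. The raw string r'Files name where Files dir equals "c:\\windows\\system32"' carries the doubled backslashes the Literals section requires; the tokenizer collapses each \\ to \ before the case-insensitive comparison, so it matches the C:\Windows\System32 record.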

• Look at the Health Status page before and after installing to view any endpoint incompatibilities or deployment errors.

• Make sure your Windows endpoints are running McAfee Agent 5.0.3 or later.

• Make sure your Linux endpoints are running McAfee Agent 5.0.3 or later and Endpoint Security 10.2.2.

• Make sure your macOS High Sierra endpoints are running McAfee Agent 5.0.6.347.

Collecting endpoint data

Active Response collects real-time data from managed endpoints. Active Response collectors are components that run on managed endpoints, executed by search expressions.

Collectors specify what data to collect from managed endpoints, and how to report it back to Active Response.There are two main types of collectors.

• Built-in — Active Response provides these collectors by default, available after installation.

• Custom — You create these collectors to gather specific data.

Collector summary

A name and description identify each collector. Give meaningful names and descriptions to collectors, based on the domain of the collected data, to easily find them in the Active Response Catalog.

Collector content

A collector's content specifies the code that Active Response executes on a managed operating system to collect data. See Custom content for information about content types and usage.


Collector output

The data returned by a collector is accessible through the collector's output fields. The output data fills thesearch results table after running a search expression. To create columns for the result table, a collector definesthree attributes:

• Name — Sets a column header.

• Type — Specifies a data type for the values in the column. See Literals section in Search syntax for a list of available data types.

• Show by default — Sets the column to appear by default in the search results table.

Built-in collectors

Active Response provides several collectors, available out of the box after installation.

CommandLineHistory collector

Returns the command line history from managed Linux endpoints.

Collector output (Only on Linux)

Field Type Description

user String The user who runs the command.

ID Number The incremental execution sequence number (number 1 is the first command executed).

CommandLine String The command executed.

The history of the command_line and the number depend on the previous configuration available on each endpoint.

Show history of the usage of the service command

CommandLineHistory where CommandLineHistory command_line contains "service"

CurrentFlow collector

The CurrentFlow collector gathers real-time data on the network flow from managed endpoints.

Collector output

Field Type Description

local_ip IPv4 or IPv6 address IP address of the source of the packet. Supports CIDR block notation.

local_port Number Port number originating the packet.

remote_ip IPv4 or IPv6 address IP address of the destination of the packet. Supports CIDR block notation.

remote_port Number Port number receiving the packet.

status String The status of the TCP transaction (not available in UDP transactions).

process_id Number The originating process' ID.

user String The user that owns the originating process.

user_id String The user ID of the process owning the socket.

proto String The packet's protocol: TCP or UDP.


md5 String The MD5 hash code for the source process.

sha1 String The SHA1 hash code for the source process.

Show process image names for current flow originating on CIDR block 10.250.45.0/24 and targeting endpoint 10.0.0.2.

CurrentFlow process_id where CurrentFlow local_ip contains 10.250.45.0/24 and CurrentFlow remote_ip equals 10.0.0.2

See also Use the search box on page 29

DNSCache collector

The DNSCache collector shows DNS information on endpoint local cache.

Table 5-2 Collector output

Field Type Description

hostname String The host name.

ipaddress String The IP address for the host.

Show DNS information for host "ping.alot.com"

DNSCache where DNSCache hostname equals "ping.alot.com"

EnvironmentVariables collector

This collector returns information about system environment variables, current user, and volatile and process variables.

Collector output

Field Type Description

username String The owner of the process that is running on the environment where this variable is set.

process_id Number ID given by operating system to the process.

name String The variable's name.

value String Value set by variable.

Show the PATH environment variable set on endpoint 192.168.0.5

EnvironmentVariables where EnvironmentVariables name equals "PATH" and HostInfo ip_address equals 192.168.0.5


Files collector

The Files collector gathers data about managed endpoints' file systems.

Table 5-3 Collector output

Field Type Description

name String The file name.

dir String The directory path where the file lives.

When matching directories with the equals operator, a trailing path separator is needed.

Windows example: dir equals "C:\\Program Files\\"

Linux example: dir equals "/bin/"

macOS example: dir equals "/bin/"

full_name String The fully qualified file name, including its path.

size Number File size in bytes.

last_write Date The last time the operating system wrote the file.

md5 String The file's content, in MD5 format.

sha1 String The file's content, in SHA1 format.

created_at Date Time stamp when the file was created.

deleted_at Date Time stamp when the file was deleted.

status String Shows current for files that are currently on the file system, or deleted for files thatwere removed from the file system.

Show files in the C:\Windows\Boot\DVD\EVE\ path.

Files where Files dir equals "c:\\windows\\boot\\dvd\\efi\\"

File hashing

To provide information about file systems, Active Response must first complete the file hashing process to record file system metadata in its databases.

Active Response hashes only non-removable file systems.

• On Windows, Active Response hashes only media that return DRIVE_FIXED after calling the GetDriveTypeA function.

• On Linux, Active Response hashing ignores all paths that return RM = 1, TYPE = part, MOUNTPOINT != "" after running the command lsblk -o RM,TYPE,MOUNTPOINT -r.
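The following Python script is an added example, not part of this guide or of the product. It applies the Linux rule above to the output of lsblk -o RM,TYPE,MOUNTPOINT -r, so an analyst can tell in advance which mount points the Files collector will never report on (files on a mounted removable partition are not hashed, and therefore do not appear in Files search results). The sample lsblk output is constructed, and the function names are this example's own.

```python
import subprocess

# Constructed sample of `lsblk -o RM,TYPE,MOUNTPOINT -r` output, not captured
# from a real endpoint. RM is 1 for removable media, TYPE is the device kind,
# and MOUNTPOINT is empty for devices that are not mounted.
SAMPLE_LSBLK_OUTPUT = """\
RM TYPE MOUNTPOINT
0 disk
0 part /
0 part /boot
0 part /home
1 disk
1 part /media/usb0
0 rom
"""


def parse_lsblk(raw: str) -> list:
    """Parse raw-format lsblk output (RM, TYPE, MOUNTPOINT columns) into dicts."""
    rows = []
    for line in raw.strip().splitlines()[1:]:  # the first line is the column header
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        rows.append({
            "rm": parts[0] == "1",
            "type": parts[1],
            "mountpoint": parts[2] if len(parts) == 3 else "",
        })
    return rows


def is_ignored_by_hashing(row: dict) -> bool:
    """The guide's Linux rule: a mounted partition on removable media is skipped."""
    return row["rm"] and row["type"] == "part" and row["mountpoint"] != ""


def split_mountpoints(raw: str) -> tuple:
    """Return (hashed, ignored) mount points for the given lsblk output."""
    hashed, ignored = [], []
    for row in parse_lsblk(raw):
        if not row["mountpoint"]:
            continue  # an unmounted device holds no paths to hash
        (ignored if is_ignored_by_hashing(row) else hashed).append(row["mountpoint"])
    return hashed, ignored


def live_lsblk_output() -> str:
    """Run the same lsblk command the guide cites on the local Linux host."""
    return subprocess.run(["lsblk", "-o", "RM,TYPE,MOUNTPOINT", "-r"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    hashed, ignored = split_mountpoints(SAMPLE_LSBLK_OUTPUT)
    print("hashed:", hashed)
    print("ignored:", ignored)
```

Run with live_lsblk_output() in place of the constructed sample to check a specific Linux endpoint; a USB drive that shows up under ignored is one that a Files search, and any trigger built on file hashes, will not see.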

Restrictions

Some restrictions apply to what files are returned by the collector.

• Only endpoints where the user has System Tree permissions reply with results.

• Only files that are not excluded by ignore policies appear in search results.

• Depending on the database size limit set on file hashing policies, information about files deleted before the past 30 days might not appear in search results.

See also Use the search box on page 29


HostEntries collector

The HostEntries collector shows the IP addresses and host names from the hosts file on Windows and Linux endpoints.

Table 5-4 Collector output

Field Type Description

ipaddress IP An IP address set in the hosts file.

hostname String The host name mapping for the IP address.

Find endpoints whose hosts file configures access to www.malware.com.

HostEntries where HostEntries hostname equals "www.malware.com"

See also Use the search box on page 29

HostInfo collector

The HostInfo collector shows an endpoint's host name, physical IP address, and operating system version.

Table 5-5 Collector output

Field Type Description

hostname String The endpoint's host name.

ip_address IP The endpoint's first physical IP address

os String The endpoint's operating system version.

Find all endpoints with Windows operating system.

HostInfo where HostInfo os contains "Windows"

See also Use the search box on page 29

InstalledCertificates collector

Returns information about installed certificates.

Collector output

Field Type Description

issued_to String The subject field identifies the entity associated with the public key stored in the subject public key field.

issued_by String Identifies the entity that has signed and issued the certificate.

expiration_date Timestamp Indicates the expiration date of the certificate.

purposes String The key usage extension defines the purpose (for example, encipherment, signature, and certificate signing) of the key obtained in the certificate. The usage restriction might be employed when a key that could be sent for more than one operation is to be restricted.


purposes_extended String This extension indicates one or more purposes for which the certified public key might be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension appears only in end entity certificates. This field is optional. (Extended Key Usage on Linux and Enhanced Key Usage on Windows).

friendly_name String Displays a more friendly name of the certificate. (Only on Windows)

On Linux, the certificate files read are ca-bundle.crt and ca-bundle.trust.crl at /etc/pki/tls/certs. On Windows, certificates must be registered in the Certs: drive. Otherwise, the certificates aren't displayed.

Show the installed certificates issued by Intel

where installed_certificates issued_by contains "Intel"

InstalledDrivers collector

The InstalledDrivers collector shows details about drivers installed on managed endpoints.

Table 5-6 Collector output

Field Type Description

displayname String The display name for the driver.

description String A description for the driver.

last_modified_date Timestamp A date-time value indicating when the driver was last modified.

name String A short name that uniquely identifies the driver.

servicetype String The type of service provided to calling processes.

startmode String The driver start-up mode:

• Boot — the driver is started by the operating system loader.

• System — the driver is started by the operating system.

• Automatic — the driver starts automatically at system start-up.

• Manual — the driver starts by the service control manager.

• Disabled — the driver can no longer be started.

state String The current state of the driver.

path String The fully qualified path to the driver file.

Show drivers which are disabled on endpoints.

InstalledDrivers where InstalledDrivers state equals "disabled"


InstalledUpdates collector

The InstalledUpdates collector gathers data about installed updates, hotfixes, and security updates on Windows endpoints.

Table 5-7 Collector output

Field Type Description

description String The description for the update package.

hotfix_id String Microsoft knowledge base identifier for the update package.

install_date Timestamp The date when the package was installed.

installed_by String The user name that performed the installation, qualified by its namespace.

Show which hotfix packages were installed by bad_user.

InstalledUpdates where InstalledUpdates description equals "Hotfix" and InstalledUpdates installed_by contains "bad_user"

See also Use the search box on page 29

InteractiveSessions collector

The InteractiveSessions collector gathers information about live interactive sessions on endpoint systems.

Table 5-8 Collector output

Field Type Description

userid String The username that is logged into the session.

name String The user's full name.

This field is not reported for non-local users.

Show interactive sessions for user 'owilde'

InteractiveSessions where InteractiveSessions userid equals "owilde"

On Windows endpoints, information about past sessions may appear in the results if they belonged to accounts from different domains that have the same userid as the currently active one.

LocalGroups collector

The LocalGroups collector gathers data on local system groups. Active Directory groups are not returned.

Table 5-9 Collector output

Field Type Description

groupname String The name of the group.

groupdomain String The domain name of the local group.

groupdescription String The description of the local group.

islocal String Confirms that the group is stored locally on the endpoint.

sid String The security identifier for the group.

Show local groups under the "corp.sensitive" domain.

LocalGroups where LocalGroups groupdomain contains "corp.sensitive"


See also Use the search box on page 29

LoggedInUsers collector

The LoggedInUsers collector gathers data about users logged into managed systems.

Table 5-10 Collector output

Field Type Description

id String The user ID set by the operating system.

userdomain String The domain to which the user belongs.

username String The log-in username.

Show users logged under the "RISK" domain

LoggedInUsers where LoggedInUsers userdomain equals "RISK"

NetworkFlow collector

The NetworkFlow collector gathers historical data on network usage from managed endpoints.

Table 5-11 Collector output

Field Type Description

src_ip IPv4 or IPv6 address IP address of the source of the packet. Supports CIDR block notation.

src_port Number Port number originating the packet.

dst_ip IPv4 or IPv6 address IP address of the destination of the packet. Supports CIDR block notation.

dst_port Number Port number receiving the packet.

time Date Date and time when the packet was collected.

status String The status of the TCP transaction (not available in UDP transactions).

The TCP status must be interpreted as follows:

• On a TCP connection open operation, the CONNECTED value means that the source endpoint sent a SYN message and received an ACK,SYN message from the remote server.

• On a TCP connection close operation, the CLOSED value means that the source endpoint sent a SYN message and received an ACK,FIN message from the destination server.

• The final ACK message is ignored on both open and close operations.

process String The originating process' image name.

process_id Number The originating process' ID.

user String The user that owns the originating process.

user_id String The user ID of the process owning the socket.

proto String The packet's protocol: TCP or UDP.

flags String One of TCP flags ACK, SYN, RST, FIN.


direction String Specifies whether the packet came in to the managed endpoint, or was sent out of the endpoint.

ip_class Number Specifies the IP class used for the transaction:

• IPv4 returns 0

• IPv6 returns 1

• Unknown returns 2

seq_number Number TCP transaction sequence number (not available in UDP transactions).

src_mac String MAC address of originating endpoint.

dst_mac String MAC address of destination endpoint (Linux only).

md5 String The MD5 hash code for the source process.

sha1 String The SHA1 hash code for the source process.

Show process IDs and image names for network flow originating on CIDR block 10.250.45.0/24 and targeting endpoint 10.0.0.2.

NetworkFlow process, process_id where NetworkFlow src_ip contains 10.250.45.0/24 and NetworkFlow dst_ip equals 10.0.0.2

See also Use the search box on page 29

NetworkInterfaces collector

The NetworkInterfaces collector lists network interfaces on managed endpoints.

Table 5-12 Collector output

Field Type Description

bssid String The BSSID to which the interface is connected.

displayname String The interface's short name on the operating system.

gwipaddress IP The IP address of the gateway to which the interface is connected.

gwmacaddress String The MAC address of the gateway to which the interface is connected.

ipaddress IP The interface's IP address.

ipprefix Number The IP prefix for the interface's IP address.

macaddress String The interface's MAC address.

name String The interface's name.

ssid String The SSID to which the interface is connected.

type String The interface's type.

wifisecurity String The WiFi security algorithm used by the interface on the current connection.


NetworkSessions collector

Gets information about currently open network sessions on the endpoint.

Collector output

Field Type Description

computer String IP or hostname of remote endpoint.

user String User logged on to host through the network session.

client String Remote session command provider. (Only on Windows.)

file String Path of local resource being accessed by client. (Only on Windows.)

idletime String Time since last session activity. (Only on Windows.)

Show which shared resources are being accessed by username "owilde"

NetworkSessions where NetworkSessions user equals "owilde"

NetworkShares collector

Finds network shared paths accessible from each managed endpoint.

Collector output

Field Type Description

name String Name of shared resource.

description String Description of shared resource set either by the user or by default.

path String Local path to the resource.

When the Samba service is started, only resources configured at /etc/samba/smb.conf are returned by the collector. It obtains information about the Network File System (NFS) from the file /etc/samba/smb.conf.

Show which paths on endpoint "owilde-office" are being shared

NetworkShares path where HostEntries hostname equals "owilde-office"

Processes collector

The Processes collector gathers data on processes running on managed endpoints.

Table 5-13 Collector output

Field Type Description

name String The name of the running process.

id Number The process' system identifier.

threadCount Number The number of active threads spawned by the process.

parentId Number The system identifier for the process that spawned the current process.

parentname String The name of the process that spawned the current process.

size Number The amount of resident RAM used by the process.

md5 String The MD5 hash code for the process.

sha1 String The SHA1 hash code for the process.


cmdline String The command that started the process.

imagepath String Path to the process' image name.

kerneltime Number The process' use of kernel mode CPU time, in seconds.

usertime Number The process' use of user mode CPU time, in seconds.

uptime Number The number of seconds passed since the process started.

user String The user name that started the process.

user_id String The ID for the user that started the process.

Show processes' names and RAM size for processes that use more than 10 MB of resident RAM.

Processes name, size where Processes size greater than 10240

See also Use the search box on page 29

ScheduledTasks collector

Shows the status of scheduled tasks on Windows and Linux endpoints, and also when each is scheduled to run next.

Collector output

Field Type Description

folder String The path from where the scheduled task runs. (Empty on Linux)

taskname String Name of task.

nextruntime Date Time and date when the task will run.

status String Current task status can be ready, disabled, setting, running, or could not start.

task_run String Full command line to execute tasks.

last_run Date Last time the task ran successfully.

username String Name of the user that executed the task.

schedule_on String See Trigger field documentation.

log_on_type String Security logon method required to run tasks. See Log on Type documentation. (Only for Windows)

Show when will the task called 'backupDaily' run next

ScheduledTasks taskname, nextruntime where ScheduledTasks taskname equals "backupDaily"


Services collector

The Services collector lists services installed on managed endpoints.

Table 5-14 Collector output

Field Type Description

description String A description of the service's functionality.

name String A short name that uniquely identifies the service.

startuptype String The start-up mode:

• Boot — specifies a device driver started by the operating system loader.

• System — specifies a device driver started by the operating system.

• Automatic — specifies a service that starts automatically at system start-up.

• Manual — specifies a service started by the service control manager.

• Disabled — specifies a service that can no longer be started.

status String The current status of the service.

user String The user that owns the service's process.

Show services that are currently running and are set to start manually by users.

Services where Services status equals "Running" and Services startuptype equals "Manually"

Software collector

The Software collector lists software installed on managed endpoints.

Table 5-15 Collector output

Field Type Description

displayname String Commonly used software name.

installdate Timestamp A date-time value indicating when the object was installed.

publisher String The name of the software's supplier.

version String Software version information.

Show installed software provided by 'Bad Co.' publisher

Software where Software publisher equals "Bad Co."

Startup collector

The Startup collector shows information about start-up applications on managed endpoints.

Table 5-16 Collector output

Field Type Description

caption String The short name set by the application.

command String The command line that starts the application.

description String The description set by the application.

name String The application's file name.

user String The user name for whom this start-up command will run.


Show applications that start up automatically for user 'owilde'

Startup where Startup user equals "owilde"

UsbConnectedStorageDevices collector

Find which users have used USB mass storage devices on managed endpoints. This collector gets details on last usage and device details.

Collector output

Field Type Description

vendor_id String Device's vendor ID.

product_id String Device's product ID.

serial_number String Device's serial number.

device_type String Only "USB storage" type is supported.

guid String ID provided by operating system. (Only on Windows)

last_connection_time Date Last time the device was plugged. (Only on Windows)

user_name String User that mounted the device. If no user was logged in when the device was mounted, then the field will be empty. (Only on Windows)

last_time_used_by_user Date Last time the operating system touched the device.

Show all USB storage devices that were connected to computers with running Windows

UsbConnectedStorageDevices where HostInfo os contains "win"

UserProfiles collector

The UserProfiles collector gathers data about local users on Windows endpoints.

Collector output

Field Type Description

accountdisabled String True if the account is disabled. False otherwise.

This field is not returned for non-local users.

domain String The domain that holds the user.

This field is not returned for non-local users.

fullname String The user's full name.

This field is not returned for non-local users.

installdate Timestamp The creation date for the user's home folder (C:\Users\user‑name). The user must log in at least once for this date to be returned.

localaccount String True if the user is stored locally on the endpoint. False otherwise.

lockedout String True if the user has been locked out from the endpoint. False otherwise.

This field is not returned for non-local users.


accountname String The user's account name.

sid String The security identifier for the user.

passwordexpires String True if the password is configured to expire. False otherwise.

This field is not returned for non-local users.

Find user accounts that have been locked out from endpoints.

UserProfiles where UserProfiles lockedout equals "true"

See also Use the search box on page 29

WinRegistry collector

The WinRegistry collector gathers Windows registry data from endpoints.

Collector output

Field Type Description

keypath Win Registry String A path to a registry key. The path does not include the key name.

Only equals and starts_with operators are valid for this output field.

keyvalue Win Registry String The key value name.

valuedata Win Registry String The data stored by the key value.

valuetype Win Registry String The data type of the registry data.

Show registry data related to Active Response installation on managed endpoints.

WinRegistry where WinRegistry keypath equals "hkey_local_machine\\software\\mcafee\\mar"

Strings in conditions and filters are case insensitive: "software" and "SOFTWARE" match the same registry entries.

See also Use the search box on page 29

Custom collectors

Custom collectors use the output of content execution to gather specific data from managed endpoints.

The collector parses content output as records of comma-separated values. Then, it matches the fields in the records to the output fields defined for the collector, in order of appearance.

If a collector's content executes the following lines:

echo "value1","value2"

echo "value3","value4"

Active Response maps "value1" and "value3" to the first output field, and "value2" and "value4" to the second output field, like this:


Output field 1 Output field 2

value1 value2

value3 value4
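The following Python script is an added example, not part of this guide or of the product. It reproduces the positional mapping described above so that a custom collector's content can be tested on a workstation before it is saved: each CSV record from the content output is mapped onto the declared output fields in order, Number fields are converted, a quoted value may carry a comma of its own, and a record whose width does not match the field list is rejected rather than silently misaligned. The output fields, the sample output and the function names are constructed for this example.

```python
import csv
import io

# Output fields as declared on a custom collector: (name, Type), in the order
# the collector's Output list defines them. Constructed example.
OUTPUT_FIELDS = [("path", "String"), ("size", "Number")]

# Constructed content output, one record per line. A Bash echo prints the
# values without quotes while a Windows cmd echo keeps them; csv.reader
# accepts both, and quoting is what lets the first path carry a comma.
SAMPLE_OUTPUT = '"C:\\Temp\\report,final.exe",1024\n/var/tmp/x,20\n'


def coerce(value: str, field_type: str):
    """Convert one CSV cell to the Python value for the declared field type."""
    if field_type == "Number":
        return float(value) if "." in value else int(value)
    # String, IP, Timestamp and Win Registry String are kept as text here.
    return value


def parse_collector_output(raw: str, fields) -> list:
    """Map CSV records from content output onto output fields, by position.

    Raises ValueError for a record whose width differs from the field list,
    which is the most common way a custom collector misaligns its data.
    """
    records = []
    reader = csv.reader(io.StringIO(raw), skipinitialspace=True)
    for lineno, row in enumerate(reader, 1):
        if not row:
            continue  # blank line in the output
        if len(row) != len(fields):
            raise ValueError(
                f"record {lineno}: expected {len(fields)} values, got {len(row)}")
        records.append({name: coerce(cell, ftype)
                        for (name, ftype), cell in zip(fields, row)})
    return records


def is_well_formed(raw: str, fields) -> bool:
    """True when every record in the output fits the declared field list."""
    try:
        parse_collector_output(raw, fields)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for record in parse_collector_output(SAMPLE_OUTPUT, OUTPUT_FIELDS):
        print(record)
```

Because the mapping is purely positional, a content script that prints an extra diagnostic column, or omits a value on some lines, shifts every later field; checking the width of each record is the test to run on the content's raw output before trusting the Search Results table it produces.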

See also Create a custom collector on page 47

Create a custom collector

Specify what data to collect from endpoints with custom collectors.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | Active Response Catalog.

2 Select the Collectors tab, then click New Collector.

3 Enter a name and description for the collector.

4 For either or both the Windows and Linux tabs, insert the collector's content.

a Use the Type drop-down list to select the appropriate content type.

b In the Content code editor, enter the commands or code that Active Response executes on managed endpoints.

Add content to both Windows and Linux tabs to run the collector on both Windows and Linux managed endpoints.

5 Click Add Output or + to add an output field.

6 Enter a name for the field.

7 From the Type drop-down list, select a type for the field's data.

8 Select Show by default to make the output field a default field in the Search results table.

9 Click Save to finish.

If Save is disabled, check for problems in the form fields.

See also
Custom collectors on page 46
Adding custom content on page 56
Content output on page 57
Content types on page 59

Reacting to incidents

Active Response acts on managed endpoints by executing reaction code.

Reaction summary

A reaction specifies an action to take on managed endpoints. A name and description identify the reaction. Give meaningful names and descriptions to reactions based on what effect each reaction produces. This way you can find reactions easily in the Active Response Catalog.


Reaction content

A reaction's content specifies the code that Active Response executes on managed endpoints. See Custom content for information about content types and usage.

Reaction arguments

A reaction's content supports named arguments to pass values during execution.

These fields define an argument:

• Name -- Specifies the argument's handle

• Type -- Specifies a data type for the argument. See Literals section in Search syntax for a list of available data types.

Argument mappings

Reaction arguments are related to trigger and collector output fields.

When a trigger is set to run a reaction, the trigger output fields are passed as values to reaction arguments. So if a trigger returns a filename as output, this filename can be passed as the value of a reaction argument that expects a filename.

Also, you can map arguments to collector output fields. After running a search expression, you can execute a reaction on endpoints related to Search Results. If the reaction arguments are mapped to collector output fields used in the search expression, then Active Response knows which values to pass as arguments during reaction execution.

System Tree restrictions when applying reactions

When you apply a reaction, not every endpoint on the DXL fabric is affected. Only those endpoints where your McAfee ePO administrator has granted access to you are affected by the reaction. For example, suppose that you have access to endpoints in China and don't have access to endpoints in Poland. When you execute a reaction, only endpoints in China are affected.

These access restrictions are set on the System Tree sections of the Permission Sets that apply to your McAfee ePO user.

Built-in reactions

Active Response provides several reactions, available out of the box after installation.

DeleteRegistryValue reaction

Deletes a Windows Registry value in a specified registry key path.

This reaction can only delete key values that are not protected by other software.

Table 5-17 Arguments

Name Type Description

keypath Win Registry String The absolute path to a registry key. The path does not include the key value name.

keyvalue Win Registry String The key value name to erase.


KillProcess reaction

Use this reaction to kill processes on endpoints by passing the process' ID.

Table 5-18 Arguments

Name Type Description

pid Number The process ID, set by the operating system.

KillProcessByHash reaction

Use this reaction to kill processes that have a specific hash value on endpoints.

If the target endpoint is offline when this reaction is executed, the reaction is saved on the Active Response server and executes when the endpoint is back online. If a specific file cannot be deleted because a process blocks it, the file is deleted when the endpoint reboots.

Table 5-19 Arguments

Name Type Description

MD5 String The process' MD5 value.

SHA1 String The process' SHA1 value.

RemoveFile reaction

Use this reaction to delete files from endpoint filesystems.

If the target endpoint is offline when this reaction is executed, the reaction is saved on the Active Response server and executes when the endpoint is back online. If a specific file cannot be deleted because a process blocks it, the file is deleted when the endpoint reboots.

Table 5-20 Arguments

Name Type Description

full_name String The fully qualified file name, including its path.

Create a custom reaction

Reactions execute custom content on managed endpoints.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | Active Response Catalog.

2 Select the Reactions tab, then click New Reaction.

3 Enter a name and description for the reaction.

4 Enter the reaction's content.

a Use the Type drop-down list to select the appropriate content type.

b In the Content code editor, enter the commands or code that Active Response executes on managed endpoints.

Add content to both Windows and Linux tabs so that the reaction applies both to Windows and Linux managed endpoints.


5 Click Add Argument or + to add an argument.

a Enter a name for the argument.

An argument's name must match the name given in the reaction's content between {{ and }}.

b From the Type drop-down list, select a type for the argument values.

c Click Set Collector Mapping to map the reaction argument to specific collector output fields.

6 Click Save to finish.

If Save is disabled, check for problems in the form fields.

See also Content arguments on page 58
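The following Python script is an added example, not part of this guide or of the product. It models the two rules stated in the Argument mappings section and in step 5 above: a Search Results row is turned into argument values through the collector mapping, and the reaction content's {{name}} placeholders are then filled from those arguments. It refuses to produce a command when a placeholder has no argument and reports arguments the content never uses, which are the two mismatches the Save check in the console is there to catch. The reaction content (a custom quarantine reaction assumed to use a Linux shell content type), the collector mapping, the sample result row and the function names are all constructed for this example.

```python
import re

# Placeholders in reaction content are written between {{ and }}. Allowing
# whitespace inside the braces is this example's own assumption.
PLACEHOLDER_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Constructed custom reaction content: move the reported file into a
# quarantine directory instead of deleting it, so it stays available for analysis.
QUARANTINE_CONTENT = 'mv -- "{{full_name}}" /var/quarantine/'

# Collector mapping as set with Set Collector Mapping:
# reaction argument name -> output field of the Files collector.
ARGUMENT_MAPPING = {"full_name": "full_name"}

# Constructed Search Results row from a Files search.
SAMPLE_ROW = {"name": "report.exe", "full_name": "/tmp/report.exe", "size": 1024}


def placeholders(content: str) -> set:
    """Argument names the reaction content references."""
    return set(PLACEHOLDER_RE.findall(content))


def map_arguments(row: dict, mapping: dict) -> dict:
    """Build argument values for one result row from the collector mapping."""
    missing = [field for field in mapping.values() if field not in row]
    if missing:
        raise KeyError(f"row has no output field(s) {missing}")
    return {arg: row[field] for arg, field in mapping.items()}


def render_reaction(content: str, args: dict) -> str:
    """Substitute {{name}} placeholders, refusing to emit a half-filled command."""
    unresolved = placeholders(content) - set(args)
    if unresolved:
        raise ValueError(f"no value for argument(s) {sorted(unresolved)}")
    for value in args.values():
        # Substitution is textual: a value holding a quote or a newline would
        # break the shell quoting in the content. Rejecting such values is this
        # example's own safeguard, not a rule the guide states.
        if any(ch in str(value) for ch in '"\n'):
            raise ValueError(f"unsafe characters in argument value {value!r}")
    return PLACEHOLDER_RE.sub(lambda m: str(args[m.group(1)]), content)


def unused_arguments(content: str, args: dict) -> list:
    """Arguments declared on the reaction but never referenced by its content."""
    return sorted(set(args) - placeholders(content))


if __name__ == "__main__":
    args = map_arguments(SAMPLE_ROW, ARGUMENT_MAPPING)
    print(render_reaction(QUARANTINE_CONTENT, args))
    print("unused:", unused_arguments(QUARANTINE_CONTENT, args))
```

Running the content through this kind of dry run before a reaction is applied is worthwhile because, as the Apply a reaction task notes, a reaction applied on endpoints cannot be undone, and one Search Results row may stand for many endpoints.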

Apply a reaction

Fire reactions from the Search Results table.

Reactions applied on endpoints cannot be undone. Proceed with care.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | Active Response Search, then run a search expression.

2 When results appear in the Search Results table, select the rows you want to target.

Remember that a single row might reference more than one managed endpoint, expressed in the count column. In that case, the reaction is applied to all endpoints referenced by the row.

3 Click Actions | Apply Reaction.

4 Select a reaction from the drop-down list. If the reaction takes arguments, insert values for each argument.

Some arguments may be mapped to the collector output fields used in the search expression. The values returned by such output fields will be passed to the mapped arguments.

5 Click Yes to confirm.

See also Built-in reactions on page 48

Catching threats

Active Response triggers track system activity to detect possible threats. They can be set to catch specific events on managed endpoints and react immediately.

Based on Active Response data collection capabilities, triggers catch events in managed endpoints and fire reactions.


Trigger summary and configuration

A name and description identify a trigger. Triggers can be enabled or disabled.

• Enabled triggers are set and active on managed endpoints, listening to events. Even if the endpoint goes offline, the trigger is still enabled and operational.

• Disabled triggers are stored in the Triggers catalog for future use, but do not listen to events on managed endpoints.

Also, triggers select an Event Severity. This is the level of urgency that is reported in the McAfee ePO Threat Event Log when the trigger is fired.

Detection

A trigger's detection settings specify what fires the trigger. Triggers have a type. Each trigger type listens to different events and returns different output fields. For example, the Files trigger type listens to Created, Modified, and Deleted events on files. It returns the file's name, size, last_access, md5, and sha1.

Optionally, triggers can specify a condition that must be met for the trigger to be fired. For example, a Files type trigger can be set to catch Modified events only in files with a specific name or size.

See Trigger types for details on each type of trigger.

Reaction

When a trigger fires, it can execute a reaction. The reaction is selected from the Reactions catalog.

If the reaction takes arguments, they can be matched to the trigger type's output fields. This matching means that when the trigger fires, its output passes as arguments to the reaction. For example, a reaction that deletes files can take the file name to delete as an argument. When the trigger catches an event in a file, it can pass the file name to the reaction, and that particular file is deleted.

System Tree restrictions to setting triggers

When you enable a trigger, it is not set on every endpoint of the DXL fabric. Only those endpoints where your McAfee ePO administrator has granted access to you can set the trigger. For example, suppose that you have access to endpoints in China and don't have access to endpoints in Poland. When you run a search expression, only endpoints in China reply with results.

Also, only users that have access to the same endpoints that you have can modify your triggers on those endpoints. In other words, users that don't have access to an endpoint where you have set a trigger can't modify your trigger.

These access restrictions are set on the System tree sections of the Permission Sets that apply to your McAfee ePO user.

Create a trigger

Triggers are set on managed endpoints to catch and react to specific events.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | Active Response Catalog.

2 Select the Triggers tab, then click New Trigger.

3 Enter a name and description for the trigger.


4 Set the status to Enabled if you want the trigger immediately set on managed endpoints. Else, set it to Disabled.

5 From the Trigger Type drop-down list, select a type for the trigger.

6 From the Event drop-down list, select the event to catch.

7 In the Condition text box, enter a condition to meet when catching events.

8 From the Reaction Name drop-down list, select a reaction.

Be careful that the reaction you select doesn't recreate the condition that sets the trigger off. An infinite loop happens if, when your trigger sets off, it executes a reaction which in turn sets your trigger off again, and so on.

9 In the Arguments table, use the drop-down lists in the Trigger Output column to map output fields to reaction arguments.

10 Click Save to finish.

If Save is disabled, check for problems in the form fields.

See also Reacting to incidents on page 47

Trigger types

Active Response provides different trigger types to catch events on managed endpoints.

See also Reacting to incidents on page 47

Files trigger

The Files trigger listens to events on managed endpoints' file systems.

Events

Event         Description
FileCreated   A matching file is created on a target endpoint.
FileModified  A matching file is changed on a target endpoint.
FileDeleted   A matching file is deleted on a target endpoint.

Output fields

Field       Type    Description
name        String  The file name.
dir         String  The directory path where the file lives. When matching directories with the equals operator, a trailing path separator is needed.
                    Windows example: dir equals "C:\\Program Files\\"
                    Linux example: dir equals "/bin/"
                    macOS example: dir equals "/bin/"
full_name   String  The fully qualified file name, including path.
size        Number  File size in bytes.
last_write  Date    The last time the operating system wrote the file.
md5         String  The MD5 hash of the file's content.
sha1        String  The SHA1 hash of the file's content.
created_at  Date    Time stamp when the file was created.
deleted_at  Date    Time stamp when the file was deleted.
status      String  Shows current for files that are currently on the file system, or deleted for files that were removed from the file system.

Match *.exe files with SHA1 hash 97eb5a5b721e28f9696729d14ef9d4076c9b4e2e:

name ends with '.exe' and sha1 equals '97eb5a5b721e28f9696729d14ef9d4076c9b4e2e'

A trigger condition is like an Active Response search expression filter without the where keyword or the collector name.

File creation and hashing race condition

When a file is created on a managed endpoint, Active Response starts hashing the file and fires the FileCreated event. But if the file is large enough, the event might be caught before the hashing process finishes. In this situation, an incomplete MD5 or SHA1 hash of the file is reported with the event.

Triggers set to catch files over FileCreated events based on an MD5 or SHA1 hash can fail under this race condition: when a large enough file is created, Active Response reports an incomplete file hash. Because the trigger condition is set to match the complete file hash, the trigger does not fire.

However, when the hashing process finishes, the complete file hash is created. Then, a FileModified event is caught, reporting the complete hash. To avoid this condition, you are encouraged to create two triggers: one for the FileCreated event and another one for the FileModified event. Set both triggers to match the complete file hash.

Network trigger

The Network trigger listens to events on network flow to or from managed endpoints.

Connection events

McAfee Active Response catches these events on Windows and Linux systems.

Event            Description
ConnectionOpen   A connection is opened.
ConnectionClose  A connection is closed.

Connection output fields

Field       Type                  Description
src_ip      IPv4 or IPv6 address  IP address of the source of the packet. Supports CIDR block notation.
src_port    Number                Port number originating the packet.
dst_ip      IPv4 or IPv6 address  IP address of the destination of the packet. Supports CIDR block notation.
dst_port    Number                Port number receiving the packet.
time        Date                  Date and time when the packet was collected.
status      String                The status of the TCP transaction. (Not available in UDP transactions.)
                                  The TCP status must be interpreted as follows:
                                  • On a TCP connection open operation, the CONNECTED value means that the source endpoint sent a SYN message and received an ACK,SYN message from the remote server.
                                  • On a TCP connection close operation, the CLOSED value means that the source endpoint sent a SYN message and received an ACK,FIN message from the destination server.
                                  • The final ACK message is ignored on both open and close operations.
process     String                The originating process' image name.
process_id  Number                The originating process' ID.
user        String                The user who owns the originating process.
user_id     String                The user ID of the process owning the socket.
proto       String                The packet's protocol: TCP or UDP.
flags       String                One of TCP flags ACK, SYN, RST, FIN.
direction   String                Specifies whether the packet came in to the managed endpoint, or was sent out of the endpoint.
ip_class    Number                Specifies whether IPv4 (0) or IPv6 (1) was used for the transaction.
seq_number  Number                TCP transaction sequence number (not available in UDP transactions).
src_mac     String                MAC address of originating endpoint.
dst_mac     String                MAC address of destination endpoint (Linux only).
md5         String                The MD5 hash code for the source process.
sha1        String                The SHA1 hash code for the source process.

Match network flow originating on CIDR block 10.250.45.255/24 and targeting endpoint 10.0.0.2 on port 22:

src_ip contains 10.250.45.255/24 and dst_ip equals 10.0.0.2 and dst_port 22

A trigger condition is like an Active Response search expression filter without the where keyword or the collector name.

Port events

McAfee Active Response only catches these events on Windows managed endpoints.

Event       Description
PortOpened  (Windows only) A port is opened for listening.
PortClosed  (Windows only) A port is closed.

Port output fields

Field     Type    Description
src_port  Number  Port number originating the packet.
user      String  The user who owns the originating process.
user_id   String  The user ID of the process owning the socket.
proto     String  The packet's protocol: TCP or UDP.
md5       String  The MD5 hash code for the source process.
sha1      String  The SHA1 hash code for the source process.

Match network flow originating on port 22 by the system administrator:

src_port equals 22 and user equals "NT AUTHORITY\\SYSTEM"

Processes trigger

The Processes trigger listens to events on running processes.

Events

Event              Description
ProcessCreated     A matching process is created on an endpoint.
ProcessTerminated  A matching process is terminated on an endpoint.

Output fields

Field       Type    Description
name        String  The name of the running process.
id          Number  The process' system identifier.
parentId    Number  The system identifier for the process that spawned the current process.
parentname  String  The name of the process that spawned the current process.
md5         String  The MD5 hash code for the process.
sha1        String  The SHA1 hash code for the process.
cmdline     String  The command that started the process.
imagepath   String  Path to the process' image name.
user        String  The user name that started the process.
user_id     String  The ID for the user that started the process.

Match processes started by user "blackhat" with the SHA1 hash 97eb5a5b721e28f9696729d14ef9d4076c9b4e2e:

user equals 'blackhat' and sha1 equals '97eb5a5b721e28f9696729d14ef9d4076c9b4e2e'

A trigger condition is like an Active Response search expression filter without the where keyword or the collector name.


WinRegistry trigger

The WinRegistry trigger listens to changes on Windows Registry keys.

Events

Event                   Description
ValueCreatedOrModified  Key value created or value data changed.
ValueDeleted            Key value deleted or renamed.

Output fields

Field      Type                 Description
keypath    Win Registry String  Mandatory. A path to a registry key. The path does not include the key name. If the value is not a valid registry path, the trigger can't be saved.
                                Only equals and starts_with operators are valid for this output field.
keyvalue   Win Registry String  The key value name.
valuedata  Win Registry String  The data stored by the key value.
                                All values must be expressed as REG_DWORD values.
valuetype  Win Registry String  The data type of the registry data.

Catch when the DisableAllTriggers key is set to 1 in the registry key path for Active Response configuration:

keypath equals "hkey_local_machine\\software\\mcafee\\mar" and keyvalue "DisableAllTriggers" and valuedata equals "1"

A trigger condition is like an Active Response search expression filter without the where keyword or the collector name.

Adding custom content

Custom content specifies code or scripts that Active Response clients execute on managed endpoints.

This content lives inside the custom collectors and reactions that you create:

• Content written for a collector prints Comma-Separated Value (CSV) records to standard output.

• Content written for a reaction can take values passed as arguments to the operations executed on endpoints.

Limitations

On Windows, commands that require access to STDIN or the desktop fail to execute because Active Response runs on endpoints as a non-interactive service.

See also Create a custom collector on page 47
Create a custom reaction on page 49


Content output

During content execution, Active Response gathers from standard output all lines produced by custom content.

This means that your content must print to standard output only those lines to be parsed as comma-separated value (CSV) records. Consider the following examples.

Content with incorrect data

This simple content executes the ps command on a managed endpoint.

ps

This is a sample output for the command:

  PID  PPID  PGID WINPID TTY  UID     STIME    COMMAND
 1440 18908  1440  11236 pty2 2831382 14:40:33 /usr/bin/sh
19184  2128 19184  11640 pty3 2831382 17:16:00 /usr/bin/ps
13708     1 19200  13708 ?    2831382 14:43:33 /usr/bin/dbus-launch
16196  1440  1440  12284 pty2 2831382 14:43:33 /usr/bin/xinit
  808     1   808    808 ?    2831382 14:43:33 /usr/bin/dbus-daemon

Because the command output's first line contains a header, the following CSV document is constructed:

PID,PPID,PGID,WINPID,TTY,UID,STIME,COMMAND
1440,18908,1440,11236,pty2,2831382,14:40:33,/usr/bin/sh
19184,2128,19184,11640,pty3,2831382,17:16:00,/usr/bin/ps
...

Active Response incorrectly interprets the first line in the CSV document as being valid data.

Removing incorrect data from output

Contrast this example to Content with incorrect data. This content executes the ps command, but removes the header line.

ps | tail -n +2

This is a sample output for the command:

 1440 18908  1440  11236 pty2 2831382 14:40:33 /usr/bin/sh
19184  2128 19184  11640 pty3 2831382 17:16:00 /usr/bin/ps
13708     1 19200  13708 ?    2831382 14:43:33 /usr/bin/dbus-launch
16196  1440  1440  12284 pty2 2831382 14:43:33 /usr/bin/xinit
  808     1   808    808 ?    2831382 14:43:33 /usr/bin/dbus-daemon

Then, a CSV document with only valid data is constructed:

1440,18908,1440,11236,pty2,2831382,14:40:33,/usr/bin/sh
19184,2128,19184,11640,pty3,2831382,17:16:00,/usr/bin/ps
...

CSV value escaping

These characters must be escaped in content output to avoid problems when executing collectors and reactions:

' \ , [space]

To escape one of these characters in content output, place them between double quotes (" and ").

To escape the double quotes character, use a slash. To escape the slash character, use another slash.

For example:

"escaped [space]"
"escaped ,"
"escaped ' "
"escaped \"quotes\" "
"escaped \\"

Value strings encoding

All values printed to standard output must be encoded as UTF-8 characters. Using any other encoding can produce characters that break the execution of the collector, producing incorrect output values or no output values at all.

When creating content for collectors, you have the option to encode content output to UTF-8 automatically. If your search results contain broken character encodings, try encoding your custom collector content in UTF-8, or enabling the Convert collector output to UTF-8 encoding option from the collector details page.

Timestamp output fields

If your custom collector specifies an output field of type Timestamp, you must make sure that the time stamp is generated in full when the content is executed. A complete time stamp includes both date and time values.

Example              Description
2015-01-09 08:43:25  This time stamp is complete.
2015-01-09           Incomplete: missing time value.
2015-01              Incomplete: missing day and time values.
08:43:25             Incomplete: missing date value.
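The header-stripping, CSV escaping and time-stamp rules described in Content output, CSV value escaping and Timestamp output fields, as an added example that is not McAfee content and does not come from the product guide: POSIX shell helpers that a Bash collector could use so that what it prints to standard output parses as Active Response expects. The function names (mar_csv_field, mar_csv_record, mar_timestamp_complete, mar_ps_collector) are hypothetical, and SAMPLE_PS is constructed data standing in for real ps output.

```shell
#!/bin/sh
# Added example, not part of the McAfee Active Response product guide.
# Helpers a Bash collector can use so that its standard output follows the
# guide's CSV escaping and Timestamp rules. All function names below are
# hypothetical; SAMPLE_PS is constructed data, not output from a real endpoint.

# Quote one CSV field. A field containing ' \ , space or " is wrapped in
# double quotes; inside it, \ becomes \\ and " becomes \" (backslashes are
# doubled first so the backslash added before a quote is not doubled too).
mar_csv_field() {
    if printf '%s' "$1" | grep -q "['\\\\, \"]"; then
        printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
    else
        printf '%s' "$1"
    fi
}

# Join the given fields into one CSV record, escaping each one.
mar_csv_record() {
    out=""
    sep=""
    for f in "$@"; do
        out="$out$sep$(mar_csv_field "$f")"
        sep=","
    done
    printf '%s\n' "$out"
}

# Succeed only for a complete "YYYY-MM-DD HH:MM:SS" time stamp; a date or a
# time alone is rejected, as the guide requires for Timestamp output fields.
mar_timestamp_complete() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}$'
}

# Constructed stand-in for ps output; the first line is the header that
# must not reach Active Response as data.
SAMPLE_PS='PID PPID COMMAND
1440 18908 /usr/bin/sh
808 1 /usr/bin/dbus-daemon
2210 1440 /opt/my tool/agent'

# Emit the sample as CSV records: drop the header with tail -n +2, as the
# guide does for ps, and escape the COMMAND field, which may contain spaces.
mar_ps_collector() {
    printf '%s\n' "$SAMPLE_PS" | tail -n +2 | while read -r pid ppid cmd; do
        mar_csv_record "$pid" "$ppid" "$cmd"
    done
}

mar_ps_collector
```

Only mar_ps_collector writes to standard output, so nothing else the script does can be mistaken for a record; a real collector would replace SAMPLE_PS with the command it wraps and validate each Timestamp value with mar_timestamp_complete before printing it.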

See also Create a custom collector on page 47

Content arguments

During content execution, Active Response can pass values as arguments to be expanded in the content.

Arguments are specified in the content by placing the argument name between {{ and }}.

Content with arguments

In this example content, two arguments are defined: {{dir_glob}} and {{file_glob}}.

for file in {{dir_glob}}/{{file_glob}}.exe; do rm -- "$file"; done

This content is suitable for a reaction that deletes all files in specific directories, with known file names, ending with the .exe extension. When this content is executed on a managed endpoint, Active Response can expand the argument names with values passed by, for example, a trigger.

See also Create a custom reaction on page 49


Content types

Active Response supports several content types.

See also Create a custom collector on page 47

Operating system commands

This content type executes a system command in a managed endpoint.

Only reference operating system commands and libraries from a trusted source in Active Response custom content.

Linux system command

Show the endpoint's system time.

date +%T

Windows system command

Show the endpoint's system time.

time /t

Windows echo display rules

When executing Windows operating system commands, Active Response follows these display rules for the echo command.

• The first space after the command name is ignored.

• Trailing spaces in message are ignored.

• Functions and variables not enclosed between back quotes (`) are evaluated.

• To include special characters like < | >, enclose them in double quotes (") or back quotes. You can also precede them with the ASCII escape character, or use the /X option of the SETDOS command.

• To display %, you can alternately use two % marks for each one to be displayed: %%

• To display trailing spaces, either enclose them in back quotes, or append a pair of back quotes behind them.

• The ASCII NUL character cannot be included.

• If stdout is the console, after displaying content on the current line, the cursor moves to the beginning of the next line.

• If stdout is a file, the CR LF sequence is appended to the content.

• To display a blank line, use one of these forms:

echo `` (two consecutive back quotes)

echo. (special syntax for compatibility with CMD)

See also Create a custom collector on page 47
Create a custom reaction on page 49


Bash scripts

This content type executes a Bash script.

Only reference operating system commands and libraries from a trusted source in Active Response custom content.

Show interactive users logged on endpoints.

#!/bin/bash
#
# Copyright (C) 2015 McAfee, Inc. All Rights Reserved.
#
# Skip the two header lines of `w`, keep the sessions whose FROM column
# begins with ':' and print their user names; otherwise report none found.
if [ `w | awk '{ if( NR>2 ) print $3, $1 }' | grep -E ^\: | wc -l` != 0 ]; then
    w | awk '{ if( NR>2 ) print $3, $1 }' | grep -E ^\: | awk '{ print $2 }';
else
    echo "No interactive users found"
fi

See also Create a custom collector on page 47
Create a custom reaction on page 49

PowerShell scripts

This content type executes a PowerShell script.

Only reference operating system commands and libraries from a trusted source in Active Response custom content.

Return endpoint system information.

#
# Copyright (C) 2015 McAfee, Inc. All Rights Reserved.
#
# Summary : This script lists endpoint system information
#
$PhysicalMemory = (get-wmiObject -class win32_ComputerSystem).TotalPhysicalMemory
$LocalTime = get-wmiObject -class win32_LocalTime
$OperatingSystem = get-wmiObject -class win32_OperatingSystem
$Processor = get-wmiObject -class win32_Processor
$TimeAndDate = get-date

$o = new-object PSObject
$o | add-member NoteProperty PhysicalMemory $PhysicalMemory
$o | add-member NoteProperty LocalTime $LocalTime
$o | add-member NoteProperty OperatingSystem $OperatingSystem
$o | add-member NoteProperty Processor $Processor
$o | add-member NoteProperty TimeAndDate $TimeAndDate

# Convert to CSV and drop the header line so only the data record is output
$p = $o | ConvertTo-CSV -NoTypeInformation | select -Skip 1

# Escape backslashes as the CSV value escaping rules require
$p = $p.replace('\', '\\')
$p

Visual Basic scripts

This content type executes a Visual Basic script.

Only reference operating system commands and libraries from a trusted source in Active Response custom content.

Return information about local users on Windows endpoints.

'
' Copyright (C) 2015 McAfee, Inc. All Rights Reserved.
'
' Summary : This script will list all local user
' information, to include group memberships.
'
Option Explicit

' ***********************************************
' Declare all variables
' ***********************************************

Dim strComputer
Dim varUseWmi, varRunWmiQuery, varWmiValue
Dim colGroups
Dim objGroup, objUser

' ***********************************************
' Call WMI to gather Windows' user account information.
' ***********************************************

strComputer = "."

set varUseWmi = GetObject("winmgmts:\\.\root\cimv2")
set varRunWmiQuery = varUseWmi.ExecQuery("Select * from Win32_UserAccount")

' ***********************************************
' List all groups for each user, and put into an
' array.
'
' Next, echo back all of the user info, to include
' the group.
' ***********************************************

For Each varWmiValue In varRunWmiQuery
    Set colGroups = GetObject("WinNT://" & strComputer)
    colGroups.Filter = Array("group")
    For Each objGroup In colGroups
        For Each objUser In objGroup.Members
            If objUser.name = varWmiValue.Name Then
                Wscript.Echo varWmiValue.Disabled & "," & varWmiValue.Domain & "," & _
                    varWmiValue.FullName & "," & varWmiValue.InstallDate & "," & _
                    varWmiValue.LocalAccount & "," & varWmiValue.Lockout & "," & _
                    varWmiValue.Name & "," & varWmiValue.SID & "," & _
                    varWmiValue.PasswordExpires & "," & objGroup.Name
            End If
        Next
    Next
Next

See also Create a custom collector on page 47
Create a custom reaction on page 49

Python 2.7 scripts

This content type executes a Python 2.7 script.

Do not create Python custom content unless you are sure that the Python interpreter on endpoints is installed in a system-protected location!

Return information about routes.

#
# Copyright (C) 2015 McAfee, Inc. All Rights Reserved.
#
import re
import subprocess

# Run the Windows routing table command and capture everything it prints.
process = subprocess.Popen("route PRINT -4", stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE, shell=True)
output, error = process.communicate()

# Everything before the line holding the "Metric" column header is preamble;
# only the rows after it are route entries.
in_table = False
for x in output.split('\r'):
    if "Metric" in x:
        in_table = True
        continue
    if in_table:
        # Collapse runs of whitespace so the columns become one CSV record.
        data = re.sub(r'\s+', ' ', x).strip().split(" ")
        if len(data) >= 3:
            print(",".join(data))

See also Create a custom collector on page 47
Create a custom reaction on page 49

Backing up and sharing content

You can export Active Response content to a file in JSON format. Use the exported file to restore content after product upgrade or to share your collectors, triggers, and reactions with other Active Response installations.

To export and import content, look for Export, Export all, and Import in Active Response Catalog.

Error codes

These error codes appear in Active Response Search or in Active Response client logs. Use this table to troubleshoot a problem or as reference when contacting product support.

Table 5-21 Generic errors

1 MAR_E_UNKNOWN
  Description: Failed to execute a search expression, enable a trigger, or execute a reaction.
  Workaround: Check the custom collector content, the reaction content, or the trigger condition.

2 MAR_E_UNDEFINED
  Description: Failed to execute a search expression, enable a trigger, or execute a reaction.
  Workaround: Check the custom collector content, the reaction content, or the trigger condition.

3 MAR_E_REQUEST_FAIL_TO_BE_PLACE
  Description: Failed to access client plug-in. The Active Response client might be corrupted.
  Workaround: Redeploy Active Response client on endpoint.

4 MAR_E_INTERNAL_ERROR
  Description: Failed during process boot. The Active Response client might be corrupted.
  Workaround: Redeploy Active Response client on endpoint.

6 MAR_E_MERGE_SIZE_MAX_REACHED
  Description: The search expression produced too many results.
  Workaround: Add filters to reduce the number of results or remove collectors from the projection. See Search syntax for more information.

7 MAR_E_MISSING_ARGUMENT
  Description: Failed to create McAfee ePO events.
  Workaround: Check Active Response server and client versions. The server version must be equal to or higher than the client one.

8 MAR_E_INVALID_ARGUMENT
  Description: A McAfee ePO event failed to create proper arguments due to an unsupported event ID.
  Workaround: Check Active Response server and client versions. The server version must be equal to or higher than the client one.

9 MAR_E_REQUEST_TIMEOUT
  Description: A collector took too long to return results.
  Workaround: Reduce the execution time of your custom collectors.

10 MAR_E_PLUGIN_SHUTTING_DOWN
  Description: A plug-in is shutting down and has not yet ended.
  Workaround: None

11 MAR_E_UNSUPPORTED_API
  Description: An API from a different version is trying to run and is not supported.
  Workaround: None

160 MAR_E_GENERIC_PLUGIN_IS_DISABLED
  Description: A required Active Response plug-in is disabled on the endpoint.
  Workaround: Enable the plug-in in the Active Response policy enforced on the endpoint.

Table 5-22 Runtime plug-in errors

257 MAR_E_RUNTIME_FAIL
  Description: A collector or reaction failed during the execution of its content.
  Workaround: Check the content of the collector or reaction.

258 MAR_E_MISSING_CONTENT
  Description: Failed to execute collector or reaction due to missing content. The collector or reaction might be empty.
  Workaround: Check content of collector or reaction.

259 MAR_E_MISSING_SCRIPT_ENGINE
  Description: A collector or reaction content failed to be executed due to missing script engine.
  Workaround: Check that Python, Visual Basic, or Bash engines are available on the endpoint.

260 MAR_E_MISSING_SCRIPT_DATA
  Description: Failed to execute collector or reaction due to missing content. The content is empty or there is a problem in the Active Response server.
  Workaround: Check the content of collector or reaction.

261 MAR_E_SCRIPT_ENGINE_UNSUPPORTED
  Description: The Active Response client doesn't support the script engine that it tries to use.
  Workaround: Check that versions of Active Response server and clients match.

262 MAR_E_FORMAT_ERROR
  Description: Failed to parse collector output.
  Workaround: Check the output values in the collector content. Check the collector output field definitions.

263 MAR_E_MISSING_PYTHON_ENGINE
  Description: Python interpreter can't be found.
  Workaround: Install Python on the endpoint.

264 MAR_E_SHELL_IS_NOT_TRUSTED
  Description: The script interpreter doesn't match a trusted interpreter. Active Response will not execute any script using it.
  Workaround: None

416 MAR_E_RUNTIME_PLUGIN_IS_DISABLED
  Description: A required Active Response plug-in is disabled on the endpoint.
  Workaround: Change the Active Response policy enforced on the endpoint to enable the plug-in.

Table 5-23 NetworkFlow errors

513 MAR_E_NETWORK_MAX_REACHED
  Description: The NetworkFlow collector returned too many results.
  Workaround: Add filters to reduce the number of results. See Search syntax for more information.

672 MAR_E_NETWORK_PLUGIN_IS_DISABLED
  Description: The NetworkFlow plug-in is disabled on the endpoint.
  Workaround: Change the Active Response policy enforced on the endpoint to enable the plug-in.

Table 5-24 File hashing errors

769 MAR_E_FILE_HASHING_MAX_REACHED
  Description: The Files collector returned too many results.
  Workaround: Add filters to reduce the number of results. See Search syntax for more information.

770 MAR_E_FILE_HASHING_HASH_IN_PROGRESS
  Description: Active Response is hashing the file system on this endpoint.
  Workaround: Wait for file hashing to complete and retry your search.

771 MAR_E_FILE_HASHING_REMOVE_FILE_ERROR
  Description: An error occurred when MAR tried to delete a file.
  Workaround: None

928 MAR_E_FILE_HASHING_PLUGIN_IS_DISABLED
  Description: The File Hashing plug-in is disabled on the endpoint.
  Workaround: Change the Active Response policy enforced on the endpoint to enable the plug-in.

Table 5-25 Processes errors

1025 MAR_E_AQUIRE_PROCESS
  Description: The endpoint's operating system is preventing Active Response from collecting running processes information.
  Workaround: Retry your search expression.

1026 MAR_E_SYSTEM_INFO_INVALID_PARAMETERS
  Description: The client detected invalid system information parameters.
  Workaround: Verify that the correct parameters are used. Set the logger level to Debug to check which parameters the client is receiving and retry.

1027 MAR_E_CANNOT_KILL_PROCESS
  Description: The client cannot kill the specified process.
  Workaround: Verify that the process exists and its ID is entered correctly.

1028 MAR_E_CANNOT_STOP_SERVICE
  Description: The client failed to stop the specified service.
  Workaround: Verify that the service exists and its ID is entered correctly.

1029 MAR_E_CANNOT_KILL_SERVICE_PROCESS
  Description: The client failed to kill the specified service.
  Workaround: Verify that the service exists and its ID is entered correctly.

1030 MAR_E_CANNOT_SET_SERVICE_AS_MANUAL
  Description: The client failed to set service 'Startup Type' to Manual. The process has been killed, but the service is still automatic.
  Workaround: Retry if the process starts again.

1031 MAR_E_CANNOT_KILL_TRUSTED_PROCESS
  Description: The client does not kill trusted processes.
  Workaround: None

1184 MAR_E_SYSTEM_INFO_PLUGIN_IS_DISABLED
  Description: McAfee ePO hasn't yet initialized the policies on the endpoint, so the Processes plug-in is disabled.
  Workaround: Wait for McAfee ePO to initialize policies on the endpoint and try again.

Table 5-26 WinRegistry errors

1281 MAR_E_WIN_REGISTRY_MAX_REACHED
  Description: The WinRegistry collector returned too many results.
  Workaround: Add filters to reduce the number of results. See Search syntax for more information.

1282 MAR_E_WIN_REGISTRY_INVALID_PARAMETERS
  Description: A WinRegistry reaction received invalid parameters.
  Workaround: The keypath/keyvalue specified doesn't exist. Check that the correct keypath/keyvalue is used.

1283 MAR_E_WIN_REGISTRY_ACCESS_DENIED
  Description: A WinRegistry reaction did not have permission to execute its task.
  Workaround: None

1284 MAR_E_WIN_REGISTRY_UNDEFINED_ERROR
  Description: A WinRegistry reaction returned an unknown error.
  Workaround: None

1285 MAR_E_WIN_REGISTRY_MISSING_ARGUMENT
  Description: A WinRegistry reaction did not receive all the parameters it was expecting.
  Workaround: This error is not generated in the Active Response client. Check the service or extension.

1286 MAR_E_WIN_REGISTRY_CANNOT_FIND_USER
  Description: A WinRegistry reaction could not find the specified user.
  Workaround: Check that the correct user is specified.

1287 MAR_E_WIN_REGISTRY_INVALID_KEYPATH_OPERATOR
  Description: A condition for the keypath field used an invalid operator.
  Workaround: The keypath field supports only the equals or starts with operators. Change the condition to use one of these operators.

1288 MAR_E_WIN_REGISTRY_KEYPATH_IS_MANDATORY
  Description: A condition was executed without using Keypath as a filter.
  Workaround: WinRegistry queries must apply a filter related to the Keypath condition.

1440 MAR_E_WIN_REGISTRY_PLUGIN_IS_DISABLED
  Description: The WinRegistry plug-in is disabled on the endpoint.
  Workaround: Change the Active Response policy enforced on the endpoint to enable the plug-in.


Index

A

about
Active Response 7
about this guide 5
access management, Active Response

editor role 23

responder role 23

actions taken on threats 28

Active Response
about 8
configure 21
Endpoint Threat Defense and Response solution 7
installation status 17

installing 11

policy configuration 22

upgrade 19

Active Response components
Data Exchange Layer cloud bridge 8

affected hosts 25

aggregator tags, configuring 22

aggregators, installing 15

authentication, configuring 22

B

built-in collectors 34–46

CurrentFlow collector 34

DNSCache collector 35

EnvironmentVariables collector 35

Files collector 36

HostEntries collector 37

HostInfo collector 37

InstalledDrivers collector 38

InstalledUpdates collector 39

InteractiveSessions collector 39

LocalGroups collector 39

LoggedInUsers collector 40

NetworkFlow collector 40

NetworkInterfaces collector 41

NetworkSessions collector 42

NetworkShares collector 42

Processes collector 42

ScheduledTasks collector 43

Services collector 44

Software collector 44

Startup collector 44

UsbConnectedStorageDevices collector 45

UserProfiles collector 45

WinRegistry collector 46

C

client, Active Response 22

cloud bridge

creating accounts 13

registering Active Response 13

storage and services 8

collector arguments 58

collector output fields, See custom content, Active Response

collectors 33

common core extensions, installing 13

configuration

access management 23

client 22

network ports 21

services 22

content back-up, Active Response 62

conventions and icons used in this guide 5

create an Active Response policy 23

custom collectors 46

creating 47

custom content, Active Response 58, 59

adding 56

Bash content type 60

collector output fields 57, 59

operating system command content type 59

PowerShell content type 60

Python 2.7 content type 61

Visual Basic content type 60

D

Data Exchange Layer

cloud bridge 8, 13

install the extension 13

DeleteRegistryValue reaction, See reactions

DNSCache collector, See built-in collectors

documentation

audience for this guide 5

product-specific, finding 6

typographical conventions and icons 5

E

Endpoint Security extensions

installation status 17

Endpoint Threat Defense and Response solution 7

EnvironmentVariables collector, See built-in collectors

F

features, Active Response 7

File Hashing, enabling 22

Files collector, See built-in collectors

files trigger, See triggers

H

health status information 17

HostInfo collector, See built-in collectors

I

import and export content, Active Response 62

installation requirements, Active Response 11

installation, Active Response 11, 14

client deployment 16

common core extensions 13

content update 18

McAfee ePO Cloud Bridge 13

proxy server settings 13

requirements 11

status on servers and endpoints 17

TIE server 14

uninstall clients 17

InstalledDrivers collector, See built-in collectors

InstalledUpdates collector, See built-in collectors

InteractiveSessions collector, See built-in collectors

K

KillProcess reaction, See reactions

KillProcessByHash reaction, See reactions

L

LocalGroups collector, See built-in collectors

Log files, enabling 22

LoggedInUsers collector, See built-in collectors

M

McAfee ePO Cloud Bridge 13

McAfee ServicePortal, accessing 6

N

network data collectors, See built-in collectors

network trigger, See triggers

NetworkFlow collector, See built-in collectors

NetworkInterfaces collector, See built-in collectors

NetworkSessions collector, See built-in collectors

NetworkShares collector, See built-in collectors

P

permission sets, Active Response, See access management

policy configuration 22

policy, creating 23

ports, Active Response 21

potential threats 25

processes collector, See built-in collectors

processes trigger, See triggers

proxy server settings 13

R

reactions 47–49

applying 50

creating 49

DeleteRegistryValue reaction 48

KillProcess reaction 49

KillProcessByHash reaction 49

RemoveFile reaction 49

remediation 27, 28

delete history 28

RemoveFile reaction, See reactions

S

saved search expressions 31

ScheduledTasks collector, See built-in collectors

search expressions 29

saving 30

syntax reference 31

using 29

server, Active Response 19, 22

ServicePortal, finding product documentation 6

Services collector, See built-in collectors

Software collector, See built-in collectors

Startup collector, See built-in collectors

T

technical support, finding product information 6

Threat Intelligence Exchange

install the extension 13

install the TIE server 14

server 8

threat remediation 28

delete history 28

remediate a threat 27

threat time line 25

Threat Workspace

affected hosts 25

configuring 22

investigate a threat 27

number of threats 25

parts of the page 25

threat time line 25

trace information 25

threats

investigating and getting details 27

remediate a threat 27

total threats 25

Trace 25

enabling 22

triggers 50, 52, 53, 55, 56

creating 51

files type 52

network type 53

processes type 55

winregistry type 56

U

upgrade, Active Response 19

client deployment 20

extensions 19

server 19

UsbConnectedStorageDevices collector, See built-in collectors

UserProfiles collector, See built-in collectors

W

WinRegistry collector, See built-in collectors

winregistry trigger, See triggers
