Procedure
- Log in to the SMS from a client.
- On the SMS toolbar, navigate to the Responder > Policies tab screen.
- To create a new Active Response Policy, do one of the following:
  - In the Active Response Policies screen, click New.
  - In the Active Response Policies screen, right-click and select New.
  - From the SMS toolbar, select File > New > Policy.
  The Create Active Response Policy setup wizard opens.
- Select the Initiation and Timeout tab and complete the following:
  - Policy Name - enter a name for the policy, if desired.
  - Initiation - specify the mechanism used to initiate the policy.
  - Timeout - to set a timeout, select the Enable Automatic Timeout check box and enter a time in minutes. This option automatically ends the continued application of Response Actions after the prescribed time limit, even if remediation has not occurred.
- Click Next or select the Inclusions and Exclusions tab. On the Inclusions and Exclusions screen, specify the hosts/networks to Allow Active Response or Never Respond. Use the arrow buttons at the end of each field to add an existing Named Resource or to create a new Named Resource.
- Click Next or select the Correlation and Thresholding tab. For Correlation and Thresholding, enter settings for the following:
  - Automatic Response Configuration:
    - Qualified filter hits - number of hits required to enact the policy.
    - Threshold period - period of time, in seconds or minutes, for the hit count threshold.
    - Quiet period - the Quiet Period begins when the automatic response action is initiated. A new Threshold Period does not begin until the Quiet Period is over.
  - Qualified Filter Hit Notifications:
    - Select Send Syslog Notification to send a message to the syslog server. Enter a server and select a port and facility for the syslog.
    - Select Send SNMP Trap Notification to send an SNMP trap. Enter a destination and select a port.
- Click Next or select the Actions tab. The Actions screen lists the actions associated with the policy and the following information:
  - Priority - the order in which the actions are performed.
  - Action - the name assigned to the action you created.
  - Condition - the trigger for running the action. This option is set when a new action is added to the Response Policy and can be changed by editing a selected action on this screen.
  - Dependency - the other action that must take place for this action to be triggered.
Note: The SMS supports multiple action sets. You must set up a Profile action set with Quarantine defined before you set up an Active Response policy.
- Click Add to add a new Response action, or select an existing action entry and click Edit. The Response Action screen displays.
- Select an action to add from the drop-down menu. The available actions are those created in the Action screen for Active Response. When adding additional actions, you can create dependencies between the actions:
  - Select an action to add.
  - Select an option: success on or failure on.
  - Select the action to connect for the dependency.
  For example, the added action Email Admin (email type) could depend on the previously added action Switch Down (switch disconnect type). In this situation, when the switch goes down, the email action sends a message informing the network administrator.
- Click OK to return to the setup wizard.
- On the Actions screen, review the listed actions. If you want to change the priority of a selected action, use the up and down arrows to change the location of the selected action in the list.
- Click Next or select the Inspection Destinations tab. In the Inspection Destinations screen, select which devices will receive the Response Policy:
  - To distribute to all IPS devices, select the All Devices check box.
  - To distribute to selected IPS devices, expand the All Devices entry and select one or more IPS devices.
- Click Finish to save your settings.
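The following is an added example, not code from the SMS User Guide or from the SMS itself. It models the two pieces of policy logic the procedure above configures: the Correlation and Thresholding settings (qualified filter hits, threshold period, quiet period) and the priority-ordered action list with success-on / failure-on dependencies from the Actions screen. The exact semantics are an assumption made for the model (a threshold period starts at the first counted hit, hits during the quiet period are ignored, a dependent action runs only when the action it depends on had the matching outcome), and the hit timestamps and action names are constructed sample data.

```python
"""Model of an Active Response policy's correlation and action chaining.

Constructed example: it assumes the semantics described in the procedure
(hit-count threshold within a period, a quiet period after initiation,
priority-ordered actions gated by success-on / failure-on dependencies).
It is not SMS code and does not talk to an SMS.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Threshold:
    hits: int        # Qualified filter hits needed to enact the policy
    period: float    # Threshold period, in seconds
    quiet: float     # Quiet period after initiation, in seconds


def correlate(hit_times: List[float], th: Threshold) -> List[float]:
    """Return the times at which the policy initiates an automatic response.

    Assumed model: a threshold period starts at the first counted hit; if
    `th.hits` hits arrive within `th.period` seconds the policy initiates
    and a quiet period begins. Hits during the quiet period are ignored,
    and a new threshold period only starts once the quiet period is over.
    """
    initiations: List[float] = []
    window_start: Optional[float] = None
    count = 0
    quiet_until = float("-inf")
    for t in sorted(hit_times):
        if t < quiet_until:
            continue                      # suppressed by the quiet period
        if window_start is None or t - window_start > th.period:
            window_start, count = t, 0    # start a fresh threshold period
        count += 1
        if count >= th.hits:
            initiations.append(t)
            quiet_until = t + th.quiet
            window_start, count = None, 0
    return initiations


@dataclass
class Action:
    name: str
    run: Callable[[], bool]              # returns True on success
    depends_on: Optional[str] = None     # name of the action this one depends on
    condition: str = "success"           # "success" or "failure" of that action


def run_actions(actions: List[Action]) -> Dict[str, str]:
    """Execute actions in priority (list) order; map name -> success/failure/skipped.

    An action with a dependency runs only if the action it depends on
    finished with the matching outcome; otherwise it is skipped.
    """
    results: Dict[str, str] = {}
    for a in actions:
        if a.depends_on is not None and results.get(a.depends_on) != a.condition:
            results[a.name] = "skipped"
            continue
        results[a.name] = "success" if a.run() else "failure"
    return results


def simulate_policy(hit_times: List[float], th: Threshold,
                    actions: List[Action]) -> List[Tuple[float, Dict[str, str]]]:
    """Combine both steps: for each initiation, run the action chain."""
    return [(t, run_actions(actions)) for t in correlate(hit_times, th)]


# Constructed sample: hit timestamps in seconds, not captured from a device.
SAMPLE_HITS = [0, 1, 2, 3, 5, 20, 21, 100, 101, 102]
SAMPLE_THRESHOLD = Threshold(hits=3, period=10, quiet=30)

# Constructed action chain mirroring the procedure's example: Email Admin
# depends on Switch Down succeeding; Escalate runs only if Switch Down fails.
SAMPLE_ACTIONS = [
    Action("Switch Down", run=lambda: True),
    Action("Email Admin", run=lambda: True, depends_on="Switch Down", condition="success"),
    Action("Escalate", run=lambda: True, depends_on="Switch Down", condition="failure"),
]

if __name__ == "__main__":
    for when, outcome in simulate_policy(SAMPLE_HITS, SAMPLE_THRESHOLD, SAMPLE_ACTIONS):
        print(f"initiated at t={when}s: {outcome}")
```

With the sample data the policy initiates at t=2 (three hits inside the 10-second window) and then not again until t=102, because the hits at t=3, 5, 20 and 21 fall inside the 30-second quiet period; with a quiet period of 0 those hits would be counted towards a new threshold period. The action results show the dependency gating: Email Admin runs because Switch Down succeeded, and Escalate is skipped.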
Reference: SMS User Guide
