Procedure
- Log in to the SMS from a client.
- On the SMS toolbar, navigate to the Responder > Policies tab screen.
- To create a new Active Response Policy do one of the following:
- In the Active Response Policies screen, click New.
- In the Active Response Policies screen, right-click and select New.
- From the SMS toolbar select File > New > Policy.
- The Create Active Response Policy setup wizard opens.
- Select the Initiation and Timeout tab.
- Policy Name - enter the policy name if desired.
- Initiation - specify the mechanism to use to initiate the policy.
- Timeout - If you want to set the timeout option, select the Enable Automatic Timeout check box and enter a time in minutes. Setting this option automatically ends the continued application of Response Actions after the prescribed time limit even if remediation has not occurred.
- Click Next or select the Inclusions and Exclusions tab. On the Inclusions and Exclusions screen, specify the hosts/networks to Allow Active Response or Never Respond. Use the arrow buttons located at the end of each field to add an existing Named Resource or to create a new Named Resource.
- Click Next or select the Correlation and Thresholding tab. For Correlation and Thresholding, enter settings for the following:
- Automatic Response Configuration:
- Qualified filter hits - number of hits to enact the policy.
- Threshold period - period of time in seconds or minutes for the hit count threshold.
- Quiet period - Quiet Period begins when automatic response action is initiated. A new Threshold Period won't begin until the Quiet Period is over.
- Qualified Filter Hit Notifications:
- Select Send Syslog Notification to send a message to a syslog server. Enter the server and select a port and facility for the syslog message.
- Select Send SNMP Trap Notification to send an SNMP trap. Enter the trap destination and select a port.
- Click Next or select the Actions tab. The Actions screen lists the actions that are associated with the policy and the following information:
- Priority - The order in which the actions are to be performed
- Action - Name assigned to the action that you created.
- Condition - Trigger for running the action. This option is set when a new action is added to the Response Policy and can be changed by selecting the action and editing it through this screen.
- Dependency - What other action must take place for this action to be triggered.
Note: The SMS supports multiple action sets. You must set up a Profile action set with Quarantine defined before you set up an Active Response policy.
- Click Add to add a new Response action or select an existing action entry and click Edit. The Response Action screen displays.
- Select an action to add from the drop-down menu. The available actions are those created in the Action screen for Active Response. When adding additional actions, you can create dependencies between the actions:
- Select an action to add.
- Select an option: success on or failure on.
- Select the action to connect for dependency.
For example, the added action called Email Admin (email type) could have a dependency of "success on" the previously added action Switch Down (switch disconnect type). In this situation, when the Switch Down action succeeds in disconnecting the switch port, the Email Admin action sends a message informing the network administrator; if Switch Down fails, Email Admin is skipped.
- Click OK to return to the setup wizard.
- On the Actions screen, review the listed actions. If you want to change the priority of a selected action, use the up and down arrows to change the location of the selected action in the list.
- Click Next or select the Inspection Destinations tab. In the Inspection Destinations screen, you can select which devices will receive the Response Policy.
- To distribute to all IPS devices, select the All Devices check box.
- To distribute to selected IPS devices, expand the All Devices entry and select one or more IPS devices.
- Click Finish to save your settings.
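The following simulation is an added example (it is not SMS code and not from the SMS User Guide) that models the two parts of the wizard that carry logic: the Correlation and Thresholding settings (Qualified filter hits, Threshold period, Quiet period) and the prioritized action list with success on / failure on dependencies. The guide does not say whether the Threshold Period is a fixed or sliding window; the example assumes a fixed window opened by the first qualified hit, which is an assumption, and the action names and hit timestamps are constructed.

```python
"""Simulate an Active Response policy: hit correlation, then the action chain.

Added example, not SMS code. Window semantics (fixed window opened by the
first qualified hit) are an assumption; the guide only defines the three
settings. Action names and timestamps below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Correlator:
    """Decides when repeated qualified filter hits enact the policy."""
    qualified_hits: int        # hits needed to enact the policy
    threshold_period: float    # seconds in which those hits must occur
    quiet_period: float        # seconds after initiation during which hits are ignored
    window_start: Optional[float] = None
    hits_in_window: int = 0
    quiet_until: float = float("-inf")

    def hit(self, t: float) -> bool:
        """Record a qualified hit at time t (seconds); True when the policy initiates."""
        if t < self.quiet_until:
            return False              # Quiet Period: no new Threshold Period begins
        if self.window_start is None or t - self.window_start > self.threshold_period:
            self.window_start = t     # first hit (or a hit after expiry) opens a new window
            self.hits_in_window = 0
        self.hits_in_window += 1
        if self.hits_in_window >= self.qualified_hits:
            self.quiet_until = t + self.quiet_period   # Quiet Period starts at initiation
            self.window_start = None
            self.hits_in_window = 0
            return True
        return False


@dataclass
class Action:
    """One row of the Actions screen: priority is the list position."""
    name: str
    run: Callable[[], bool]            # returns True on success, False on failure
    depends_on: Optional[str] = None   # Dependency column
    condition: str = "success"         # Condition column: "success" or "failure" of depends_on


def run_actions(actions: List[Action]) -> Dict[str, Optional[bool]]:
    """Run actions in priority order. None = skipped, dependency condition not met."""
    results: Dict[str, Optional[bool]] = {}
    for a in actions:
        if a.depends_on is not None:
            dep = results.get(a.depends_on)
            wanted = (a.condition == "success")
            if dep is None or dep != wanted:
                results[a.name] = None
                continue
        results[a.name] = bool(a.run())
    return results


def simulate(hit_times: List[float], switch_ok: bool = True) -> Dict[str, object]:
    """Feed constructed hit timestamps through a 3-hits-in-60s policy with a 300s quiet period,
    then run the example chain from the guide (Email Admin on success of Switch Down)."""
    corr = Correlator(qualified_hits=3, threshold_period=60, quiet_period=300)
    initiated_at = [t for t in hit_times if corr.hit(t)]
    chain = [
        Action("Switch Down", lambda: switch_ok),                       # switch disconnect type
        Action("Email Admin", lambda: True, "Switch Down", "success"),  # email type, success on
        Action("Page On-Call", lambda: True, "Switch Down", "failure"), # runs only if disconnect failed
    ]
    return {"initiated_at": initiated_at,
            "actions": run_actions(chain) if initiated_at else {}}


if __name__ == "__main__":
    # constructed: 3 hits in 50s, 2 hits inside the quiet period, then a burst that
    # straddles an expired window before a second burst qualifies
    print(simulate([0, 20, 50, 100, 200, 400, 470, 480, 490]))
```

In the sample run the policy initiates at t=50 and again at t=490: the hits at 100 and 200 fall inside the Quiet Period and open no new Threshold Period, and the hit at 470 arrives more than 60 s after the window opened at 400, so it starts a fresh window that 480 and 490 complete. Setting `switch_ok=False` shows the dependency logic: Email Admin is skipped and the "failure on" action runs instead.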
Reference: SMS User Guide