How do I create and Implement Active Response Notification Actions on the SMS?

Updated: 10 Jun 2020

Summary
Overview: The SMS Active Response system enables you to specify a notification action that is enacted when a response policy is triggered. These notifications are initiated by the SMS when enabled in a policy that is enabled in an action set. You can implement one or more of these notification actions in a policy.
  • Syslog: Sends an event to a Syslog server when the response policy is triggered.
  • Email: Sends an email to specified recipients when the policy is triggered.
  • Web: Sends a Web request. Performs an HTTP GET on a URL.
  • SNMP Trap: Enacts an SNMP Trap for the host traffic when the policy is triggered.
Note: These notification actions apply to Active Response policy notifications, as opposed to the IPS Profiles notification settings that specify how SMS notification of filter events is handled.

How To: Common Task

  1. Log in to the SMS from a client.
  2. On the SMS toolbar, navigate to the Responder > Actions tab screen.
  3. In the Response Actions section, do one of the following:
    1. Click New.
    2. Right-click and select New.
    3. From the SMS toolbar, select File > New > Action.
  4. The Create New Response Action setup wizard displays.

How To: Create and Implement a Syslog Action

This action enables you to specify a Syslog server where Active Response will send events.

Note: Before you set up a Syslog action, a UDP Syslog agent must be running on the Syslog destination IP and port configured for this action.

  1. When the Active Response wizard opens, specify a name for the action and select Syslog from the Action Type drop-down menu.
  2. Click Next or select Syslog Settings from the wizard navigation tree.
  3. In the Syslog Settings window, specify the destination for the log message by completing the following information:
    1. IP Address of Server (UDP): IP address of the Syslog server.
    2. Port: Listening port on the Syslog server (0-65535). The default setting is 514.
    3. Facility: Choose the Syslog facility that applies.
  4. If you want to test this action, click Test.
  5. Click Next to review the Implementation instructions.
  6. Click Finish to complete your setup.

Note: To implement this action it must be added to an Active Response policy that is added to an action set enabled for SMS Response.
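A small UDP listener for checking what the Test button delivers, as an added example that is not part of the original article or of the SMS product: it decodes the syslog `<PRI>` prefix and compares the facility with the one chosen in Syslog Settings. The SMS address, facility, and port 5514 are assumed values, and the format of the SMS message body is not described on this page, so only the prefix is parsed.

```python
import socket

# Facility and severity names by numeric code (RFC 5424, section 6.2.1).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{n}" for n in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(datagram: bytes):
    """Return (facility, severity, message); raise ValueError on a bad <PRI>."""
    text = datagram.decode("utf-8", errors="replace")
    end = text.find(">")
    if not text.startswith("<") or not 2 <= end <= 4:
        raise ValueError("datagram does not start with a syslog <PRI>")
    digits = text[1:end]
    if not (digits.isascii() and digits.isdigit()) or int(digits) > 191:
        raise ValueError("syslog <PRI> is not a number in 0-191")
    pri = int(digits)  # PRI = facility * 8 + severity
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], text[end + 1:]


def check_datagram(datagram, source_ip, expected_source, expected_facility):
    """List the ways a datagram differs from what the Syslog action should send."""
    problems = []
    if source_ip != expected_source:
        problems.append(f"unexpected sender {source_ip}")
    try:
        facility, _severity, _message = parse_pri(datagram)
    except ValueError as exc:
        return problems + [str(exc)]
    if facility != expected_facility:
        problems.append(f"facility {facility}, expected {expected_facility}")
    return problems


def listen(bind_ip, port, expected_source, expected_facility):
    """Print each datagram received and whether it matches the action's settings."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, (source_ip, _port) = sock.recvfrom(8192)
            problems = check_datagram(data, source_ip, expected_source, expected_facility)
            print(source_ip, "OK" if not problems else problems, data[:200])


if __name__ == "__main__":
    # Assumed values: SMS at 192.0.2.10, facility local4, unprivileged port 5514
    # (binding the default 514 needs root). UDP senders are unauthenticated and
    # spoofable, so the source check is a sanity test, not proof of origin.
    listen("0.0.0.0", 5514, "192.0.2.10", "local4")
```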


How To: Create and Implement an Email Action

Before you set up an Email action, the system SMTP server must be configured under the Admin > Server Properties > Network section of the SMS. The system Reply-To and From fields will be used if none are configured in this Email action.

  1. When the Active Response wizard opens, specify a name for the action, and select Email from the Action Type drop-down menu.
  2. Click Next or select Email Settings from the wizard navigation pane.
  3. Enter the following information:
    1. From: Enter the email address where the notifying email originates (generally an SMS-specific email alias).
    2. Reply To: Enter the email address where replies are to be sent.
    3. To: In this section, click the Add button and enter the email address or addresses where Syslog email notices will be sent. To enter multiple email addresses, separate entries with a comma.
  4. If you want to test the email settings, click Test.
  5. Click Next to read the Implementation instructions.
  6. Click Finish to complete your setup.

Note: To implement this action, it must be listed in the Actions section of one or more Active Response policies. Active Response email notifications include the Response Host ID in the title of the email. The Response ID present in the body of the email is the Response Event ID.


How To: Create and Implement a Web Action

Use this action to elicit a Web server response.

  1. When the Active Response wizard opens, specify a name for the action and select Web from the Action Type drop-down menu.
  2. Click Next or select Host Configuration from the wizard navigation pane and enter the following information to specify the destination for the HTTP/HTTPS message. If a server is not specified, then the URL must be fully specified (for example, http://xyzzy.com/page).
    1. Host Settings section
      1. IP Address of Server - IP address of the server running the HTTP/HTTPS service
      2. Port - TCP port on which the service is listening
      3. Protocol - the protocol used for communicating with the server
      4. URL - page to GET
    2. Host Authentication section
      1. For Host Authentication, select the Use Authentication checkbox.
      2. Select Authentication Type (Basic or Digest)
      3. Enter Username
      4. Enter Password
  3. Click Next or select Proxy Settings from the wizard navigation pane and provide the following information, if using a proxy service for the Web server:
    1. Proxy Host Settings section
      1. To use Proxy, select the Use Proxy Host checkbox.
      2. Enter the name or address of the Proxy Host.
      3. Enter Proxy Port number.
    2. Host Authentication section
      1. For Host Authentication, select the Use Authentication checkbox.
      2. Enter the Username to use for login authentication on the proxy host.
      3. Enter Password.
  4. If you want to test this action, click Test.
  5. Click Next to read the Implementation instructions.
  6. Click Finish to complete your setup.

Note: To implement this action, it must be listed in the Actions section of one or more Active Response policies and added to an action set that is enabled for SMS Response. An HTTP Server must be running on the HTTP destination IP and port configured for this action.
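A stand-in destination for testing the Web action, as an added example that is not Trend Micro's code: it answers only an authenticated GET on one path, which is the request the action is described as sending. The path, credentials, and port are hypothetical, and only the Basic authentication type is covered.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical values; enter the same ones in the action's Host Settings and
# Host Authentication sections.
EXPECTED_PATH = "/sms-response"
USERNAME, PASSWORD = "sms-notify", "change-me"


def basic_auth_ok(header, username, password):
    """Check an 'Authorization: Basic ...' header without a timing side channel."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        supplied = base64.b64decode(header[len("Basic "):], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return hmac.compare_digest(supplied, f"{username}:{password}".encode())


def decide(method, path, auth_header):
    """Return the HTTP status for a request: only an authenticated GET gets 200."""
    if method != "GET":
        return 405
    if not basic_auth_ok(auth_header, USERNAME, PASSWORD):
        return 401
    if path.split("?", 1)[0] != EXPECTED_PATH:
        return 404
    return 200


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = decide("GET", self.path, self.headers.get("Authorization"))
        self.send_response(status)  # also writes an access-log line to stderr
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="sms-action"')
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Plain HTTP on loopback for a local test only. Basic credentials are just
    # base64-encoded, so select HTTPS as the Protocol for a real destination.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```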


 

How To: Create and Implement an SNMP Trap Action

This action enables you to use SNMP trap notification for Active Response events.

  1. When the Active Response wizard opens, specify a name for the action and select SNMP Trap from the Action Type drop-down menu.
  2. Click Next or select Trap Destination from the wizard navigation tree.
  3. On the Trap Destination page enter the required information:
    1. Host: Specify the IP address of the host system.
    2. Port: Specify Destination Port (any value from 1-65535) or accept the default port (162).
    3. Send trap on close: If you want the SMS to send a trap when the action is closed, select that option. Otherwise, deselect the Trap option.
    4. Test OID: Object identifier (OID) that defines this trap. Numeric format is required.
  4. Click Next or the SNMP Settings tab and enter the required information:
    1. SNMP Trap Settings:
      1. SNMP Version: Specify the version of the SNMP agent. Note: The Community/User-Based Security Model options will change availability depending on the selection of the SNMP version.
      2. Community-based Security Model: If using SNMPv2, specify the community string (e.g., "public") to use when sending trap messages.
      3. User-based Security Model: If using SNMPv3, specify the user name and the authentication method and information required in your security model.
  5. Click Test to test the connection defined in this action.
  6. Click Next to read the Implementation instructions.
  7. Click Finish to complete your setup.

Note: To implement this action, it must be added to a Response policy that is enabled in an action set. An SNMP Trap receiving agent must be running on the destination port configured for this action when you implement the action.

Category: Configure; Troubleshoot; Deploy
Solution Id: TP000256167