McAfee HISCDE-AB-IA Product Guide - Page 26
Host IPS event responses, Tips on using automatic responses
Managing Your Protection
System management

Host IPS event responses

Automatic responses can alert you to any events that occur on Host Intrusion Prevention client systems. You can configure responses when specific events are received and processed by the ePolicy Orchestrator server. Configured responses are:

• Create issues
• Execute scheduled tasks
• Run external commands
• Send SNMP traps
• Send email

You can specify the event properties specific to Host Intrusion Prevention that generate a response and the frequency that responses are sent. For complete details, see the ePolicy Orchestrator 4.5 documentation.

Preparing to create Automatic Responses

When creating Automatic Responses, be sure to do the following:

1 Understand Automatic Responses and how it works with the System Tree and your network.
2 Plan your implementation, keeping in mind that certain users need to know about certain events.
3 Prepare the components and permissions used with Automatic Responses, including:
  • Automatic Responses permissions - Create or edit permission sets and ensure that they are assigned to the appropriate ePO users.
  • Email server - Configure the email (SMTP) server at Server Settings.
  • Email contacts list - Specify the list from which you select recipients of notification messages at Contacts.
  • Registered executables - Specify a list of registered executables to run when the conditions of a rule are met.
  • Server tasks - Create server tasks for use as actions to be carried out as a result of a response rule.
  • SNMP servers - Specify a list of SNMP servers to use while creating rules. You can configure rules to send SNMP traps to SNMP servers when the conditions are met to initiate a notification message.

Tips on using automatic responses

The areas that are specific to Host Intrusion Prevention information, the Host IPS Advanced Properties, are involved in setting filters, aggregating events, and configuring the action for the rule. To use these properties, set the event group to ePO Notification Events and the event type to Threat.

Table 5: Host IPS Advanced Properties

Properties                   Value
API Name                     Name of the monitored API that triggered an event
Direction                    In/Out/Either
Host IPS Event Description   Detailed description of the event
Local IP Address             Local IP address of the system involved in the event

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5