How to integrate ATD 3.6.0 with Active Response

Version 1

    Introduction

         The purpose of this document is to guide the user through integrating ATD 3.6.0 with McAfee
         Active Response.  The outcome will be a list of hosts in a connected environment that have a file
         identified by ATD and available in an ATD report.

     


    Getting Started

     

         The integration between ATD and Active Response was introduced in ATD version 3.6.0 and
         integrates with MAR version 1.0.  All other dependencies for the DXL Broker, DXL client and McAfee
         Agent come from McAfee Active Response.

     

    Configuration

     

         In ATD, navigate to the "Manage --> ePO Login/DXL" page.  Check the "Enable Active Response"
         box and hit "Apply".

     

        

     

         In ePO, navigate to Menu --> Server Settings --> DXL Topic Authorization and select "Edit" in the lower right corner.

     

        

         In the "Edit DXL Topic Authorization" window, find the MAR Server API column.  You'll notice that only the
         MARSERVER is allowed to communicate via Send and Receive Tags.  We need to add ATD to the Send
         Tags column.  To do this, select the box next to the "MAR Server API", then "Action" on the bottom left.

     

     

         In the "Restrict Send Tags" window that opens, select the tag "ATDDXL", then select "ok", then "save".

     

        

        

     

         To verify the tag, go to your System Tree, find your ATD appliance and see which tags are listed in the "Tags"
         column.  In my ePO I have both the "ATDDXL" and "workstation" tag.
             *Note: if possible, select only the "ATDDXL" tag, as the "workstation" tag applies to a broader definition
             and authorizing it would allow more than the ATD appliance to send.


        

     

         ATD is now able to run a query and report which systems have the file sample that was just run in the sandbox.