McAfee Active Response collects real-time data from managed endpoints. Active Response collectors are components that run on managed endpoints, executed by search expressions. Collectors specify what data to collect from managed endpoints, and how to report it back to Active Response. There are two main types of collectors:
Built-in – Active Response provides these collectors by default, available after installation.
Custom – You create these collectors to gather specific data.
A name and description identify each collector. Give meaningful names and descriptions to collectors, based on the domain of the collected data, to easily find them in the Active Response Catalog.
A collector's content specifies the code that Active Response executes on a managed operating system to collect data.
The data returned by a collector is accessible through the collector's output fields. The output data fills the search results table after running a search expression. To create columns for the result table, a collector defines three attributes:
Name — Sets a column header.
Type — Specifies a data type for the values in the column.
Show by default — Sets the column to appear by default in the search results table.
Walkthrough – Custom Collector Creation
1. Open the Active Response Catalog and select Collectors. Click "New Collector".
2. Enter a name and description for this collector. We will create a Date & Time collector, which will return the Date & Time on our McAfee Active Response monitored endpoints.
3. In the Windows Collector Content, select Type: Visual Basic Script. In the accompanying text box, enter:
WScript.Echo Date() & "," & Time()
4. The custom collector will have two outputs.
5. Click the “Save” button at the top of the screen to save your new custom collector.
6. If you now run a DateTime Search, you should see the relevant values for all systems in your environment.
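The one-liner in step 3 prints the date and time in each endpoint's own regional format and local time zone, which makes results hard to compare across systems during an investigation. The following is an added example, not part of the original walkthrough or McAfee's own code: a variant of the collector content that emits UTC in a fixed format. It assumes, as the one-liner suggests, that the two output fields are filled in order from the comma-separated values the script prints; the function names are illustrative.

```vbscript
Option Explicit

' Zero-pad a number to a fixed width so every endpoint reports the same layout.
Function Pad(n, width)
    Pad = Right(String(width, "0") & CStr(n), width)
End Function

' Date field as YYYY-MM-DD, independent of the endpoint's regional settings.
Function IsoDate(d)
    IsoDate = Pad(Year(d), 4) & "-" & Pad(Month(d), 2) & "-" & Pad(Day(d), 2)
End Function

' Time field as HH:MM:SS in 24-hour form.
Function IsoTime(d)
    IsoTime = Pad(Hour(d), 2) & ":" & Pad(Minute(d), 2) & ":" & Pad(Second(d), 2)
End Function

' Convert a local date value to UTC with the WMI scripting helper
' SWbemDateTime: load the value as local time, read it back as UTC.
Function ToUtc(localTime)
    Dim dt
    Set dt = CreateObject("WbemScripting.SWbemDateTime")
    dt.SetVarDate localTime, True
    ToUtc = dt.GetVarDate(False)
End Function

Dim nowUtc
nowUtc = ToUtc(Now())

' Assumption: first value maps to the first output field, second to the second.
' Neither formatted value can contain a comma, so the split stays unambiguous.
WScript.Echo IsoDate(nowUtc) & "," & IsoTime(nowUtc)
```

Because the values are UTC and fixed-width, the two result columns sort correctly as plain strings and endpoints in different time zones can be compared directly.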