
How To - Creating Reactions

Creating Reactions


Introduction


McAfee Active Response lets you specify actions to take on managed endpoints, either manually or automatically, through the use of Reactions. A Reaction can be triggered automatically through the use of “Triggers” or run manually during the course of an investigation using McAfee Active Response Search.

The central part of a Reaction is its content: a script that runs on the endpoint when the Reaction is triggered. Reaction content supports arguments, which may be passed in by the Trigger that invokes the Reaction.

For a full description of Reaction content syntax, see the McAfee Active Response Product Guide and the Release Notes.

Walkthrough – Creating Reactions


This walkthrough creates two Reactions: one that writes a timestamp to a local log file when it is triggered, and a second that displays a simple dialog to the local user.

1. Open the Active Response Catalog, select Reactions, and click “New Reaction”.


2. Enter a name and description.


3. For the reaction content, enter:


          time ^/t  >> c:\traplog.txt

          (The ‘^’ character is a mandatory escape sequence, required for the slash character in this context.)



4. There are no Arguments for this Reaction. Save the Reaction.

5. As a second example, we’ll create a Reaction that displays a simple dialog to the local user. Create a new Reaction.


6. Enter the content for the Reaction.

          msg * File {{filename}} created


7. Enter the Arguments for the Reaction. The content above references the filename argument by enclosing its name in double braces: {{filename}}. Save the Reaction once you are done.


We have now created Reactions that can be used by Triggers we create in the future. These Reactions can also be executed from the McAfee Active Response search results, as shown in the McAfee Active Response Product Guide.
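A pre-save check for Reaction content such as the two Reactions above, as an added example that is not part of the original walkthrough and is not McAfee code. It assumes that `{{name}}` placeholders are replaced textually with the argument value; the function names, the allowed placeholder characters, and the list of rejected cmd.exe metacharacters are assumptions made for illustration.

```python
import re

# Placeholder form shown in step 6: {{name}}. Allowed name characters are an assumption.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# Characters cmd.exe treats specially; a conservative deny-list (assumption).
CMD_META = set('&|<>^%"\r\n')

# Reaction content copied from the walkthrough (steps 3 and 6).
TIMESTAMP_CONTENT = r"time ^/t  >> c:\traplog.txt"
DIALOG_CONTENT = "msg * File {{filename}} created"


def lint_reaction(content, declared):
    """Return (undeclared, unused): placeholders with no declared argument,
    and declared arguments the content never references."""
    used = set(PLACEHOLDER.findall(content))
    declared = set(declared)
    return sorted(used - declared), sorted(declared - used)


def preview(content, values):
    """Render the command line for review, refusing missing values and
    values that would change the meaning of the command under cmd.exe."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for argument {name!r}")
        bad = CMD_META.intersection(values[name])
        if bad:
            raise ValueError(f"argument {name!r} contains {sorted(bad)}")
        return values[name]
    return PLACEHOLDER.sub(substitute, content)


if __name__ == "__main__":
    # Constructed sample value, not taken from the page.
    sample = {"filename": r"C:\Temp\report.docx"}
    print(lint_reaction(TIMESTAMP_CONTENT, []))          # no arguments expected
    print(lint_reaction(DIALOG_CONTENT, ["filename"]))   # declared and used
    print(preview(DIALOG_CONTENT, sample))
```

Running the check against Trigger-supplied values before a Reaction is enabled shows the exact command line the endpoint would receive under the textual-substitution assumption.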

Version history
Revision #: 1 of 1
Last update: 09-30-2015 03:06 PM
Updated by: