
How to integrate ATD 3.6.0 with Active Response

Introduction

     The purpose of this document is to guide the user through integrating ATD 3.6.0 with McAfee Active Response. The outcome is a list of hosts in the connected environment that have a file identified by ATD, made available in the ATD report.


Getting Started

     The integration between ATD and Active Response was introduced in ATD version 3.6.0 and works with MAR version 1.0. All other dependencies (DXL Broker, DXL client and McAfee Agent) come from McAfee Active Response.

Configuration

     In ATD, navigate to the "Manage --> ePO Login/DXL" page. Check the "Enable Active Response" box and click "Apply".

    

 

     In ePO, navigate to Menu --> Server Settings --> DXL Topic Authorization and select "Edit" in the lower right corner.

 

     In the "Edit DXL Topic Authorization" window, find the "MAR Server API" row. You'll notice that only the MARSERVER tag is allowed to communicate via the Send Tags and Receive Tags columns. We need to add ATD to the Send Tags column, since ATD is the side that publishes the query. To do this, select the box next to "MAR Server API", then "Action" at the bottom left.

     In the "Restrict Send Tags" window that opens, select the tag "ATDDXL", then select "OK", then "Save".

    

    

     To verify the tag, go to your System Tree, find your ATD appliance and check which tags are listed in the "Tags" column. In my ePO the appliance carries both the "ATDDXL" and "workstation" tags.

         *Note: if possible, authorize only the "ATDDXL" tag. Topic authorization is granted per tag, not per system, so authorizing the "workstation" tag would give every system carrying that tag (a much broader set than the ATD appliance) the right to send on the MAR Server API topic. For the same reason, make sure the "ATDDXL" tag itself is applied only to the ATD appliance.

    

     ATD is now able to run a query through MAR and report which systems have the file sample that was just run in the sandbox.
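Because the authorization above is tied to a tag rather than to the appliance, the check worth automating is "which systems actually carry the tag I just authorized?". The script below is an added example, not part of the original article or of any McAfee tool. It fetches the System Tree through the ePO web API and reports every system that carries the send-authorized tag, so you can confirm the set is exactly your ATD appliance(s), and it shows how many systems would gain send rights if the broad "workstation" tag were authorized instead. The command name (system.find), the URL form, the optional "OK:" prefix on the response and the field names (EPOComputerProperties.ComputerName, EPOLeafNode.Tags as a comma-separated string) are assumptions about the ePO remote API; confirm them against your ePO version with core.help. The sample response is constructed for the example.

```python
"""Audit which ePO systems carry a DXL send-authorized tag.

Added example, not from the original article or any McAfee product.
Assumptions (verify against your ePO with core.help):
  - GET https://<epo>:8443/remote/system.find?searchText=&:output=json
    returns a JSON list of systems, possibly prefixed with "OK:".
  - Each system has "EPOComputerProperties.ComputerName" and
    "EPOLeafNode.Tags" (comma-separated tag names).
"""
import base64
import json
import ssl
import urllib.request

AUTHORIZED_TAG = "ATDDXL"      # tag added to the MAR Server API Send Tags above
BROAD_TAG = "workstation"      # the tag the article warns against authorizing

# Constructed sample in the assumed system.find JSON shape (not real data).
SAMPLE_RESPONSE = """OK:
[
  {"EPOComputerProperties.ComputerName": "ATD01",
   "EPOLeafNode.Tags": "Workstation, ATDDXL"},
  {"EPOComputerProperties.ComputerName": "WS01",
   "EPOLeafNode.Tags": "Workstation"},
  {"EPOComputerProperties.ComputerName": "WS02",
   "EPOLeafNode.Tags": "Workstation, Finance"},
  {"EPOComputerProperties.ComputerName": "SRV01",
   "EPOLeafNode.Tags": "Server"}
]
"""


def parse_system_find(raw):
    """Parse system.find output; strip the assumed 'OK:' status prefix if present."""
    body = raw.strip()
    if body.startswith("OK:"):
        body = body[3:].lstrip()
    return json.loads(body)


def tags_of(system):
    """Normalise the comma-separated tag string into a lower-cased set."""
    raw = system.get("EPOLeafNode.Tags") or ""
    return {t.strip().lower() for t in raw.split(",") if t.strip()}


def senders_for_tag(systems, tag):
    """Hostnames that would be allowed to send if `tag` were authorized on a topic."""
    return sorted(s.get("EPOComputerProperties.ComputerName", "")
                  for s in systems if tag.lower() in tags_of(s))


def audit_tag_scope(systems, expected_atd_hosts, tag=AUTHORIZED_TAG):
    """Return (unexpected_senders, missing_appliances) for the authorized tag.

    unexpected_senders: systems carrying the tag that are not ATD appliances
                        (they inherit the MAR Server API send right).
    missing_appliances: expected ATD appliances that do not carry the tag
                        (their queries will be rejected by the broker).
    """
    expected = {h.lower() for h in expected_atd_hosts}
    holders = senders_for_tag(systems, tag)
    unexpected = [h for h in holders if h.lower() not in expected]
    missing = sorted(expected - {h.lower() for h in holders})
    return unexpected, missing


def fetch_systems(epo_base_url, user, password, insecure=False):
    """Call the assumed system.find remote command over HTTPS basic auth.

    Not executed in the offline example; insecure=True only for lab self-signed certs.
    """
    url = epo_base_url.rstrip("/") + "/remote/system.find?searchText=&:output=json"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    ctx = ssl._create_unverified_context() if insecure else ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_system_find(resp.read().decode("utf-8"))


SAMPLE_SYSTEMS = parse_system_find(SAMPLE_RESPONSE)

if __name__ == "__main__":
    systems = SAMPLE_SYSTEMS  # replace with fetch_systems("https://epo:8443", "user", "pw")
    unexpected, missing = audit_tag_scope(systems, ["ATD01"])
    print(f"{AUTHORIZED_TAG} holders:", senders_for_tag(systems, AUTHORIZED_TAG))
    print("unexpected senders:", unexpected, "missing appliances:", missing)
    print(f"systems that would gain send rights via '{BROAD_TAG}':",
          senders_for_tag(systems, BROAD_TAG))
```

Run it after the topic-authorization change: an empty unexpected-senders list means only the appliance(s) you named can publish on the MAR Server API topic, and the last line makes the difference between the two tags concrete for your own System Tree.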

 

    

Comments

Hi,

Have you tested Active Response if you have the following DXL infrastructure?

1) EPO_A with TIE_A and DXLBroker_A and MAR_Server_A

2) EPO_B with TIE_B and DXLBroker_B

TIE_A has an incoming bridge for TIE_B.

TIE_B has an outgoing bridge for TIE_A.

In my lab I have the following problems.

Problem A: A client managed by EPO_A connects to a DXL Broker from EPO_B. Afterwards, DXL is not working anymore for the client.

Problem B: Active Response queries are not working if the client is not directly connected to the DXL Broker on the MAR Server.

Any ideas?

Cheers

Version history
Revision 2 of 2
Last update: 02-23-2018 07:02 AM
