So I know HIPS does detect port scans as I confirmed it by looking through the agent logs. It did see the scan take place and recorded info. My question is, how do I get a triggered response using the "automatic response" feature in EPO 4.5?
We do not use HIPS, so I can only offer some clues that I think might be useful.
So, I would set up an AR on Client Events and try the following filter conditions:
- Event Description EQ Host Intrusion detected and handled
- (tentative) Error EQ ... (depending on the HIPS event list, if there is one)
I have also used the Type and Event ID, as these can narrow the events down further (for port blocking, for example).
My practice is to run several SELECTs directly against the database to gather useful information on the fields and their content, and then prepare the AR based on what I find.
I hope I could be of some help. If not, I am sorry.
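Added example (not part of the post above, and not McAfee's own code) of the kind of SELECTs the reply describes, written for the ePO SQL Server database. It assumes the `dbo.EPOEvents` table (one row per client threat event) with the columns named below, and the `dbo.EPOEventFilterDesc` lookup table with `EventId` and `Desc` columns that map an event ID to the description shown in the Automatic Response filter; the `LIKE` patterns used to spot intrusion and port-scan events, and the `@CandidateEventID` placeholder, are assumptions as well. Check the names against your own schema before relying on them.

```sql
-- Added example, not from the original post. Table and column names are
-- assumptions about the ePO 4.x schema; verify them before use.

-- 1. Which event IDs / descriptions look like HIPS intrusion events, how often
--    they fire, and which Type values they carry. The EventDescription column
--    is what goes into the "Event Description EQ ..." filter, and ThreatEventID
--    is what goes into an "Event ID" filter.
SELECT  e.ThreatEventID,
        d.[Desc]             AS EventDescription,   -- [Desc] is a reserved word
        e.ThreatType,
        COUNT(*)             AS EventCount,
        MIN(e.ReceivedUTC)   AS FirstSeen,
        MAX(e.ReceivedUTC)   AS LastSeen
FROM    dbo.EPOEvents e
        LEFT JOIN dbo.EPOEventFilterDesc d ON d.EventId = e.ThreatEventID
WHERE   d.[Desc]     LIKE '%intrusion%'   -- assumption: HIPS descriptions contain this
   OR   e.ThreatName LIKE '%scan%'        -- assumption: port-scan signatures contain this
GROUP BY e.ThreatEventID, d.[Desc], e.ThreatType
ORDER BY EventCount DESC;

-- 2. For one candidate event ID, look at which fields actually carry data, so
--    the AR filter only tests columns that are populated (an EQ condition on
--    an empty column never matches).
DECLARE @CandidateEventID int;
SET @CandidateEventID = 0;   -- placeholder: replace with an ID returned by query 1

SELECT TOP (50)
        e.ReceivedUTC,
        e.DetectedUTC,
        e.ThreatEventID,
        e.ThreatType,
        e.ThreatName,
        e.ThreatActionTaken,
        e.ThreatHandled,
        e.Analyzer,
        e.SourceIPV4,
        e.TargetHostName,
        e.TargetPort,
        e.TargetProtocol
FROM    dbo.EPOEvents e
WHERE   e.ThreatEventID = @CandidateEventID
ORDER BY e.ReceivedUTC DESC;
```

Run the first query, pick the description and event ID that correspond to the port scan you saw in the agent log, then use the second query to confirm which of the Type, Action Taken and Target fields are filled in for those rows before adding them as extra AR filter conditions.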