
Using the Kill Process Active Response

Created by Caroline Juszczak, last modified by Kevin.Swinson on Oct 27, 2017


Use the Kill Process active response to end Windows processes on your LEM agents. This response stops suspicious or unauthorized processes. You can automate the response with a LEM rule or run it manually from the Respond menu in the LEM Console.

Configure the Windows Active Response connector on each LEM agent on which you need the active response.

  1. Open your LEM Console and log in to your LEM Manager as an administrator.
  2. Click Manage > Nodes.
  3. Locate the LEM agent that requires the active response connector.
  4. Click the gear icon next to the targeted LEM agent and select Connectors.
  5. Enter Windows Active Response in the Refine Results search box.
  6. Click the gear icon next to the connector and select New.
  7. Enter a custom alias for the new connector or accept the default.
  8. Click Save.
  9. Click the gear icon next to the new connector and select Start.
  10. Click Close to exit the Connector Configuration window.

Configure a Kill Process active response rule

You can configure the rule to kill a process by the detection IP address or by the process name. Determine the type of event that triggers the rule, which is typically an event such as ProcessAudit.

The Kill Process active response acts on the ProcessID field of the corresponding LEM alert. Use Kill Process By ID when the ProcessID value is a number, and use Kill Process By Name when the ProcessID value is a process name.

When you create LEM rules that use these actions, consider adding both so that the rule works regardless of how Windows logs the process identifier.

  1. Click Build > Rules.
  2. Select a rule template or an existing rule, or click the plus icon in the toolbar to create a new rule.
  3. Click the Events tab and select ProcessAudit.
  4. To kill a process by the detection IP address: in the Fields: ProcessAudit menu, click and drag the DetectionIP field into the Correlations box.
  5. To kill a process by name: in the Fields: ProcessAudit menu, click and drag the DetectionIP field and then the SourceAccount field into the Correlations box.
  6. Add the Kill Process By ID and Kill Process By Name actions to the rule, as described above.
  7. Click Save.
  8. Click Activate Rules.
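The dispatch logic the two actions rely on, as an added example that is not SolarWinds LEM code: the ProcessID field of constructed sample alerts is classified as a numeric PID (decimal, or the hex form Security event 4688 uses for New Process ID) or as an image name, the DetectionIP and SourceAccount correlations from the rule above are applied, and the matching taskkill command is built (a dry run by default). PROTECTED_PIDS, the sample alerts and the helper names are assumptions made for illustration.

```python
import re
import subprocess
from dataclasses import dataclass

# Hypothetical helper (not LEM code): reproduces, outside LEM, the decision a
# Kill Process rule makes from a ProcessAudit alert's ProcessID field, so the
# By ID / By Name split and the correlation filters can be tested offline.

# PIDs that must never be a target: 0 is the System Idle Process, 4 is System.
PROTECTED_PIDS = {0, 4}

# Constructed sample alerts shaped like the ProcessAudit fields the rule above
# correlates on (DetectionIP, SourceAccount, ProcessID). Not real LEM output.
SAMPLE_ALERTS = [
    {"DetectionIP": "10.0.0.25", "SourceAccount": "CORP\\jdoe", "ProcessID": "4712"},
    {"DetectionIP": "10.0.0.25", "SourceAccount": "CORP\\jdoe", "ProcessID": "0x1268"},
    {"DetectionIP": "10.0.0.25", "SourceAccount": "CORP\\jdoe", "ProcessID": "mimikatz.exe"},
    {"DetectionIP": "10.0.0.25", "SourceAccount": "CORP\\jdoe",
     "ProcessID": r"C:\Users\jdoe\AppData\Local\Temp\payload.exe"},
    {"DetectionIP": "10.0.0.25", "SourceAccount": "CORP\\jdoe", "ProcessID": "4"},
    {"DetectionIP": "10.0.0.99", "SourceAccount": "CORP\\svc_backup", "ProcessID": "880"},
]


@dataclass(frozen=True)
class KillAction:
    kind: str     # "by_id" (Kill Process By ID) or "by_name" (Kill Process By Name)
    target: str   # decimal PID or image name
    argv: tuple   # taskkill command line that implements the action


def classify_process_id(value):
    """Map a ProcessID field to ("by_id", pid) or ("by_name", image_name).

    Windows logs the identifier inconsistently: Security event 4688 records
    New Process ID in hex (0x1268), other sources use decimal, and some
    report the image name or a full path instead. All four forms are handled.
    """
    v = value.strip()
    if re.fullmatch(r"\d+", v):
        return "by_id", int(v)
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", v):
        return "by_id", int(v, 16)
    image = re.split(r"[\\/]", v)[-1]   # taskkill /IM takes an image name, not a path
    if not image:
        raise ValueError(f"unusable ProcessID value: {value!r}")
    return "by_name", image


def build_action(alert, detection_ip, source_account):
    """Apply the rule's correlations, then choose the matching Kill Process action."""
    if alert["DetectionIP"] != detection_ip:
        return None
    # Windows account names are case-insensitive, so compare them that way.
    if alert["SourceAccount"].casefold() != source_account.casefold():
        return None
    kind, target = classify_process_id(alert["ProcessID"])
    if kind == "by_id":
        if target in PROTECTED_PIDS:
            raise ValueError(f"refusing to kill protected PID {target}")
        return KillAction("by_id", str(target), ("taskkill", "/F", "/PID", str(target)))
    return KillAction("by_name", target, ("taskkill", "/F", "/IM", target))


def run_rule(alerts, detection_ip, source_account, execute=False):
    """Evaluate every alert; return (actions taken, alerts skipped with reasons).

    execute=False is a dry run: the taskkill command is built but not run.
    """
    actions, skipped = [], []
    for alert in alerts:
        try:
            action = build_action(alert, detection_ip, source_account)
        except ValueError as err:
            skipped.append((alert, str(err)))
            continue
        if action is None:
            skipped.append((alert, "correlations not matched"))
            continue
        if execute:
            subprocess.run(action.argv, check=False)
        actions.append(action)
    return actions, skipped


if __name__ == "__main__":
    taken, dropped = run_rule(SAMPLE_ALERTS, "10.0.0.25", "CORP\\jdoe")
    for a in taken:
        print(a.kind, " ".join(a.argv))
    for alert, why in dropped:
        print("skipped", alert["ProcessID"], "->", why)
```

Two caveats when the rule runs for real: Kill Process By Name (taskkill /IM) ends every process on the host with that image name, not only the one the alert describes, and a PID from an older alert may already have been reused by an unrelated process. Keep the alert-to-response latency short, and prefer the By ID action whenever the alert carries a numeric value.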