

About LEM response actions

Updated: September 15, 2017

See Create a new LEM rule to monitor and respond to events to learn how to create an active response rule.

About LEM active response

An active response (also called an event response) in LEM is an action that LEM takes in response to suspicious activity or an attack. Active response actions include Block IP, Disable Networking, Log Off User, Kill Process, Detach USB Device, and so on.

The Respond drop-down menu in Monitor view provides a list of actions you can execute for a specific event message. Each Respond command opens the Respond form. This form includes data from the field you selected and options for customizing the action, similar to configuring the active response for a rule in the rule creation window.

The Respond menu is context-sensitive. The event type or cell currently selected in the event grid determines which responses you can choose.

Select an event response

In the Respond form, you can use the default field information to complete the form.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click Monitor view, locate an event in the event grid, and click Pause.

  3. Select the event in the grid.

  4. Click Respond and select an action.

    The drop-down menu contains a list of commonly-used actions. If your action does not appear in the list, select All Actions.

  5. In the Respond form, click the Action drop-down menu and verify that the action applies to your selected event.


  6. Complete any remaining fields in the form.

  7. Click OK to execute the action.

  8. Click Resume to receive new events in the event grid.

Select an event response using drag-and-drop text

In the Respond form, drag and drop information from the Event and Information fields into the configuration fields to complete the form. Use this method to add content to a blank configuration field or replace the content of an existing configuration field.

  1. In the Monitor view, locate an event in the event grid and click Pause.

  2. Select the event in the grid.

  3. Click Respond and select an action.

    The drop-down menu contains a list of commonly-used actions. If your action does not appear in the list, select All Actions.

  4. In the Respond form, click the Action drop-down menu and verify that the action applies to your selected event.


  5. In the Respond form’s event information grid, scroll to locate the field that contains the data element needed to configure the action.

  6. Click and drag an event field into the appropriate action configuration field.


  7. Complete any remaining fields as required.

  8. Click OK to execute the action.

  9. Click Resume to receive new events in the event grid.

Use LEM active responses to perform Windows actions related to users, groups, and domains

Use the following user-based active responses to perform Windows-based actions related to users, groups, and domains on your LEM Agents.

  • Add Domain User To Group
  • Add Local User To Group
  • Create User Account
  • Create User Group
  • Delete User Account
  • Delete User Group
  • Disable Domain User Account
  • Disable Local User Account
  • Enable Domain User Account
  • Enable Local User Account
  • Log Off User
  • Remove Domain User From Group
  • Remove Local User From Group
  • Reset User Account Password

These actions are useful for responding to unauthorized change-management activity and for automating user-related maintenance. They can be automated in a LEM rule or executed manually from the Respond menu in the LEM console. Because they change live account state, test an automated rule against its trigger conditions before enabling it, and keep break-glass and service accounts out of its scope: a rule that disables an account after repeated failed logons can otherwise be turned against you by anyone who can generate those failures for an administrator account.
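The drag-and-drop procedure above binds each field of the Respond form either to a field of the selected event or to a constant, and the user-based actions listed here are the ones most often automated that way. The following Python model is an added example, not SolarWinds or LEM code: it resolves such bindings for a batch of constructed logon-failure events and plans Disable Domain User Account responses with the two guards an automated lockout rule should have, a protected-account list and one response per account. The event field names (EventName, DestinationAccount, DetectionIP), the domain controller Agent name, the account names, the threshold and the sample events are all assumptions made for the demonstration.

```python
"""Added example, not SolarWinds or LEM code: a small model of how a
Respond form binds each action field either to an event field (read from
the triggering event) or to a constant typed into the form, and how an
automated Disable Domain User Account rule should guard itself.

Assumptions: the field names (EventName, DestinationAccount, DetectionIP),
the DC Agent name, the account names and the threshold are invented for
the demonstration; the sample events are constructed, not real LEM output.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class EventField:
    """Bind an action field to a named field of the triggering event."""
    name: str


@dataclass(frozen=True)
class Constant:
    """Bind an action field to a fixed value typed into the form."""
    value: str


Binding = Union[EventField, Constant]


@dataclass
class ActiveResponse:
    action: str
    bindings: Dict[str, Binding]


def resolve(response: ActiveResponse, event: Dict[str, str]) -> Dict[str, str]:
    """Resolve the bindings into concrete parameters for one event.

    A missing event field raises instead of yielding an empty string:
    an account action with a blank account name must never execute.
    """
    params: Dict[str, str] = {}
    for field_name, binding in response.bindings.items():
        if isinstance(binding, Constant):
            params[field_name] = binding.value
        elif binding.name in event:
            params[field_name] = event[binding.name]
        else:
            raise KeyError(f"event has no {binding.name!r} for field {field_name!r}")
    return params


# Assumed break-glass and service accounts that no automated rule may disable.
PROTECTED_ACCOUNTS = frozenset({"breakglass-admin", "svc-backup"})


def plan_lockouts(response: ActiveResponse, events: List[Dict[str, str]],
                  threshold: int = 5) -> Tuple[List[Dict[str, str]], List[str]]:
    """Plan at most one response per account with >= threshold failed logons.

    Returns (actions, skipped): parameter sets to execute, and accounts that
    crossed the threshold but are protected. Counting per account, rather
    than firing once per event, stops a logon-failure flood from queuing
    dozens of identical disable actions.
    """
    failures = Counter(e["DestinationAccount"] for e in events
                       if e["EventName"] == "UserLogonFailure")
    actions: List[Dict[str, str]] = []
    skipped: List[str] = []
    for account, count in failures.items():
        if count < threshold:
            continue
        if account in PROTECTED_ACCOUNTS:
            skipped.append(account)
            continue
        trigger = next(e for e in events
                       if e["EventName"] == "UserLogonFailure"
                       and e["DestinationAccount"] == account)
        actions.append(resolve(response, trigger))
    return actions, skipped


# The rule as it would be filled in on the form: the DC Agent is a constant,
# the account is dragged from the event's DestinationAccount field.
DISABLE_DOMAIN_USER = ActiveResponse(
    action="Disable Domain User Account",
    bindings={
        "Domain Controller Agent": Constant("dc01.corp.example"),
        "Destination Account": EventField("DestinationAccount"),
    },
)


def _failure(account: str, src: str) -> Dict[str, str]:
    return {"EventName": "UserLogonFailure", "DestinationAccount": account,
            "DetectionIP": src}


# Constructed sample events: a password spray against one ordinary user and
# one break-glass admin from the same source, plus two stray failures.
SAMPLE_EVENTS: List[Dict[str, str]] = (
    [_failure("jdoe", "203.0.113.7") for _ in range(6)]
    + [_failure("breakglass-admin", "203.0.113.7") for _ in range(6)]
    + [_failure("asmith", "198.51.100.4") for _ in range(2)]
    + [{"EventName": "UserLogon", "DestinationAccount": "jdoe", "DetectionIP": "10.0.0.5"}]
)

if __name__ == "__main__":
    planned, protected = plan_lockouts(DISABLE_DOMAIN_USER, SAMPLE_EVENTS)
    for params in planned:
        print(DISABLE_DOMAIN_USER.action, params)
    print("protected, not disabled:", protected)
```

Run as a script, the model plans a single Disable Domain User Account response for jdoe and reports breakglass-admin as protected even though it crossed the threshold; asmith's two failures stay below it. The design point is in resolve and plan_lockouts: a binding to a missing event field is an error rather than an empty parameter, and the decision is made once per account rather than once per event, which is the difference between one response and a queue of identical ones when an attacker floods the trigger.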

Configure an active response connector on a LEM Agent

Configure the Windows active response connector on each LEM Agent that requires active responses.

You can deploy your LEM Agents and configure the Windows active response connector based on where you want to perform these actions. To perform actions at the domain level, deploy a LEM Agent to at least one domain controller. To perform actions at the local level, deploy a LEM Agent to each computer that requires a response.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

    Log in as an administrator.

  2. Click Manage > Nodes.

  3. Locate the Agent in the Nodes grid that requires a connector.

  4. Click the gear icon next to the Agent and select Connectors.

  5. Enter Windows Active Response in the Search box at the top of the Refine Results pane.

  6. Click the gear icon next to the connector and select New.

  7. Enter a custom Alias for the new connector, or accept the default.

  8. Click Save.

  9. Click the gear icon next to the new connector and select Start.

  10. Click Close to exit the Connector Configuration window.

Actions LEM can take to respond to events

The following list describes the actions a LEM Manager can take to respond to events. You configure these actions in the Respond form when you initiate an active response manually, and in the Actions box of the rule window when you configure a rule's automatic response.

The actions are listed alphabetically for easy reference. Each entry briefly states how the action behaves and then lists the primary data fields that apply to it. Some data fields vary, depending on the options you select.

Add Domain User To Group

This action adds a domain user to a specified user group that resides on a particular Agent.

Domain Controller Agent

Select the event field or constant that defines the Agent on which the group to be modified resides.

To modify a group at the domain level, specify a domain controller as the Agent.

Group Name

Select the event field or constant that defines the group that is to be modified.

Username

Select the event field or constant that defines the user who is to be added to the group.

Add Local User To Group

This action adds a local user to a specified user group that resides on a particular Agent.

Agent

Select the event field or constant that defines the Agent on which the group to be modified resides.

To modify a group at the domain level, specify a domain controller as the Agent.

Group Name

Select the event field or constant that defines the group that is to be modified.

Username

Select the event field or constant that defines the user who is to be added to the group.

Add User-Defined Group Element

This action adds a new data element to a particular user-defined group.

User-Defined Group

From the User-Defined Groups list, select the User-Defined Group that is to receive the new data Element.

Value

Select the event field or constant that defines the data element that is to be added to the specified User-Defined Group. The fields will vary according to which User-Defined Group you select.

Append Text To File

This action appends text to a file. This lets you take data from an event and write it to a text file on an Agent.

Agent

Select the event field or constant that defines the Agent on which the file to be appended is located.

File Path

Select the event field or constant that defines the path to the Agent file that is to be appended with text.

Text

Select the event field or constant that defines the text to be appended to file.

Block IP

This action blocks an IP address.

IP Address

Select the event field or constant that identifies the device’s IP address.

Create User Account

This action creates a new user account on an Agent.

Agent

Select the event field or constant that defines the Agent on which the new user account is to be added.

To create a user account at the domain level, specify a domain controller as the Agent.

Account Name

Select the event field or constant that names the account that is to be created.

Account Password

Select the event field or constant that defines the password that is to be assigned to the new account.

Create User Group

This action creates a specified user group on an Agent.

Here, a user group is a Windows group (local or domain) on a Windows PC, server, or network, external to the LEM system; it is not a LEM user-defined group.

Agent

Select the event field or constant that defines the Agent on which the new user group is to reside.

To create a user group at the domain level, specify a domain controller as the Agent.

Group Name

Select the event field or constant that defines which user group is to be created.

Delete User Account

This action deletes a user account from an Agent.

Agent

Select the event field or constant that defines the Agent on which the user account is to be deleted.

To delete a user account at the domain level, specify a domain controller as the Agent.

Account Name

Select the event field or constant that names the account that is to be deleted.

Delete User Group

This action deletes a user group from a particular Agent.

Agent

Select the event field or constant that defines the Agent on which the user group to be deleted resides.

To delete a user group at the domain level, specify a domain controller as the Agent.

Group Name

Select the event field or constant that defines the user group that is to be deleted.

Detach USB Device

This action detaches a USB mass storage device that is connected to an Agent.

Agent

Select the event field or constant that defines the Agent from which the USB device is to be detached.

Device

Select the event field or constant that defines the device ID of the USB device that is to be detached.

Disable Domain User Account

This action disables a Domain User Account on a Domain Controller Agent.

Domain Controller Agent

Select the event field or constant that defines the Domain Controller Agent on which the domain user is to be disabled.

Destination Account

Select the event field or constant that defines the account that is to be disabled.

Disable Local User Account

This action disables a local user account on an Agent.

Agent

Select the event field or constant that defines the Agent on which the local user is to be disabled.

Destination Account

Select the event field or constant that defines the account that is to be disabled.

Disable Networking

This action disables an Agent’s network access.

The result is that the specified Agent will be unable to connect to the network.

Agent

Select the event field or constant that defines the Agent that is to be disabled from the network.

Message

Type the message that is to appear on the Agent.

Disable Windows Machine Account

This action disables a Windows machine account that resides on a Domain Controller Agent.

Domain Controller Agent

Select the event field or constant that defines the Domain Controller Agent on which the account is to be disabled.

Destination Account

Select the event field or constant that specifies which Windows account is to be disabled.

Enable Domain User Account

This action enables a Domain User Account on a Domain Controller Agent.

Domain Controller Agent

Select the event field or constant that defines the Domain Controller Agent on which the domain user is to be enabled.

Destination Account

Select the event field or constant that defines the account that is to be enabled.

Enable Local User Account

This action enables a local user account on an Agent.

Agent

Select the event field or constant that defines the Agent on which the local user is to be enabled.

Destination Account

Select the event field or constant that defines the account that is to be enabled.

Enable Windows Machine Account

This action enables a Windows machine account that resides on a Domain Controller Agent.

Domain Controller Agent

Select the event field or constant that defines the Domain Controller Agent on which the account is to be enabled.

Destination Account

Select the event field or constant that specifies which Windows account is to be enabled.

Incident Event

This action escalates potential issues by creating an Incident Event.

Event

Select which Incident Event the rule is to create.

Event Fields

From the list pane, select the event fields and constants that define the appropriate data elements for each event field. The fields vary, depending on which Incident Event is selected.

Infer Event

This action escalates potentially irregular audit traffic into security events by creating (or “inferring”) a new event with a higher severity.

Event

Select which Event the rule is to infer.

Event Fields

From the list pane, select the event fields and constants that define the appropriate data elements for each event field. The fields vary, depending on which event is selected.

Kill Process by ID

This action terminates the specified process on an Agent by using its process ID value.

Agent

Select the event field or constant that defines the Agent on which the process is to be terminated.

Process ID

Select the event field or constant that identifies the ID number of the process that is to be terminated.

Kill Process by Name

This action terminates the specified process on an Agent by referring to the process name.

Agent

Select the event field or constant that defines the Agent on which the process is to be terminated.

Process Name

Select the event field or constant that identifies the name of the process that is to be terminated.

Account Name

Select the event field or constant that identifies the name of the account that is running the process to be terminated.

Log Off User

This action logs the user off of an Agent.

Agent

Select the event field or constant that defines the Agent from which the user is to be logged off.

Account Name

Select the event field or constant that identifies the specific account name that is to be logged off.

Modify State Variable

This action modifies a state variable.

State Variable

From the State Variables list, drag the state variable that the rule is to modify.

State Variable Fields

From the appropriate component list, type or drag the data element that is to be modified in the state variable. The fields vary, depending on which state variable is selected.

Remove Domain User From Group

This action removes a domain user from a specified user group that resides on a particular Agent.

Domain Controller Agent

Select the event field or constant that defines the domain controller Agent on which the group to be modified resides.

Group Name

Select the event field or constant that defines the group that is to be modified.

User Name

Select the event field or constant that defines the user who is to be removed from the group.

Remove Local User From Group

This action removes a local user from a specified user group that resides on a particular Agent.

Agent

Select the event field or constant that defines the Agent on which the group to be modified resides.

Group Name

Select the event field or constant that defines the group that is to be modified.

User Name

Select the event field or constant that defines the user who is to be removed from the group.

Remove User-Defined Group Element

This action removes a data element from a particular user-defined group.

User-Defined Group

From the User-Defined Groups list, select the user-defined group from which the specified data element is to be removed.

Value

Select the event field or constant that defines the data element that is to be removed from the specified user-defined group. The fields will vary according to which user-defined group you select.

Reset User Account Password

This action resets a user account password on a particular Agent.

Agent

Select the event field or constant that identifies the Agent on which the user password is to be reset.

To reset an account at the domain level, specify a domain controller as the Agent.

Account Name

Select the event field or constant that identifies the user account that is to be reset.

New Password

Select the event field or constant that defines the user’s new password.

Restart Machine

This action reboots an Agent.

Agent

Select the event field or constant that identifies the Agent that is to be rebooted.

Delay (sec)

Type the time (in seconds) after the event occurs that the Manager is to wait before rebooting the Agent.

Restart Windows Service

This action restarts the specified Windows service on an Agent.

Agent

Select the event field or constant that identifies the Agent on which the Windows service will be restarted.

Service Name

Select the event field or constant that identifies the name of the service that is to be restarted.

Send Email Message

This action sends a preconfigured email message to a predetermined email distribution list.

Email Template

Select the template that the email message is to use.

Recipients

Click the check boxes to select which users are to receive the email message.

Email Fields

Either drag a field from the components list, or select a constant from the components list to select the appropriate data elements that are to appear in each email template field. The fields vary, depending on which email template is selected.

Send Popup Message

This action displays a pop-up message to an Agent.

Agent

Select the event field or constant that identifies the Agent that is to receive the pop-up message.

Account Name

Select the event field or constant that identifies the user account to receive the message.

Message

Select the event field or constant that defines the message that is to appear on the Agent’s monitor.

Shutdown Machine

This action shuts down an Agent.

Agent

Select the event field or constant that identifies the Agent that is to be shut down.

Delay (sec)

Type the time (in seconds) after the event occurs that the Manager is to wait before shutting down the Agent.

Start Windows Service

This action starts the specified Windows service on an Agent.

Agent

Select the event field or constant that identifies the Agent on which the Windows service is to be started.

Service Name

Select the event field or constant that defines the Windows service that is to be started.

Stop Windows Service

This action stops the specified Windows service on an Agent.

Agent

Select the event field or constant that identifies the Agent on which the Windows service is to be stopped.

Service Name

Select the event field or constant that defines the Windows service that is to be stopped.
