Use the Computer-based active responses in LEM

Updated: September 15, 2017

 

To perform Windows-based actions related to computers and computer services on your LEM Agents, use the following Computer-based active responses. These actions are useful for responding to insider abuse, computer infections, and other suspicious activity. They can be automated in a LEM rule or executed manually from the Respond menu in the LEM console.

  • Disable Windows Machine Account
  • Enable Windows Machine Account
  • Disable Networking
  • Detach USB Device
  • Restart Machine
  • Restart Windows Service
  • Send Popup Message
  • Shutdown Machine
  • Start Windows Service
  • Stop Windows Service

Requirements

Configure the Windows Active Response connector on each LEM Agent on which you want to be able to use these active responses.

Deploy your LEM Agents and configure the Windows Active Response connector based on where you want to perform these actions. To perform actions at the domain level, deploy a LEM Agent to at least one domain controller. To perform actions at the local level, deploy a LEM Agent to each computer you want to be able to respond to.

To configure the Windows Active Response connector on a LEM Agent:

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click the Manage tab, and then select Nodes.

  3. Locate the LEM Agent on which you want to enable the connector.

  4. Click the gear icon to the left of the LEM Agent, and then select Connectors.

  5. Enter Windows Active Response in the Search box at the top of the Refine Results pane.

  6. Click the gear icon next to the connector, and then select New.

  7. Enter a custom Alias for the new connector, or accept the default.

  8. Click Save.

  9. Click the gear icon next to the new connector, denoted by an icon in the Status column, and then select Start.

  10. Click Close to exit the Connector Configuration window.

Create or clone rules to perform the action:

  1. When creating or cloning a rule, locate the action in the lower left part of the Rule Creation screen.

  2. Drag the action under the rule Actions.

  3. Fill in the appropriate fields.