Active response

Active responses perform various countermeasures to address active threats, such as blocking access to an agent from the threat source when certain criteria are met.

Active responses execute a script in response to the triggering of specific alerts based on the alert level or rule group. Any number of scripts can be initiated in response to a trigger, however, these responses should be considered carefully. Poor implementation of rules and responses may increase the vulnerability of the system.

Contents

• How it works
  • When is an active response triggered?
  • Where are active response actions executed?
  • Active response configuration
  • Default Active response scripts
• Configuration
  • Basic usage
  • Windows automatic remediation
  • Block an IP with PF
  • Add an IP to the iptables deny list
  • Active response for a specified period of time
  • Active response that will not be undone
• FAQ
  • Can I use a custom script for active responses?
  • Can I configure active responses for only one host?
  • Can an active response remove the action after a period of time?