How Active Response works

Active Response is composed of a cloud service, the server, a set of extensions, and endpoint clients.

The Active Response client, which runs on managed endpoints, includes a Trace module that scans and captures data about potential threats (processes) on the managed endpoints. This data is then sent to cloud storage via the Data Exchange Layer. The Trace module is available on Microsoft Windows systems only.

The Active Response Threat Workspace, installed as an extension to McAfee® ePolicy Orchestrator® (McAfee® ePO™), retrieves the data stored in the cloud and enables visualization of threats that are seen across the endpoints. In-depth investigation of a threat is performed in the Threat Workspace, with additional information retrieved on-demand from the endpoints by the Active Response server. You can remediate a threat from the Threat Workspace, and the remediation actions take effect immediately on the endpoints. You can also block future recurrences of a threat by changing the reputation of a process, which is updated in the Threat Intelligence Exchange server.

Overview

This diagram shows an overview of how Active Response works.

1 Active Response client

The Active Response client agent runs on endpoints. It enables:

  • Continuous collection of potential threat information
  • Responses to information queries from the Active Response server
  • Execution of remediation actions on specific threats

The incident information gathered from endpoints is aggregated and stored in the customer's cloud storage. Active Response supports both Windows and Linux endpoints. The Linux solution currently does not support the continuous incident-information gathering capability.

2 Data Exchange Layer

The Data Exchange Layer (DXL) brokers and clients are the communication channel for Active Response operations. For details about using DXL, see the Data Exchange Layer Product Guide.

3 DXL Cloud Bridge

The DXL component that connects your network to the Active Response Cloud Storage and Services.

4 McAfee® ePolicy Orchestrator® (McAfee® ePO™) and Active Response extensions

McAfee ePO is the management platform for all McAfee products. The managed products have their own extensions. Active Response has two main extensions.

  • Threat Workspace — Enables the visualization of potential threat information gathered from the endpoints. In-depth investigation of a potential threat is performed in the Threat Workspace, with additional information retrieved on-demand from the endpoints by the Active Response server. You can remediate a potential threat from the Threat Workspace, and the remediation actions take effect immediately on the endpoints.
  • Active Response search — Enables real-time searches over the endpoints. It also provides the ability to save searches, create custom collectors, and define triggers and reactions.

5 Cloud Storage and Services

The potential threat information from the endpoints is stored in the cloud (up to 90 days of endpoint data). Aggregation of endpoint data in the cloud provides the overall health status of the enterprise. If endpoint data is not sent to the cloud (for example, because an endpoint is offline), the Threat Workspace displays only past information, if any is available in the cloud storage. If no potential threat information is available in the cloud for any of the endpoints, the Threat Workspace does not display potential threat information. Search features still retrieve real-time information from endpoints that are reachable.

6 Active Response server

This is the central coordinator of the Active Response solution. It communicates with the Active Response client running on managed endpoints to collect data and execute remediation actions.

7 Threat Intelligence Exchange servers

The reputation management system that provides reputation information and helps to investigate threats. You can override a reputation setting in the Threat Workspace, and that setting is sent to the Threat Intelligence Exchange (TIE) server and updated throughout your environment.