Setting up automatic responses

Take immediate action against threats and outbreaks by automatically executing commands or sending emails when events occur.

McAfee ePO responds when the conditions of an automatic response rule are met. You specify the actions that make up the response, and the type and number of events that must meet the condition to trigger the response.

By default, an automatic response rule can include these actions:

- Create an issue.
- Execute server tasks.
- Run external commands.
- Run system commands.
- Send an email message.
- Send SNMP traps.

Note: You can also configure external tools installed on the McAfee ePO server to run an external command.

Managed products increase the number of actions you can select. The products that you manage with McAfee ePO determine the types of events you can create an automatic response rule for.

Here are some typical conditions that might trigger an automatic response:

- Detection of threats by your antivirus software.
- Outbreak situations. For example, 1,000 virus-detected events are received in five minutes.
- High-level compliance of McAfee ePO server events. For example, a repository update or a replication task failed.

- Using Automatic Responses: You can specify which events trigger a response, and what that response is.
- Event thresholds: Setting event thresholds lets you tailor the frequency of automatic responses to fit the needs and realities of your environment.
- Default automatic response rules: Enable the default McAfee ePO response rules for immediate use while you learn more about the feature.
- Response planning: Before creating automatic response rules, think about the actions you want the McAfee ePO server to take.
- Determine how events are forwarded: Determine when events are forwarded and which events are forwarded immediately.
- Choose a notification interval: This setting determines how often the automatic response system is notified that an event has occurred.
- Viewing Automatic Responses page: Create, edit, view, or delete automatic responses for specific types of events.
- Actions page (Response Builder): Specify one or more actions to take in response to an event. The event type you specified in the Description page of the Response Builder determines available actions. You can specify multiple actions to take by clicking +. Each action must be configured using the action options defined in the table.
- Aggregation page (Response Builder): Use the Aggregation page of the Response Builder to specify how many times you want the response to be triggered by the event, and whether you want to group the events using a specific filter.
- Description page (Automatic Response Builder): Use the Description page of the Response Builder to specify a name, a description, event group and type, and status for an automatic response.
- Edit Email Server page: Configure the email server that McAfee ePO uses to send automatic email messages from the cloud to selected individuals.
- Edit Event Filtering page: Use this page to specify which events are forwarded to the McAfee ePO server.
- Edit Event Notifications page: Use this page to specify the startup of Notification Events, and the interval between the Notifications to check for new events.
- Edit Response Configuration page: Use this page to configure the McAfee ePO response server settings.
- Filter page (Response Builder): Use the Filter page of the Response Builder to specify the criteria to use for filtering events.
- Import Response Rules page: Review the rules and their details, and choose whether they are enabled before importing. Rules are displayed in the pane on the left, details on the right. Click each rule to review the details.
- Import Response Rule page: Use this page to import a previously exported response rule. The default format of the exported response rule file is Rule_<ResponseRuleName>.xml.
- Response Details page: Use this page to view response details.
- Summary page (Response Builder): Allows you to review the information for the automatic response to an event.
- Client Events page: Use this page to check for client events for the selected system.