Implementing response rules
Response rules are defined independently from policies.
You must have response rule authoring privileges to create and manage response rules.
- Review the available response rules.
- The Manage > Policies > Response Rules screen displays all configured response rules and is the starting point for adding new ones
- Click Add Response Rule to define a new response rule
- At the New Response Rule screen, select one of the following options:
  - Automated Response - The system automatically executes the response action as the server evaluates incidents (default option)
  - Smart Response - An authorized user executes the response action from the Incident Snapshot screen in the Enforce Server administration console
- Click Next to configure the response rule.
- Enter a response Rule Name and Description
- Optionally, define one or more Conditions to dictate when the response rule executes. If no condition is declared, the response rule action always executes when there is a match (assuming that the detection rule is configured the same). Skip this step if you selected the Smart Response rule option.
- Select and configure one or more Actions. You must define at least one action
- Click Save to save the response rule definition
- Decide the type of response rule to implement: Smart, Automated, or both
- Determine the type of actions you want to implement and any triggering conditions
- Understand the order of precedence among response rule actions of different types and of the same type
- Integrate the Enforce Server with an external system (if required for the response rule)
- Add a new response rule
- Configure response rules
To add an automated response rule to a policy
- Log on to the Enforce Server administration console with policy authoring privileges
- Navigate to the Manage > Policies > Policy List > Configure Policy screen for the policy you want to add a response rule to
- Select the response rule you want to add from those available in the drop-down menu
- Click Add Response Rule to add the response rule to the policy