FAQs for McAfee Active Response
Last Modified: 2021-07-29 16:38:46 Etc/GMT
Technical Articles ID: KB88459
Environment
McAfee Active Response (MAR) 2.x
Summary
How does MAR arrive at its behavioral definitions?
Behaviors are associated with trace rules. When a rule matches, the associated behavior is shown as part of the activity and potential threat in the Workspace. For example, if a process writes a value under the HKLM\...\Run key and that write matches a trace rule associated with persistence behavior, the persistence definition is applied.

Are MAR queries passed from ePolicy Orchestrator (ePO) to the MAR server using HTTPS (API) or DXL?
Queries passed from ePO to the MAR server use HTTPS and the REST API.

Does the MAR server need to contact the internet directly?
The MAR server does not need a direct internet connection. If the DXL broker is installed on the same appliance and configured in Bridge mode, MAR needs an internet connection to send traces to the cloud.

What is the recommended governance around the ePO Cloud Account? What happens to data if the account expires or the ePO cloud administrator leaves the company?
Cloud accounts do not expire. McAfee Enterprise will not delete the account, so you can continue to use MAR without an issue. To protect against employee turnover, make sure that your administrator creates extra logons through Business Platform Services (BPS) so that the account can be taken over.

MAR is installed properly, but the Active Response Workspace fails to show trace data despite known High Risk/Suspicious/Monitored threats being monitored on endpoint systems. Why does this issue occur?
You must enable the DXL Broker Extension to provide trace data to the MAR Workspace. This setting is meant to be enabled as part of the MAR 2.x installation process, but you can enable it at any time.
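The first answer describes behaviors as labels attached to trace rules: a rule is a predicate over a trace event, and when it matches, its behavior is reported against the process. The following is an added illustration of that matching model, written here for this article; it is not MAR's own rule engine or rule format, and the rule names, predicates and sample trace events are all constructed. The Run-key rule mirrors the FAQ's persistence example; a second constructed rule is included only to show that each matching rule contributes its own behavior independently.

```python
"""Illustrative trace-rule matcher (hypothetical; not MAR's engine or rule syntax).

Each TraceRule pairs a predicate over a trace event with a behavior label.
Every event that satisfies a rule's predicate is reported with that rule's
behavior, which is the association the FAQ describes between trace rules
and behavioral definitions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A trace event is modelled as a flat dict of string fields, for example:
# {"type": "registry_write", "process": "x.exe", "key": "...", "value": "..."}
Event = Dict[str, str]


@dataclass
class TraceRule:
    name: str                        # constructed rule identifier
    behavior: str                    # behavior label applied on a match
    matches: Callable[[Event], bool]  # predicate over one trace event


def _is_run_key(key: str) -> bool:
    """Hypothetical predicate: an HKLM registry key whose last path component is 'Run'."""
    parts = key.upper().split("\\")
    return parts[0] == "HKLM" and parts[-1] == "RUN"


def _is_temp_image(image: str) -> bool:
    """Hypothetical predicate: an executable image located under a 'Temp' directory."""
    return "\\temp\\" in image.lower()


# Constructed rule set; names, behaviors and predicates are illustrative only.
RULES: List[TraceRule] = [
    TraceRule(
        name="hklm-run-key-write",
        behavior="persistence",
        matches=lambda e: e.get("type") == "registry_write"
        and _is_run_key(e.get("key", "")),
    ),
    TraceRule(
        name="exec-from-temp",
        behavior="suspicious-execution",
        matches=lambda e: e.get("type") == "process_exec"
        and _is_temp_image(e.get("image", "")),
    ),
]


def classify(events: List[Event], rules: List[TraceRule] = RULES) -> List[Tuple[str, str, str]]:
    """Return (process, rule name, behavior) for every event/rule pair that matches.

    Rules are evaluated independently, so one event can yield several behaviors
    and one process can accumulate behaviors across many events.
    """
    hits: List[Tuple[str, str, str]] = []
    for event in events:
        for rule in rules:
            if rule.matches(event):
                hits.append((event.get("process", "?"), rule.name, rule.behavior))
    return hits


def behaviors_for(process: str, events: List[Event], rules: List[TraceRule] = RULES) -> List[str]:
    """Sorted, de-duplicated behavior labels attached to a single process."""
    return sorted({behavior for proc, _, behavior in classify(events, rules) if proc == process})


# Constructed sample trace; not captured data. The first event is the FAQ's
# persistence case: a process writing a value under the HKLM Run key.
SAMPLE_EVENTS: List[Event] = [
    {"type": "registry_write", "process": "updater.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value": "updater"},
    {"type": "registry_write", "process": "setup.exe",
     "key": r"HKLM\Software\ExampleVendor\Settings", "value": "lang"},
    {"type": "file_write", "process": "notepad.exe", "path": r"C:\Users\alice\notes.txt"},
    {"type": "process_exec", "process": "cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\a.exe"},
]


if __name__ == "__main__":
    for proc, rule, behavior in classify(SAMPLE_EVENTS):
        print(f"{proc}: rule '{rule}' -> behavior '{behavior}'")
```

Running the block reports the Run-key write by updater.exe as persistence and the Temp-directory execution by cmd.exe as suspicious execution, while the registry write to a non-autostart key and the ordinary file write match no rule and receive no behavior. That asymmetry is the point of the model: a behavior appears in the Workspace only because some trace rule matched, so a missing behavior means no rule fired, not that the activity was judged benign.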