ePolicy Orchestrator® 3.6 Walkthrough Guide
Rogue System Detection
Configuring automatic responses for specific events
You can configure automatic responses so that ePolicy Orchestrator responds
automatically to Rogue System Detection events. There are two specific Rogue
System Detection events for which you can configure automatic responses:

Rogue Machine Detected. A new system is found that was not already found in the ePolicy Orchestrator database.

Subnet Uncovered. A subnet in your network that does not have a rogue system sensor installed is discovered.

You can also configure responses for any event.
An automatic response can contain one or more of the actions described in the
following table. For example, if you configure a response to deploy an ePolicy
Orchestrator agent to newly-detected systems, you may also want to send an e-mail to
administrators to follow up on the agent installation.
Table 5-5 Actions available for automatic responses

| Action | Description |
|---|---|
| Add to ePO tree | Adds the system to a Rogue System site within the Directory. After the system is added to this site, you can move the system to an appropriate location manually. |
| Mark for Action | Selects the detected system as a system still needing action. |
| Mark as Exception | Marks the selected system as a machine that does not require an agent, for example routers and printers. For example, in your organization you may reserve a range of IP addresses within each subnet for network equipment such as routers, switches, and printers. You can create an automatic response to mark such equipment as exceptions and add a condition to initiate the response only if the detected system's IP address falls within a certain range. Or perhaps your vendors for network equipment are always different from your vendors for server or workstation systems. In this case, you can use the OUI Org condition to initiate an automatic response to mark systems as exceptions if the system's MAC address contains a specific vendor code. |
| Push ePO Agent | Instructs the server to deploy an agent to the selected system. |
| Query ePO agent | Queries the detected system to ascertain whether there is an agent installed on it. This query is required when using the Alien Agent rogue type. Consider creating an automatic response that uses this action if you have multiple servers in your network. If travellers from other parts of your organization frequently log on to your network, they appear as rogue systems even if they have an agent from another server installed. |
| Remove Host | Hides the detected system in the Machine List table but does not delete it from the database. |
| Send E-mail | Sends a pre-configured e-mail message to pre-configured recipients. |
| Send ePO Server Event | Forwards Rogue System Detection and Subnet Uncovered events to the server. This is required if you plan to use Notifications to automatically send e-mail alerts for Rogue System Detection events. |
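
The two Mark as Exception conditions described in the table (reserved IP range and MAC vendor code) can be sketched as follows. This is an added illustration, not ePolicy Orchestrator code; the address range, vendor code, function names and the fallback to Mark for Action are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample policy (not from the guide): a range reserved for network
# equipment, and a placeholder vendor code for the equipment supplier.
RESERVED_RANGES = [("192.0.2.1", "192.0.2.31")]
EQUIPMENT_OUIS = {"001122"}

def normalize_mac(mac):
    """Return the MAC as 12 uppercase hex digits, or None if malformed."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def vendor_oui(mac):
    """Return the 3-byte vendor code, or None when the address carries none."""
    digits = normalize_mac(mac)
    if digits is None:
        return None
    # Locally administered (0x02) and group (0x01) addresses are not
    # vendor-assigned, so their first three bytes say nothing about a vendor.
    if int(digits[:2], 16) & 0x03:
        return None
    return digits[:6]

def in_reserved_range(ip):
    """True if ip lies inside any reserved range (bounds inclusive)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    for low, high in RESERVED_RANGES:
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False

def choose_action(ip, mac):
    """Return (action, reason); either condition alone marks an exception."""
    if in_reserved_range(ip):
        return ("Mark as Exception", "IP address in reserved range")
    if vendor_oui(mac) in EQUIPMENT_OUIS:
        return ("Mark as Exception", "MAC vendor code matches")
    return ("Mark for Action", "no exception condition matched")

if __name__ == "__main__":
    # Constructed detections: (IP address, MAC address)
    for ip, mac in [("192.0.2.10", "00-AA-BB-01-02-03"),
                    ("192.0.2.200", "0011.2233.4455"),
                    ("192.0.2.200", "02:11:22:33:44:55")]:
        print(ip, mac, choose_action(ip, mac))
```

A MAC address is reported by the detected system itself, so a vendor-code match is weaker evidence than an address range you control; periodically reviewing systems marked as exceptions keeps the rule from hiding unmanaged hosts.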