After the security scope is in Protected Mode, you can review and edit the rule behavior. By default, the remediation action is set to Alert and enforcement is automatic. If the behavior is malicious, you can change the remediation action.

Prerequisites

The security scope is in Protected Mode.

Procedure

  1. Log in to the AppDefense Manager.
  2. From the left navigation pane, click Scopes.
    The Scopes home page appears.
  3. Click the required scope.
  4. Go to the Services tab.
  5. Click the behavior card for which you want to edit the rule settings.
  6. On the process details page, click Edit.
  7. Go to the Rules tab.
  8. Click Edit.
  9. Go to the required rule and, next to Remediation Action, click the arrow next to Alert.
  10. Select the remediation action that you want to set for the rule. You can select the following actions:
    Note: A user with the Analyst role can select advanced remediation actions such as quarantine, suspend, or power off only when permitted by the Administrator.
    • Quarantine: Removes the virtual machine from the network, isolating it from the rest of your environment. To use the Quarantine action, AppDefense must be integrated with NSX Data Center. For details on the integration, refer to Configuring the Quarantine Remediation Action With NSX Data Center in Installing AppDefense.
    • Suspend: Suspends the virtual machine directly on the vCenter Server.
    • Power Off: Powers off the virtual machine directly on the vCenter Server.
    • Snapshot: Takes a snapshot of the virtual machine.
    • Alert: The default remediation action. An alert is displayed on the AppDefense Manager > Alerts page.
    • Block and Send Alert: Blocks the process or the connection. Process monitoring blocks the process before it starts running. The Block and Send Alert remediation action for process monitoring is not supported for Linux members.
    • Kill Process: Terminates all instances of the selected CLI(s) for that process along with the associated network connections. The Kill Process action applies to all behaviors for the corresponding process.
  11. Select the rule enforcement method.
    • If you want to take certain remediation actions on your own, change the setting to manual: click Manually from the list. The rule is then set to require a manual remediation action. The Manual option is not available for the Alert and Block and Send Alert actions.
    • If you want the system to take the remediation action automatically, click Automatically from the list.
      Note: Automatic remediation actions apply only to critical alerts and not to monitoring events.
  12. Click Update.

Results

Rule settings are updated, and alerts are received according to the rule settings.