How does McAfee Active Response (MAR) arrive at its behavioral definitions?
Behaviors are associated with trace rules. When a rule matches, the associated behavior is shown as part of the activity and potential threat in the workspace.
For instance, if a process tries to write a value under the HKLM\...\Run key and that write matches a trace rule associated with the persistence behavior, the persistence definition is applied to the activity.
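To make the rule-to-behavior mapping concrete, here is an added example that is not McAfee code: a small evaluator that tags constructed endpoint trace events with a behavior label whenever they match a hypothetical trace rule (the rule names, event fields, and sample events are all assumptions, and the Run-key pattern deliberately wildcards the path between the hive and the key name).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TraceRule:
    """Hypothetical trace rule: an operation plus a key-path pattern,
    tagged with the behavior label a match implies."""
    name: str
    operation: str
    key_pattern: re.Pattern
    behavior: str


@dataclass(frozen=True)
class TraceEvent:
    """Constructed endpoint trace event (not real MAR telemetry)."""
    process: str
    operation: str
    key: str
    value_name: str = ""


# Assumed rules: any write to a Run or RunOnce key under HKLM is persistence.
RULES = (
    TraceRule("run-key-write", "registry_write",
              re.compile(r"^HKLM\\.*\\Run$", re.IGNORECASE), "persistence"),
    TraceRule("runonce-key-write", "registry_write",
              re.compile(r"^HKLM\\.*\\RunOnce$", re.IGNORECASE), "persistence"),
)

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def normalize_hive(key: str) -> str:
    """Fold long hive names onto the short form so a rule written
    against HKLM also matches HKEY_LOCAL_MACHINE."""
    hive, sep, rest = key.partition("\\")
    short = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return short + sep + rest


def match_behaviors(event: TraceEvent, rules=RULES) -> list:
    """Return the distinct behavior labels of every rule the event matches.
    Operation must match too, so a read of the Run key is not tagged."""
    key = normalize_hive(event.key)
    labels = []
    for rule in rules:
        if rule.operation == event.operation and rule.key_pattern.search(key):
            if rule.behavior not in labels:
                labels.append(rule.behavior)
    return labels


def classify_trace(events, rules=RULES) -> list:
    """Keep only events that matched a rule, paired with their labels."""
    tagged = [(e.process, match_behaviors(e, rules)) for e in events]
    return [(proc, labels) for proc, labels in tagged if labels]
```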
Are Active Response queries passed from ePolicy Orchestrator to the MAR server via HTTPS (API) or via DXL?
Queries passed from ePolicy Orchestrator (ePO) to the MAR server use HTTPS and the REST API.
Does the MAR server need to contact the internet directly?
The MAR server does not need a direct internet connection of its own. However, if the DXL broker is installed on the same appliance and configured in Bridge mode, that appliance does need an internet connection so that MAR can send traces to the cloud.
What is the recommended governance around the ePO Cloud Account? What happens to data if the account expires or the ePO cloud administrator leaves the company?
Cloud accounts do not expire. McAfee will not delete the account, so you can continue to use MAR without interruption. To protect against employee turnover, make sure that your administrator creates additional logons through Business Platform Services (BPS) so that another administrator can take over the account.
MAR is installed properly, but the Active Response Workspace fails to show trace data even though known High Risk, Suspicious, or Monitored threats are present on endpoint systems. Why does this issue occur?
The DXL Broker Extension must be enabled to provide trace data to the MAR Workspace. This setting is enabled as part of the installation process for MAR 2.x, but you can also enable it at any time:
- Open the ePO console and navigate to Server Settings.
- Select DXL Topology, then click Edit.
- Select your DXL Broker.
- Next to Broker Extension, select the Provides trace data to the cloud for MAR Workspace option.
- Click Save.