Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Creating Discovery Policies > Copying or moving discovered files > Preparing and running the remediation scripts
Preparing and running the remediation scripts
Administrator Help | TRITON AP-DATA | Version 8.3.x
STEP 1: Configure CopyFiles and MoveFiles
1.
Open the scripts in Notepad. By default, they're located in the RunCommands directory where TRITON AP-DATA is installed.
2.
In the CopyFiles script, define the destination of the copied files in the "Location" field. This location should either be a network share accessible to all servers and/or endpoints running discovery in the form of a UNC path, or a local path on the server and/or endpoints running discovery. For example:
*
Location = r'\\InfosecServer1\Quarantine'
or
*
Location = r'c:\secure\quarantine'.
Using a network location is usually recommended but might not be possible if you are performing endpoint discovery on endpoints that are not always connected to the corporate network. When performing endpoint discovery and choosing a local quarantine, be sure to exclude that folder from all the discovery tasks to avoid triggering incidents on the quarantine.
Notice that the remediation script does not perform any deletions from the quarantine location, so it is up to you to perform routine cleanup operations on this location.
3.
In the MoveFiles script, define the destination of the moved files in the "Location" field. Refer to step 2 for requirements in this field.
*
DaysKeepActiveFiles - Number of days to keep files parameter.
*
QuarantineMsg - Stubbed file created by MoveFiles
4.
In the Data module of the TRITON Manager, select Main > Policy Management > Resources > Remediation Scripts.
5.
Select New > Endpoint Script or Policy Script.
6.
Enter a name and description for one of the discovery scripts.
7.
Browse to the executable file of interest: CopyFiles.py or MoveFiles.py. By default, they're located in the RunCommands directory where TRITON AP-DATA is installed. Note that it is not necessary to complete the fields on the Linux tab of the Add Policy Remediation Script window.
8.
Enter a user name and password for an administrator that has: read permissions to the archive folder, access to all directories in the network, and read/write privileges to all files scanned in the discovery. CopyFiles needs read permissions to all scanned files, and read/write permission to the archive (quarantine) folder. MoveFiles also needs write permissions to all scanned files.
9.
Click OK.
10.
Repeat steps 4-9 for the other script.
STEP 2: Add the remediation scripts to an action plan
1.
Select Main > Policy Management > Resources > Action Plans.
2.
Select an action plan or select New from the toolbar.
3.
On the Discovery tab, do one of the following:
*
Select the check box Run remediation script, and select the script to run.
*
Select the check box Run endpoint remediation script, and select the script to run for endpoint discovery.
4.
Click OK.
STEP 3: Add the action plan to a policy
1.
Select Main > Policy Management > Discovery Policies.
2.
Select the rule of interest and click Edit.
3.
Navigate to the Severity & Action page.
4.
Select the action plan.
5.
Click OK.
4. Deploy your changes
The remediation script will run when discovery incidents are triggered on the selected policy.
* 
Note 
Keep in mind: The users that you define in the User Credentials above should be users that:
*
Are administrators with access privileges to all directories in the network.
*
Have read/write privileges to all files that are scanned by the discovery process
If remediation scripts will access shares that are under a Active Directory domain, the Data Security server must be part of the domain as well.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Creating Discovery Policies > Copying or moving discovered files > Preparing and running the remediation scripts
Copyright 2016 Forcepoint LLC. All rights reserved.