4.6 Correlation Actions

The Action Manager allows you to configure repeatable actions. There are several different types of actions that can be configured and then associated with a correlation rule deployment; each type is described in the sections that follow.

NOTE: Although all of these actions can be used in Correlation rule deployments, only the JavaScript actions can be used in other areas of the Sentinel Control Center. For more information, see Section 17.0, Action Manager and Integrator.

Actions associated with a Correlation rule are executed when the deployed Correlation rule fires (with the frequency of the execution determined by settings on the Update Criteria window of the Correlation Rule Wizard).

If no action is specifically selected when deploying a correlation rule, a correlated event with the following default settings is created:

Table 4-4 Default Settings

  Field Name      Default Values
  Severity        4
  Event Name      Final Event Name
  Message         <message>
  Resource        Correlation
  SubResource     <Rule Name>

4.6.1 Configuring a Correlated Event

Figure 4-2 Configure Correlated Event

NOTE: This type of action can only be used in Correlation deployments.

To override the default values for the correlated event created when a rule fires, an action can be created to populate the following fields in the correlated event:

  • Severity

  • Event Name

  • Message

  • Resource

  • SubResource

4.6.2 Adding to a Dynamic List

Figure 4-3 Adding to a Dynamic List

NOTE: This type of action can only be used in Correlation deployments.

This action type can be used to add a constant value or the value of an event attribute (such as Target IP or Initiator User Name) to an existing dynamic list. Any values that are repeated across multiple events are only added to the dynamic list once. The various parameters available are:

Table 4-5 Parameters

  Option              Function
  Element Values      (Optional) Specify a constant value to add to the dynamic list. If this is
                      blank, Attribute Names must be populated.
  Element Type        Persistent or Transient.
  Dynamic List Name   Select an existing dynamic list from the drop-down menu.
  Attribute Names     (Optional) For every event that is part of a correlated event, the value or
                      values of the selected event attribute are added to the dynamic list. If this
                      is blank, Element Values must be populated.

If there are entries for both Element Values and Attribute Names, both are added to the dynamic list when the rule fires. If Element Values is filled in and the Element Type is Transient, the time stamp for the element in the dynamic list is updated each time the rule fires.

4.6.3 Removing a Value from a Dynamic List

Figure 4-4 Removing a Value from a Dynamic List

NOTE: This type of action can only be used in Correlation deployments.

This action type can be used to remove a constant value or the value of an event attribute (such as Target IP or Initiator User Name) from an existing dynamic list. The various parameters available are:

Table 4-6 Parameters

  Option              Function
  Element Values      Specify a constant value to remove from the list.
  Dynamic List Name   Select an existing dynamic list from the drop-down menu.
  Attribute Names     For every event that is part of a correlated event, the value or values of the
                      selected event attribute are deleted from the dynamic list.

4.6.4 Executing a Command

Figure 4-5 Executing a Command

NOTE: This type of action can only be used in Correlation deployments.

This action type can be used to execute a command when a correlated event triggers. You can set the following parameters:

  • Command: The command to execute.

  • Arguments: The arguments passed to the command. These can include constants or references to an event attribute in the last event, the one that caused the rule to fire.

References to event attributes must use the values in the meta tag column enclosed in % or $ symbols. For example, %InitIP% represents the initiator IP address value from the Correlated event, except in the Configure Correlated Event action: because the Correlated event has not yet been created when that action is executed, the InitIP value there comes from the trigger event. $InitIP$ always represents the value from the current event. %all% and $all$ are equivalent; they pass a limited set of attributes from both the trigger event and the Correlated event, along with some Correlation rule data, to a Correlation action. They are provided primarily for backward compatibility with existing Correlation actions and cannot be used in JavaScript actions or in the Configure Correlated Event action. For more information on meta tags, see Sentinel 6.1 Rapid Deployment Event Fields in the Sentinel Rapid Deployment Reference Guide.

Command actions can be created to perform a non-interactive action, such as modifying a firewall policy, entering a record in a database, or deactivating a user account. For an action that generates output, such as a command to run a vulnerability scan, the command should refer to a script that runs the command and then writes the output to a file.

NOTE: By default, the action output is stored to the working directory, <install_directory>/data. The action output can be written to a different directory by specifying a different storage location for the output file in the script.

4.6.5 Creating an Incident

Figure 4-6 Configure Action: Create Incident

NOTE: This type of action can only be used in Correlation deployments.

This action type creates an incident whenever a correlated event fires. You can also initiate an iTRAC workflow process for remediation of that incident. For more information about the values of the following parameters, see Section 5.0, Incidents Tab.

  • Responsible

  • Title

  • Category

  • Severity

  • Priority

  • State

  • (Optional) iTRAC Process list for configured iTRAC processes

  • (Optional) Action Plugin to Execute list for configured JavaScript actions

IMPORTANT: Do not enable the Create Incident action until the correlation rule has been tuned. If the rule fires frequently, the system can create more incidents or initiate more iTRAC workflow processes than desired.

4.6.6 Sending an E-mail

Figure 4-7 Configure Action: Send Email

NOTE: This type of action can only be used in Correlation deployments.

This action type can be used to send an e-mail when a correlated event triggers. The various parameters available are:

Table 4-7 Parameters

  Option              Function
  To                  Specify the recipient e-mail address.
  Subject             Specify the subject of the message.
  Formatter Name      The body of the e-mail contains the correlated event formatted as "xml" or
                      "Name Value Pair", depending on what you select.

4.6.7 Imported JavaScript Action Plugins

For information on JavaScript actions and how to debug them, see Section 17.1, Action Manager. The JavaScript actions can be used in many places throughout the Sentinel interface.