Active Actions

In the 'Job Scheduler', you can configure an 'Action' on the result of a search query.

List of available Actions:

  • Email Action - Sends a message to the specified address. For more information, see here
  • Incident Action - Creates an incident in the Incident Manager module. For more information, see here
  • Index Events - Writes the result of a query to the index. For more information, see here
  • JDBC - Writes query results to external databases.
  • Log Event - Writes the results of a search query to the job_scheduler.log file of the Task Scheduler component.
  • MITRE ATT&CK® - Tags events as triggers of techniques and sub-techniques from the MITRE ATT&CK® database and writes the events to the index.
  • MITRE ATT&CK® Risk Scoring - Records a risk score for the trigger.
  • Run Job Action - Runs a job from the Job Scheduler.
  • Script - Runs an existing script on the server.
  • Webhook - Sends an HTTP request to a remote server.

Email Action

Description:

  • To - contains the email address of the recipient.
  • Subject - contains any contextual information about the message the sender wants to include.
  • Sign - signature at the end of the body.
  • Body - message to send. Can use HyperText Markup Language (HTML).
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result.
  • Enable time - adds server time when sending email.
  • Enable table - adds a table with search results to the message body.
  • Send file - a .csv file with the results of the search query will be added to the email.
  • Merge - merges the results of the search query into a single message.

Incident Action

Description:

  • Incident title - name of the incident.
  • Severity - severity of the events (critical, warning, normal, info).
  • Workflow - incident handling workflow.
  • Description - description of the incident.
  • Drilldown Type - the type of action that caused the incident. The default is search.
  • Drilldown Text - search query that triggered the incident.
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result.
  • Incident Fields - show fields in the incident description. Accepts local or global values.
  • Additional Fields - creates additional key-value fields in the incident card.
  • Local parameters - key-value fields for using tokens. Can use local or global value.

Index Events

Description:

  • Index name - index name.
  • Update the document - if the parameter is enabled, the same document is updated each time the query runs; otherwise a new document is created on every run.
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result.

JDBC

Description:

  • User ID - username to connect to a database.
  • Connection ID - database connection parameters.
  • Table name - a database table to record the results of a search query.
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result.

Log Event

No customization options.

MITRE ATT&CK®

The result of the Action is written to the .smos_mitre-* index. The data in the index can be used to create incidents.

Description:

  • Name - action name.
  • Rule - name of the correlation rule for which this Action is configured.
  • Layer - selects a previously created MITRE ATT&CK® layer.
  • Technique - list of MITRE ATT&CK® techniques that are categorized for this incident.
  • Severity - severity of the events (low, medium, high).
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result.
  • Additional Fields - creates additional key-value fields in the incident card.

MITRE ATT&CK® Risk Scoring

The result of the Action is written to the .saf_risk-* index. Allows you to assign a risk score, for example, to a category of users or hosts for performing controlled actions. The data in the index can be used to create incidents.

Description:

  • Name - action name.
  • Risk category - the entity for which the score is calculated (system and/or user).
  • Risk score - the number of risk points added per operation.
  • Fidelity - "weight" of the risk score. Accepts a value from 0 to 1.
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result.
  • Additional fields - creates additional key-value fields in the incident card.

Run Job Action

Description:

  • Select Action - selects an existing job in the Job Scheduler by name.
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result.

Script

The script must be located on the server that is specified in the settings of the Job Scheduler component (with SAF Remote Execution running on it). Shell and Python scripts can be run.

Description:

  • Path to the script - absolute path to the executable file on the server that needs to be run.
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result.
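Because the Script action executes whatever file the configured absolute path points at, it is worth validating that field before a job is scheduled. The following is an added example, not code from this page or from SAF: it checks that the path is absolute, normalized (no `..` segments), inside an allow-listed directory, has a shell or Python suffix, and that the file on disk is a regular, owner-executable file that is not world-writable. The allow-list directory `/opt/saf/scripts` is a constructed placeholder, not a documented SAF location.

```python
"""Validate the 'Path to the script' field of a Script action (added example)."""
import os
import stat
from typing import List

# Constructed allow-list (placeholder); a real deployment points at its own script directory.
ALLOWED_DIRS = ("/opt/saf/scripts",)
ALLOWED_SUFFIXES = (".sh", ".py")   # the page says shell and Python scripts can be run


def check_script_path(path: str, allowed_dirs=ALLOWED_DIRS) -> List[str]:
    """Static checks on the configured path. Returns a list of problems (empty if OK)."""
    problems = []
    if not os.path.isabs(path):
        problems.append("path is not absolute")
    normalized = os.path.normpath(path)
    if normalized != path:
        # '.', '..' or doubled separators can point outside the intended directory
        problems.append("path contains '.', '..' or redundant separators")
    if not any(normalized == d or normalized.startswith(d.rstrip("/") + "/")
               for d in allowed_dirs):
        problems.append("path is outside the allow-listed script directories")
    if not normalized.endswith(ALLOWED_SUFFIXES):
        problems.append("only shell (.sh) and Python (.py) scripts are allowed")
    return problems


def check_script_mode(mode: int) -> List[str]:
    """Checks on a file's st_mode: regular, owner-executable, not world-writable."""
    problems = []
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    if not mode & stat.S_IXUSR:
        problems.append("file is not executable by its owner")
    if mode & stat.S_IWOTH:
        # A world-writable script lets any local account change what the scheduler runs
        problems.append("file is world-writable")
    return problems


def check_script(path: str) -> List[str]:
    """Full check: static path rules plus on-disk permissions, if the file exists."""
    problems = check_script_path(path)
    try:
        st = os.stat(path)
    except FileNotFoundError:
        problems.append("file does not exist on this server")
        return problems
    return problems + check_script_mode(st.st_mode)


if __name__ == "__main__":
    for candidate in ("/opt/saf/scripts/notify.sh",
                      "/opt/saf/scripts/../../../bin/sh",
                      "relative/notify.py"):
        print(candidate, "->", check_script(candidate) or "OK")
```

Run the static check when the action is saved and the on-disk check on the execution server itself, since only that host can see the file's real permissions.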

Webhook

Can be used to write search task results to an external system using HTTP requests.

Description:

  • Protocol - selects the http or https protocol.
  • Host - address of the server receiving the requests.
  • Port - port of the server receiving the requests.
  • Request Action - type of request to the server (GET, POST, PUT, DELETE).
  • Request - path to the resource from the address bar, after the port. For example, path/to/source in the string https://example.source:443/path/to/source
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result.
  • Params - used to pass parameters in the address bar. Specified as key-value pairs. Example: the parameters ?param1=value1&param2=value2 in this string: https://example.source:443/path/to/source?param1=value1&param2=value2
  • Authorization - parameters for authorization on the server receiving the request.
  • Headers - headers passed to the receiving server as key-value pairs. For example, you can pass the headers User-Agent, Cookie and Authorization.
  • Body - body of the request.
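To make the relationship between these fields and the HTTP request concrete, here is an added example (not code from this page or from SAF) that assembles the request a Webhook action would send from the Protocol, Host, Port, Request, Params, Headers, Authorization and Body settings and applies the Trigger "Run Once" rule to a list of search results. It builds request descriptions only and sends nothing. Two points are assumptions: the Authorization field is modelled as HTTP Basic credentials, and the Body is filled with the search result serialized as JSON for POST and PUT; the sample results and the `saf-job-scheduler` User-Agent value are constructed.

```python
"""Assemble the HTTP request a Webhook action would send (added example)."""
import base64
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import quote, urlencode


@dataclass
class WebhookAction:
    """The Webhook action fields listed on this page."""
    protocol: str                       # "http" or "https"
    host: str                           # server receiving the request
    port: int
    request_action: str                 # GET, POST, PUT or DELETE
    request: str                        # path after the port, e.g. "path/to/source"
    params: dict = field(default_factory=dict)    # query-string key-value pairs
    headers: dict = field(default_factory=dict)   # extra headers, key-value pairs
    authorization: Optional[Tuple[str, str]] = None  # assumption: (user, password) for Basic auth
    run_once: bool = False              # Trigger "Run Once"


def build_url(action: WebhookAction) -> str:
    """Build protocol://host:port/path?params, percent-encoding path and params."""
    if action.protocol not in ("http", "https"):
        raise ValueError("protocol must be http or https")
    if action.request_action.upper() not in ("GET", "POST", "PUT", "DELETE"):
        raise ValueError("unsupported request action")
    path = "/" + action.request.lstrip("/")          # "path/to/source" -> "/path/to/source"
    url = f"{action.protocol}://{action.host}:{action.port}{quote(path)}"
    if action.params:
        # Params become the query string; urlencode escapes reserved characters such as '&'
        url += "?" + urlencode(action.params)
    return url


def build_requests(action: WebhookAction, results: List[dict]) -> List[dict]:
    """One request per search result, or only the first result when Run Once is set."""
    selected = results[:1] if action.run_once else results
    headers = dict(action.headers)
    if action.authorization is not None:
        user, password = action.authorization
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    method = action.request_action.upper()
    url = build_url(action)
    requests = []
    for result in selected:
        # Assumption: the Body carries the result as JSON for methods that have a body
        body = json.dumps(result) if method in ("POST", "PUT") else None
        requests.append({"method": method, "url": url,
                         "headers": dict(headers), "body": body})
    return requests


# Constructed sample: three results of a hypothetical failed-logon query
SAMPLE_RESULTS = [
    {"user": "alice", "src_ip": "10.0.0.5", "count": 7},
    {"user": "bob", "src_ip": "10.0.0.9", "count": 12},
    {"user": "carol", "src_ip": "10.0.0.7", "count": 3},
]

# Constructed action using the host, path and params from the page's example URL
SAMPLE_ACTION = WebhookAction(
    protocol="https", host="example.source", port=443,
    request_action="POST", request="path/to/source",
    params={"param1": "value1", "param2": "value2"},
    headers={"User-Agent": "saf-job-scheduler"},
    authorization=("svc_webhook", "placeholder-secret"),
    run_once=False,
)

if __name__ == "__main__":
    for req in build_requests(SAMPLE_ACTION, SAMPLE_RESULTS):
        print(req["method"], req["url"], req["body"])
```

With `run_once=False` the sample produces three POST requests, one per result, all to `https://example.source:443/path/to/source?param1=value1&param2=value2`; with `run_once=True` only the first result is sent. Values in Params and Request are percent-encoded, so a result field containing `&` or a space cannot alter the query string.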