Version: 5.0

Active Actions

In the 'Job Scheduler', you can configure an 'Action' on the result of a search query.

List of available Actions:

  • Email Action - Sends a message to the specified address. For more information, see here
  • Incident Action - Creates an incident in the Incident Manager module. For more information, see here
  • Index Events - Writes the result of a query to the index. For more information, see here
  • JDBC - Writes query results to an external database.
  • Log Event - Writes the results of a search query to the job_scheduler.log file of the Task Scheduler component.
  • MITRE ATT&CK® - Tags events as triggers of techniques and subtechniques from the MITRE ATT&CK® database and writes the events to the index.
  • MITRE ATT&CK® Risk Scoring - Records a risk score for the trigger.
  • Run Job Action - Runs a job from the Job Scheduler.
  • Script - Runs an existing script on the server.
  • Webhook - Sends an HTTP request to a remote server.

Email Action

Description:

  • To - contains the email address of the recipient
  • Subject - contains any contextual information about the message the sender wants to include
  • Sign - signature at the end of the body
  • Body - message to send. Can use HyperText Markup Language (HTML)
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result
  • Enable time - adds server time when sending email
  • Enable table - adds a table with search results to the message body
  • Send file - a CSV file with the search query results will be attached to the email
  • Merge - combines the results of a search query into a single message
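The Body field accepts HTML and "Enable table" inserts the search results into that HTML. Because result values come from log data, they should be escaped before being placed in the message, otherwise a crafted field value can inject markup into the alert email. The following added example (not code from the product or this page) shows how the "Enable table", "Merge" and "Run Once" options combine when the message bodies are built; the result rows and the function names are constructed for the illustration.

```python
import html

# Constructed sample search results (not from the original page): each
# dict is one row returned by the scheduled search. The second row
# carries markup in a field to show why escaping matters in an HTML body.
SAMPLE_RESULTS = [
    {"host": "srv-01", "user": "alice", "count": 3},
    {"host": "srv-02", "user": "<script>alert(1)</script>", "count": 12},
]


def results_table(results, columns=None):
    """Render search results as an HTML table.

    Every header and cell goes through html.escape(), so a value taken
    from log data cannot inject tags or attributes into the message.
    """
    rows = list(results)
    if not rows:
        return "<p>No results</p>"
    columns = columns or list(rows[0].keys())
    head = "".join(f"<th>{html.escape(str(c))}</th>" for c in columns)
    body = ""
    for row in rows:
        cells = "".join(
            f"<td>{html.escape(str(row.get(c, '')))}</td>" for c in columns
        )
        body += f"<tr>{cells}</tr>"
    return f"<table><thead><tr>{head}</tr></thead><tbody>{body}</tbody></table>"


def build_messages(results, body_template, sign,
                   merge=False, run_once=False, enable_table=False):
    """Return the list of HTML bodies the Email Action would send.

    merge      -> one message containing all results
    run_once   -> one message built from the first result only
    otherwise  -> one message per result
    The signature is escaped as plain text; body_template is the
    operator-authored HTML and is inserted as-is.
    """
    rows = list(results)
    if merge:
        groups = [rows]
    elif run_once:
        groups = [rows[:1]]
    else:
        groups = [[r] for r in rows]
    messages = []
    for group in groups:
        parts = [body_template]
        if enable_table:
            parts.append(results_table(group))
        parts.append(f"<p>{html.escape(sign)}</p>")
        messages.append("\n".join(parts))
    return messages


if __name__ == "__main__":
    for msg in build_messages(SAMPLE_RESULTS, "<p>Suspicious logons</p>",
                              "SOC team", merge=True, enable_table=True):
        print(msg)
```

With "Merge" enabled the two rows land in one table inside a single message; without it, and without "Run Once", each row produces its own message.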

Incident Action

Description:

  • Incident title - a short title used to identify the incident in the general list
  • Severity - the importance level of the incident
  • Workflow - the associated workflow process
  • Incident Description - a detailed explanation of the incident; the editor supports Github Flavored Markdown
  • Drilldown Type - the format of additional information:
    • Search – a search query that includes the event or additional incident details. You can set a time range to define the search scope
    • Link – a URL to external information such as documentation
  • Details - either a search query or a URL that provides additional context. If the type is Search, a time range can be specified to define the window for the search when accessing the incident. If not specified, the time boundaries from the task execution will be used
  • Execution Settings – configuration for when and how the active action is triggered
    • Do not trigger for each result – creates a single incident even if the search returns multiple results
  • Custom Fields – configurable fields defined in the module settings
  • Fields from Search Results – key-value pairs extracted from the search task results
  • Inventory Linking – configuration for linking the incident to an Inventory object and selecting the relevant fields. For more information, see the Inventory Linking documentation
  • Local Parameters – key-value pairs of local and global tokens used for dynamic data substitution

Using Tokens

For the Severity field and all fields in the Custom Fields section, you can use tokens from the search task. See Using Tokens.

In the Fields from Search Results section, you must specify the fields returned by the search query and set their value to none. This will preserve the field names from the key input when viewing the incident.

Index Events

Description:

  • Index name - name of the index to which the query results are written
  • Update the document - if the parameter is enabled, the document is updated every time a request is executed, otherwise a new one is created
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result

JDBC

Description:

  • User ID - username to connect to a database
  • Connection ID - database connection parameters
  • Table name - a database table to record the results of a search query
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result

Log Event

No customization options.

MITRE ATT&CK®

The result of the Action is written to the .smos_mitre-* index. The data in the index can be used to create incidents.

Description:

  • Name - action name
  • Rule - name of the correlation rule for which this Action is configured
  • Layer - the previously created MITRE ATT&CK® layer to which the events are assigned
  • Technique - list of MITRE ATT&CK® techniques that are categorized for this incident
  • Severity - event severity (low, medium, high)
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result
  • Additional Fields - creating additional key-value fields in the incident card

MITRE ATT&CK® Risk Scoring

The result of the Action is written to the .saf_risk-* index. Allows you to assign a risk score, for example, to a category of users or hosts for performing controlled actions. The data in the index can be used to create incidents.

Description:

  • Name - action name
  • Risk category - the entity for which the score is calculated (system and/or user)
  • Risk score - number of risk points assigned per operation
  • Fidelity - "weight" of the risk score. Accepts a value from 0 to 1
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result
  • Additional fields - creating additional key-value fields in the incident card
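The page describes Risk score as points per operation and Fidelity as the "weight" of that score in the range 0 to 1, accumulated per user and/or system. The added example below (not the product's code) shows how such weighted scores add up per entity; it assumes, as a labelled reading of the page, that each hit contributes risk_score multiplied by fidelity, and the sample hits, field names and threshold are constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample: each entry is one search result that matched a Risk
# Scoring action, together with that action's Risk score, Fidelity and
# Risk category settings. Names and values are made up for this example.
SAMPLE_HITS = [
    {"user": "alice", "host": "srv-01", "risk_score": 20, "fidelity": 1.0,
     "category": ("user", "system")},
    {"user": "bob", "host": "srv-01", "risk_score": 30, "fidelity": 0.5,
     "category": ("system",)},
    {"user": "alice", "host": "srv-02", "risk_score": 10, "fidelity": 0.8,
     "category": ("user",)},
]

VALID_CATEGORIES = {"user", "system"}


def validate_hit(hit):
    """Reject settings the page rules out: fidelity outside 0..1 or an
    unknown risk category."""
    if not 0 <= hit["fidelity"] <= 1:
        raise ValueError(f"fidelity must be between 0 and 1: {hit['fidelity']}")
    unknown = set(hit["category"]) - VALID_CATEGORIES
    if unknown:
        raise ValueError(f"unknown risk category: {sorted(unknown)}")


def aggregate_risk(hits):
    """Sum weighted risk per entity.

    Assumed formula (not stated on the page): contribution = risk_score *
    fidelity. A hit whose category includes "user" credits the user, one
    whose category includes "system" credits the host; both when both are set.
    Returns {"user": {name: total}, "system": {host: total}}.
    """
    totals = {"user": defaultdict(float), "system": defaultdict(float)}
    for hit in hits:
        validate_hit(hit)
        contribution = hit["risk_score"] * hit["fidelity"]
        for cat in hit["category"]:
            key = hit["user"] if cat == "user" else hit["host"]
            totals[cat][key] += contribution
    return {cat: dict(per_entity) for cat, per_entity in totals.items()}


def entities_over(totals, threshold):
    """List (category, entity, score) triples whose accumulated risk
    reaches the threshold; a follow-up search over the index could use
    such a list to raise an incident."""
    return sorted(
        (cat, entity, score)
        for cat, per_entity in totals.items()
        for entity, score in per_entity.items()
        if score >= threshold
    )


if __name__ == "__main__":
    totals = aggregate_risk(SAMPLE_HITS)
    print(totals)
    print(entities_over(totals, 30))
```

In the sample, alice accumulates 20 + 8 = 28 points as a user while srv-01 reaches 20 + 15 = 35 as a system; the half-fidelity hit for bob counts toward the host only, because its category does not include "user".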

Run Job Action

Description:

  • Select Action - selecting the name of an existing job in Job Scheduler
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result

Script

The script must be located on the server (with SAF Remote Execution running) that is specified in the settings of the Job Scheduler component. Allows you to run shell and Python scripts.

Description:

  • Path to the script - absolute path to the executable file on the server that needs to be run
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result

Webhook

Can be used to write search task results to an external system using HTTP requests.

Description:

  • Protocol - selecting the http/https protocol
  • Host - address of the server getting requests
  • Port - port of the server getting requests
  • Request Action - type of request to the server (GET, POST, PUT, DELETE)
  • Request - the path to the resource that follows the host and port in the URL. For example, path/to/source in the string https://example.source:443/path/to/source
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result
  • Params - used to pass parameters in the query string. Specified as a key-value pair. Example: parameters ?param1=value1&param2=value2 in this string: https://example.source:443/path/to/source?param1=value1&param2=value2
  • Authorization - parameters for authorization on the server getting the request
  • Headers - can pass the headers to the receiving server as a key-value pair. For example, you can pass headers: User-Agent, Cookie, Authorization
  • Body - body of the request
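To make the relationship between the Webhook fields and the HTTP request they produce concrete, here is an added example (not the product's implementation) that assembles the request URL from Protocol, Host, Port, Request and Params, applies the "Run Once" option, and redacts the Authorization and Cookie headers before anything is logged. The configuration dict, the result rows and the helper names are constructed for the illustration; example.source and the token value are placeholders from the page's own URL example.

```python
import json
from urllib.parse import urlencode, urlunsplit

ALLOWED_PROTOCOLS = {"http", "https"}
ALLOWED_ACTIONS = {"GET", "POST", "PUT", "DELETE"}
# Headers whose values must not reach log files or error messages.
SENSITIVE_HEADERS = {"authorization", "cookie"}

# Constructed Webhook configuration mirroring the action's fields.
WEBHOOK = {
    "protocol": "https",
    "host": "example.source",
    "port": 443,
    "request_action": "POST",
    "request": "path/to/source",
    "params": {"param1": "value1", "param2": "value2"},
    "headers": {"User-Agent": "saf-job-scheduler",
                "Authorization": "Bearer PLACEHOLDER_TOKEN"},
    "run_once": False,
}

# Constructed search results, one dict per row.
SAMPLE_RESULTS = [
    {"host": "srv-01", "user": "alice", "count": 3},
    {"host": "srv-02", "user": "bob", "count": 12},
]


def build_url(cfg):
    """Compose protocol://host:port/request?params from the config."""
    if cfg["protocol"] not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unsupported protocol: {cfg['protocol']}")
    path = "/" + cfg["request"].lstrip("/")
    query = urlencode(cfg.get("params") or {})
    return urlunsplit((cfg["protocol"], f"{cfg['host']}:{cfg['port']}",
                       path, query, ""))


def build_requests(cfg, results):
    """Return one request description per result (or one in total when
    Run Once is set). GET and DELETE carry no body; POST and PUT send the
    result row as JSON."""
    if cfg["request_action"] not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported request action: {cfg['request_action']}")
    rows = list(results)
    if cfg.get("run_once"):
        rows = rows[:1]
    url = build_url(cfg)
    requests_out = []
    for row in rows:
        body = json.dumps(row) if cfg["request_action"] in {"POST", "PUT"} else None
        requests_out.append({"method": cfg["request_action"], "url": url,
                             "headers": dict(cfg["headers"]), "body": body})
    return requests_out


def redact_headers(headers):
    """Copy of the headers with credential-bearing values masked, for logs."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


if __name__ == "__main__":
    for req in build_requests(WEBHOOK, SAMPLE_RESULTS):
        print(req["method"], req["url"], redact_headers(req["headers"]), req["body"])
```

The assembled URL for the sample configuration is exactly the page's example string, https://example.source:443/path/to/source?param1=value1&param2=value2; switching run_once on reduces two result rows to a single request.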