Actions API

Active actions can be configured as a result of executing a search query. Active actions are created in the context of creating a task.

Sending an Email

Sends a message to the specified address. The name of the element in the array of active actions is email.

Name	Syntax	Description
to	<string>	Recipient's address.
recipient_group_id	<string>	Recipient group ID. (More details Recipient Groups).
smtp_id	<string>	SMTP settings ID (More details SMTP).
subject	<string>	Email subject.
body	<string>	Email body.
html	<bool>	Indicates whether the body is in html format.
sign	<string>	Email signature.
enable_time	<bool>	Adds the email sending time.
enable_table	<bool>	Adds a table with the search result to the email body.
send_file	<bool>	Adds a file with the search result to the email body.
file_name	<string>	Name of the file attached to the email.
file_type	<string>	File type. Can take values such as json, csv, xls.
is_once	<bool>	Determines whether the active action is run for the entire query result or for each result separately.

warning

If smtp_id is not specified in the Mail Action, the sender settings will be taken from the .sm_settings index.

warning

If the recipient_group_id parameter is not specified in the Mail Action, the recipient will be the user specified in the to parameter.

danger

If the email is not being sent, you need to check the write permissions for SMTP, Recipient Groups, and Recipient entries in the group. If any entry lacks the "all_access" role in read permissions, it needs to be added.

POST {index_name}/_update/{record_id}
{
  "doc": {
    "_permissions": {
      "read": {
        "roles": [
          "all_access"
        ],
        "users": []
      },
      "write": {
        "roles": [],
        "users": []
      },
      "owner": "admin"
    }
  }
}

:::

Incident Action

Creating an Incident in the Incident Manager Module

The name of the element in the array of active actions is incident.

Name	Syntax	Description
drilldown_type	<string>	Drill-down type. Accepts values link and search.
drilldown_context	<string>	Drill-down context.
incident_title	<string>	Incident title.
incident_description	<string>	Incident description.
incident_type	<string>	Incident type. Accepts values default, metric, scoring.
severity	<int>	Severity.
line	<string>	Line.
status	<string>	Status.
log	<string>	Log.
fields	<object>	Object where the key is the old name from the search result, and the value is the new name for the field from the search result.
custom_fields	<object>	Custom fields in key-value format.
custom_fields_s	<string>	Custom fields in key-value format but represented as a string.
workflow_id	<string>	Workflow ID.

Index Event Action

Allows writing the result of a query execution to an index. The name of the element in the array of active actions is index_events.

Name	Syntax	Description
index_name	<string>	Index where the search results are written.
update_doc	<bool>	Update the document with each query execution instead of creating a new one.
is_once	<bool>	Run the active action for the entire query result or for each result separately.

Writing to a Database

Allows writing the results of a query execution to external databases. The name of the element in the array of active actions is jdbc_output.

Name	Syntax	Description
user_id	<string>	Database user ID (More details JDBC User).
connection_id	<string>	Connection ID (More details Connection).
table_name	<string>	Table name.

Job Action

Executes a job. The name of the element in the array of active actions is job.

Name	Syntax	Description
running_job_id	<string>	Job ID.

info

Creating a job that contains a Job Action activating the current job will not be performed.

Logging Events

Writes the results of a search query to the job_scheduler.log file of the Job Scheduler component. The name of the element in the array of active actions is log_event.

No additional fields are present.

Metric Action

Calculates metrics in PSM. The name of the element in the array of active actions is metric.

Name	Syntax	Description
metric_name	<string>	Metric name.
object	<string>	Object by which the split is performed.
is_once	<bool>	Run the active action for the entire query result or for each result separately.

MITRE ATT&CK Action

Allows tagging events as triggers of techniques and sub-techniques from the MITRE ATT&CK® database, followed by writing the events to an index. The name of the element in the array of active actions is mitre.

Name	Syntax	Description
name	<string>	Name of the active action.
rule	<string>	Rule.
layers	<array>	List of layers. Each layer is represented as a string.
techniqueId	<array>	List of technique IDs. Each technique is represented as a string.
severity	<string>	Severity.
custom_fields	<object>	Custom fields in key-value format.

MITRE ATT&CK RISK Action

Allows recording the risk score in a trigger. The name of the element in the array of active actions is risk.

Name	Syntax	Description
name	<string>	Name of the active task.
index_fields	<object>	Index fields.

Index Fields

Name	Syntax	Description
fidelity	<string>	Accuracy. Can take values high(1), medium(0.75), low(0.5).
score	<string>	Score.

Additionally, the user can create their own fields within Index Fields.

Scoring Action

Allows recording the risk score in a trigger. The name of the element in the array of active actions is scoring.

Name	Syntax	Description
type_id	<string>	ID of the type from the .sm_scoring_types index.
type_name	<string>	Scoring type name.
index_name	<string>	Name of the index where the result of the Scoring Action will be saved.
type_fields	<object>	Fields related to the selected type.
uba_fields	<object>	Fields related to UBA.
custom_fields	<object>	Custom fields in key-value format.
local_params	<object>	Local parameters in key-value format.
score	<int>	Score.

UBA Fields

Name	Syntax	Description
object	<string>	UBA object.
type	<string>	ID of the UBA object type from the .sm_uba_types_configs index.
validity_period	<string>	Lifespan. For example, 5h.

Script Action

Allows running an existing script on the server. The name of the element in the array of active actions is script.

Name	Syntax	Description
context	<string>	Utility that executes the script and the absolute path to the script file.

info

Example context:

/app/opensearch/utils/python/bin/python3 /app/opensearch/utils/scripts/example.py

Webhook

Allows making HTTP requests to a remote server. The name of the element in the array of active actions is webhook.

Name	Syntax	Description
host	<string>	Recipient host.
port	<int>	Recipient port.
scheme	<string>	Transfer protocol. Can be http, https.
request_action	<string>	HTTP method. Accepts values POST, GET, PUT, and DELETE.
request	<string>	Path.
body_type	<string>	Body type. Can take values none, custom, result.
custom_body	<string>	Custom body. Sent if body_type = custom.
user	<string>	Username. Required for authorization.
password_id	<string>	Key in keystore with the prefix jobscheduler.webhook.password., which stores the password for Basic Auth.
headers	<object>	HTTP headers. Key - header name, value - header value.
params	<object>	Query parameters. Key - parameter name, value - header value.
trust_store_password	<string>	Key in keystore with the prefix jobscheduler.truststore.password., which stores the password required to retrieve certificate information from the file.
trust_store_path	<string>	Path to the .jks file that stores certificate information.
trust_store_verifier	<string>	Verification of the hostname in the URL matching the server name during SSL connection establishment.
trust_self_signed_strategy	<bool>	Trust for self-signed certificates.
trust_store_protocol	<string>	Connection protocol. For example, SSL or TLS.

warning

Currently, trust_store_verifier only accepts one value: default_hostname_verifier. If trust_store_verifier is not specified, the verification will not be performed.