This section provides information about developing Sentinel Actions using the Plug-in SDK. Actions provide a convenient, extensible way to do event post-processing and analysis or perform some activity based on event data. They are commonly used to enhance downstream analytics, to forward event data to remote systems, to generate alerts, and to automatically block access or revert changes when invalid operations are detected. Note that Actions are available for the Sentinel SIEM platforms (Sentinel 6.x, 7.x, and 6.1 Rapid Deployment) but are not available for the Sentinel Log Manager line except in pre-configured form.
Within Sentinel, there are actually several interrelated components that can get a little confusing, so let's cover them here:
- Sentinel also has pre-defined "native" Actions that aren't modifiable (although they can be configured) that are used for things like manipulating internal Sentinel objects such as Dynamic Lists.
- Either type of Action can be used to construct an Action instance, which is a deployed, configured Action. The Action Manager is used to build Action instances from Action plug-ins or native Actions.
- Action instances can then be displayed for use in various parts of the user interface, but note that not all Actions can be used in all locations (see below). For example, a set of Action instances will show up in the list that can be attached to correlation rules. In some cases the set of Action instances that are available is automatically determined; in other cases some manual configuration is required.
- The set of Action instances that are displayed in the Event Actions accordion in the Sentinel web UI is manually configured via the Configuration > Event Action Configuration tool in the Sentinel Control Center. This tool allows for the definition of things like sub-menus within that dialog.
- Not all Action instances appear in all places since not all Actions work in all contexts — part of the metadata for any given Action plug-in is to define where it can be used within Sentinel. The possible locations where Action instances are displayed include (for Sentinel 7):
  - The set of Actions that can be attached to Event Routing rules.
  - The set of Actions listed in the Event Actions accordion.
  - The set of Actions that can be attached to a correlation rule.
  - The set of Actions that can be executed from an Incident.
  - The set of Actions that can be executed as part of a Workflow transition.
- Note that in addition to Actions, additional internal operations are also available for selected events via the Event Operations menu that appears at the top of the search results in the web UI. These are slightly different from Actions.
- Also note that within Sentinel Control Center Active Views and similar UIs, the right-click context menu combines the contents of both the Event Operations menu and the Event Actions accordion from the web UI.
- Action plug-ins can be hooked up to Integrators to perform external work; this is somewhat analogous to Collectors' use of Connectors, except that the data generally flows in the other direction. More on this later.
In general, this section will cover the development of Action plug-ins, and will not consider native Actions or the configuration and use of Action instances within the UI. More information about the native Actions, Action Manager, and other platform tools is available in the product documentation.
This SDK documentation is written in the form of an Action Development Guide which walks you through the process of creating and editing an Action plug-in. You can walk through the following topics in order, or jump to the topic that interests you.
Action Development Guide
- Getting Started
- Plug-in Contents
- Integrator Interaction
- Additional Information
If you have any questions about how to develop Actions or feedback about the SDK or this documentation, please post in the Forum.