Executing a Command

Figure 5 Executing a Command

NOTE: This type of action can only be used in Correlation deployments.

This action type can be used to execute a command when a correlated event triggers. You can set the following parameters:

Command:

Arguments: This can include constants or references to an event attribute in the last event, the one that caused the rule to fire.

References to event attributes must use the values in the meta tag column, enclosed in % or $ symbols. For example, %InitIP% represents the initiator IP address value from the Correlated event, except in the Configure Correlated Event action: because the Correlated event has not yet been created when that action executes, the InitIP value there comes from the trigger event. $InitIP$ always represents the value from the current event. %all% and $all$ are equivalent; they pass information (a limited set of attributes from both the trigger event and the Correlated event, along with some Correlation rule data) to a Correlation action. They are provided primarily for backward compatibility with existing Correlation actions and cannot be used in JavaScript actions or in the Configure Correlated Event action. For more information on meta tags, see Sentinel 6.1 Rapid Deployment Event Fields in the Sentinel 6.1 Rapid Deployment Reference Guide.

Command actions can be created to perform a non-interactive action, such as modifying a firewall policy, entering a record in a database, or deactivating a user account. For an action that generates output, such as a command to run a vulnerability scan, the command should refer to a script that runs the command and then writes the output to a file.

NOTE: By default, the action output is stored to the working directory, <install_directory>/data. The action output can be written to a different directory by specifying a different storage location for the output file in the script.
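The following POSIX shell script is an added, constructed example of the wrapper pattern described above; it is not part of the Sentinel documentation. It assumes the Command field points at this script and the Arguments field contains %InitIP%; the ACTION_OUT_DIR variable and the stand-in command inside run_action are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed example: wrapper script for an Execute Command action.
# Sentinel expands %InitIP% in the Arguments field before invoking it.
# Output goes to OUT_DIR instead of the default <install_directory>/data
# working directory (ACTION_OUT_DIR is a hypothetical override variable).
OUT_DIR="${ACTION_OUT_DIR:-/tmp/sentinel-action-output}"

# Accept only a dotted-quad IPv4 address. Values substituted from event
# attributes originate outside the script, so validate them before use.
validate_ipv4() {
  ip=$1
  # Reject anything other than digits and dots, and malformed dot placement.
  case $ip in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  # Split on dots: exactly four octets, each between 0 and 255.
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] 2>/dev/null || return 1
  done
  return 0
}

# Runs the non-interactive command and writes its output to a per-event
# file rather than stdout. Argument: <initiator IP from %InitIP%>.
# Prints the path of the output file on success.
run_action() {
  init_ip=$1
  validate_ipv4 "$init_ip" || {
    echo "rejected argument: $init_ip" >&2
    return 2
  }
  mkdir -p "$OUT_DIR"
  out_file="$OUT_DIR/$(date -u +%Y%m%dT%H%M%SZ)_${init_ip}.log"
  {
    echo "triggered: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "initiator: $init_ip"
    # Stand-in for the real command (firewall update, scan, DB insert).
    printf 'stand-in command executed for %s\n' "$init_ip"
  } > "$out_file" 2>&1
  echo "$out_file"
}

# Run only when invoked with arguments (by the Correlation action).
if [ "$#" -gt 0 ]; then
  run_action "$@"
fi
```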

For trademark and copyright information, see Legal Notices.