Actions are used to perform a task in Sentinel, either manually or automatically. An action plug-in framework was introduced in Sentinel™ 6.1. This framework consolidates the several different ways of executing actions that existed in Sentinel 6.0. The same Action framework is now used to execute actions in all of the following contexts:
When a deployed correlation rule fires (automatic)
When a user chooses the action from within an incident
When a user chooses a right-click menu option that uses an action in an Active View™ or other event table
The plug-in framework has several advantages over the method for using JavaScript actions in previous versions of Sentinel:
There is no need to place the JavaScript file in a particular directory. The plug-in is placed in a central repository.
There is no need to manually distribute the file to multiple machines in a distributed environment. The plug-ins are downloaded as needed.
Importing the updated plug-in from one Sentinel Control Center machine is sufficient to update the plug-in everywhere it is used.
One or more configured action instances can be created from an action plug-in by using different parameters.
An action can be executed on its own, or it can make use of an Integrator instance, configured from an Integrator plug-in. Integrators provide the ability to connect to an external system, such as an LDAP, SMTP, or SOAP server, to execute an action.