Actions are used to perform a task in Sentinel, either manually or automatically. An Action plugin framework was introduced in Sentinel 6.1. This framework consolidates the several disparate ways in which actions were executed in Sentinel 6.0. The same Action framework is now used to execute actions in all of the following contexts:
When a deployed correlation rule fires (automatic)
When a user chooses the Action from within an Incident
When a user chooses a right-click menu option that uses an Action in an Active View or other event table (manual)
The plugin framework has several advantages over the method for using JavaScript actions in previous versions of Sentinel. Using the plugin framework:
There is no need to place the JavaScript file in a particular directory. The plugin is placed in a central repository.
There is no need to manually distribute the file to multiple machines in a distributed environment. The plugins are downloaded as needed.
Importing the updated plugin from one Sentinel Control Center machine is sufficient to update the plugin everywhere it is used.
One or more configured Action instances can be created from an Action plugin using different parameters.
An Action can be executed on its own, or it can make use of an Integrator instance, configured from an Integrator plugin. Integrators provide the ability to connect to an external system, such as an LDAP, SMTP, or SOAP server, to execute an action.