An Action is a configured instance of an Action plug-in. There can be one or more instances of an Action plug-in with different parameters or settings. A few Actions are available by default. You can also add additional actions as required.
Launch the Sentinel Control Center.
For more information, see Section 1.2.1, Accessing the Sentinel Control Center.
Launch the Action Manager:
If the menu is not enabled, click the tab, then click the menu > or click the icon in the toolbar.
If the menu is enabled, click the menu > or click the icon in the toolbar.
Click .
To create an Action, select an existing Action plug-in from the available action types in the drop-down. Alternatively, you can import another plug-in by clicking the button.
The parameters for the selected plug-in are displayed. For Actions provided by NetIQ, more information about configuration and the available parameters is available in the help file for the Action.
(Conditional) If the selected Action plug-in requires an Integrator, the button is displayed to allow you to add the Integrator for this action. Click and select the appropriate Integrator for the action.
Specify the attribute values for the type of action selected.
Click .
Execute actions manually or associate actions to Correlation rules for the action to fire automatically when the rule fires:
For information on executing an action in an Incident, see Executing Incident Actions in the NetIQ Sentinel 7.0.1 User Guide.
For information on executing an action on events that meet the event routing rule criteria, see Section 8.1, Creating an Event Routing Rule.
For information on associating an action to a Correlation rule, see Associating Actions to a Rule in the NetIQ Sentinel 7.0.1 User Guide.
To execute actions on events in Active Views or Search results, you must first add the action in the Event Actions Configuration. For more information, see Assigning Actions to Events in the NetIQ Sentinel 7.0.1 User Guide.
For information on executing an action on events in Active Views, see Executing Actions on Events in the NetIQ Sentinel 7.0.1 User Guide.
For information on executing actions on events in search results, see Executing Actions in the NetIQ Sentinel 7.0.1 User Guide.
Each individual Action plug-in defines where it can be used and what data it requires as input. Every Action plug-in has certain performance characteristics relating to how quickly it can execute, reset, and be ready for the next event. When an Action instance is created, it inherits the characteristics of the selected Action plug-in. For better performance, not all Actions are available for all the different Action modes in Sentinel. For example, Actions based on the Send E-mail Action plug-in do not appear in Event Routing rules because you might not want to receive messages with a large event stream every time the rule fires.
For information on where an Action plug-in can be used, refer to the Action Modes section in the specific Action plug-in document.
You can debug the Action files from the Sentinel Control Center by using the Action debugging option. The debugger is a local debugger that executes scripts on the machine on which the Sentinel Control Center is running. The debugger instantiates a debug session from the Sentinel server machine.
Only actions that are executed in an Incident can be debugged. Therefore, a prerequisite to debug an action is to execute that action in an Incident. For more information, see Executing Incident Actions in the NetIQ Sentinel 7.0.1 User Guide.
The Action debugger has the following controls:
Table 9-1 Debugger Controls
Action | Description |
---|---|
Run | Runs the script until the next breakpoint is encountered. |
Step In | Steps into a function, one line at a time. |
Pause | Pauses the running script. |
Stop | Stops the script. |
Step Over | Steps over a function to the next line in the script. |
Step Out | Steps out of the function to the next line in the script. |
To debug an action:
Execute an action in an Incident.
For more information, see Executing Incident Actions in the NetIQ Sentinel 7.0.1 User Guide.
In the Sentinel Control Center toolbar, click the icon.
Click to start the debugging process. The debugger panel displays the source code and positions the cursor on the first line of the script.
You can debug the script as many times as needed. To debug the script by using a different incident, close the Debug JavaScript Correlation Action window and repeat the debugging process.
If you edit an action that is associated with a deployed correlation rule, the changes take effect the next time the correlation rule fires.
Launch the Sentinel Control Center.
For more information, see Section 1.2.1, Accessing the Sentinel Control Center.
Launch the Action Manager:
If the menu is not enabled, click the tab, then click the menu > or click the icon in the toolbar.
If the menu is enabled, click the menu > or click the icon in the toolbar.
Select the action you want to edit, then click /Edit.
Make the necessary changes, then click .
For information on the configuration settings, see the specific Action documentation by clicking the button.
You cannot delete an action if the action is associated to any of the following:
A deployed correlation rule
Event Actions configuration
Event routing rules
Launch the Sentinel Control Center.
For more information, see Section 1.2.1, Accessing the Sentinel Control Center.
Launch the Action Manager:
If the menu is not enabled, click the tab, then click the menu > or click the icon in the toolbar.
If the menu is enabled, click the menu > or click the icon in the toolbar.
Select the action instance you want to delete, then click .
Click to confirm deletion.