Actions perform a task in Sentinel, either manually or automatically. An action plug-in framework was introduced in Sentinel 6.1. This framework consolidates the several different ways of executing actions that existed in Sentinel 6.0. The same Action framework is now used to execute actions in all of the following contexts:
When a deployed correlation rule fires (automatic)
When a user chooses the action from within an incident
When a user chooses a right-click menu option that uses an action in an Active View or other event table
The plug-in framework has several advantages over the method for using JavaScript actions in previous versions of Sentinel:
There is no need to place the JavaScript file in a particular directory. The plug-in is placed in a central repository.
There is no need to manually distribute the file to multiple machines in a distributed environment. The plug-ins are downloaded as needed.
Importing the updated plug-in from one Sentinel Control Center machine is sufficient to update the plug-in everywhere it is used.
One or more configured action instances can be created from an action plug-in by using different parameters.
An action can be executed on its own, or it can make use of an Integrator instance, configured from an Integrator plug-in. Integrators provide the ability to connect to an external system, such as an LDAP, SMTP, or SOAP server, to execute an action.