Correlation Action Types

The Correlation Action Manager allows you to configure the following types of actions:

Each action type has a set of configurable parameters.

One or more of these action types can be associated with a correlation rule when the correlation rule is deployed. If none of these action types are selected, a correlated event is created by default. When a default correlation event is triggered, it will have the following values:

Field Name      Default Values
-----------     ---------------
Severity        4
Event Name      CorrelatedEvent
Message         <empty>
Resource        Correlation
SubResource     <Rule Name>

Configure Correlated Event


Instead of using the default values for a correlated event, an action may be created to populate the following fields in the correlated event:


Add to Dynamic List


This action type can be used to add a constant value or the value of an event attribute (such as Destination IP or Source User Name) to an existing Dynamic List. Any value that is repeated across multiple events is added to the dynamic list only once. The various parameters available are:

If there are entries for both Element Values and Attribute Names, both are added to the Dynamic List when the rule fires. If the Element Value is filled in and the Element Type is Transient, the timestamp for the element in the Dynamic List is updated each time the rule fires.

Remove from Dynamic List


This action type can be used to remove a constant value or the value of an event attribute (such as Destination IP or Source User Name) from an existing Dynamic List. The various parameters available are:

Execute a Command


This action type can be used to execute a command when a correlated event triggers. You can set the following parameters:

NOTE: For actions that execute a command or run a script, the command or script must reside in the $ESEC_HOME/config/exec (UNIX) or %ESEC_HOME%\config\exec (Windows) folder on the Correlation Engine. Symbolic links on UNIX are not supported.

NOTE: References to event attributes must use the values in the metatag column, enclosed in % symbols. For example, Source IP must be written as %sip%. For more information on Meta-tags, see Meta-tags.

Command actions can be created to perform a non-interactive action, such as modifying a firewall policy, entering a record in a database, or deactivating a user account. For an action that generates output, such as a command to run a vulnerability scan, the command should refer to a script that runs the command and then writes the output to a file.
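The following wrapper script is an added example and is not part of the Sentinel documentation or product. It shows the pattern the paragraph above recommends: an Execute a Command action refers to a script in $ESEC_HOME/config/exec, passes an event attribute as an argument (for example %sip%), and the script runs the real command and writes its output to a file. Because the argument arrives straight from event data, the script validates it as an IPv4 address before using it; the output path OUT_FILE and the placeholder "would-handle" result are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Sentinel's own code). Intended to live in
# $ESEC_HOME/config/exec and be referenced by an Execute a Command
# action whose argument is the Source IP metatag, %sip%.

# Assumed output location; the real deployment would choose its own path.
OUT_FILE="${OUT_FILE:-/tmp/correlation_action.log}"

# Return 0 only if the argument is a well-formed dotted-quad IPv4 address.
# Event attributes are untrusted input, so reject anything else before it
# reaches a command line.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Current time in UTC, used to stamp every record written to OUT_FILE.
stamp() {
    date -u +%Y-%m-%dT%H:%M:%SZ
}

# Handle one correlated event for the given source IP: validate it, run
# the (placeholder) non-interactive action, and append the outcome to
# OUT_FILE. Prints the result; returns 1 when the attribute is rejected.
handle_source_ip() {
    ip=$1
    if ! is_ipv4 "$ip"; then
        printf '%s REJECTED invalid sip=%s\n' "$(stamp)" "$ip" >> "$OUT_FILE"
        return 1
    fi
    # Placeholder for the real command (a firewall or scanner CLI would go
    # here); the value is quoted so it reaches that command as one argument.
    result="would-handle $ip"
    printf '%s OK sip=%s result=%s\n' "$(stamp)" "$ip" "$result" >> "$OUT_FILE"
    printf '%s\n' "$result"
}

# Entry point when the Correlation Engine invokes the script with %sip%.
if [ -n "${1-}" ]; then
    handle_source_ip "$1"
fi
```

Usage: create an Execute a Command action whose command is the script name and whose argument is %sip%; each firing appends one OK or REJECTED line to OUT_FILE, so the log doubles as an audit trail of what the action did and which attribute values it refused.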

Create Incident


This action type creates an incident whenever a correlated event fires. You can also initiate an iTRAC workflow process for remediating that incident. For more information about the values of the following parameters, see the "Incidents Tab" section.

WARNING:

Do not enable the Create Incident action until the correlation rule has been tuned. If the rule fires frequently, the system may create more incidents or initiate more iTRAC workflow processes than desired.

Execute a Script


This action type can be used to execute a JavaScript file when a correlated event triggers. Use this interface to specify the name and location of the JavaScript file you want to execute.

The Value for the Script Name should be a relative path to the location of the JavaScript file. At run time the script is loaded from the path you have specified and the file is executed. If you do not specify a path, the system searches for the script in the default directory $ESEC_HOME/config/exec (UNIX) or %ESEC_HOME%\config\exec (Windows).

To configure an Action:

  1. Click Correlation on the Menu Bar and select Correlation Action Manager. Alternatively, click the Correlation Action Manager button on the Tool Bar.

  2. Click Add. The Configure Action window displays. Enter an Action Name in the Action Name field.

  3. Select Execute Script from the Action dropdown list.

  4. Enter the name of the script file in the Value field.

  5. Click Save.