Rule Actions Reference

The following table contains rule actions that are available if you right-click a trigger on a rule’s Actions tab and select Add.

Note: Trend actions for active lists are similar to the add to active list rule action described here. Unlike rules, however, add to active list is the only action available for trends, and the settings are not as fine-grained as for rules. For example, thresholds, number of events, time units, and so on do not apply to trend actions. See Trend Actions (Add to Active List) for related information.

Rule Actions (table columns: Action, Expanded Menu Option, Description)

Set Event Field


Fill in a data field value for correlation events generated by the rule using one of these methods:

  • Select from the drop-down list of compatible data fields for the value to place in the event field. This works for all field types.

  • Use an expression in the format @<eventfieldname> to set a string type field such as Device Custom String1 with the value of a unique aggregation field. For example, if you are doing unique aggregation on source address, your value for Device Custom String 1 = @sourceAddress. Setting event field values from unique aggregation fields is only supported on these rule triggers: on first threshold, on every threshold, on subsequent threshold, on time unit, and on time window expiration.

    See procedures in Setting or Changing Rule Thresholds for a description of unique aggregation fields.

If the correlation event already has a value for the selected data field, that value is overridden with this rule action.

Notes:

  • Set Event Field is the only available action for pre-persistence rules. If a pre-persistence rule calls the Set Event Field action, the modification is done to the incoming base event which has not yet persisted, instead of on the rule’s correlation event.
  • When you edit this rule action and select new fields, these fields are added to the existing list of fields. If you want to replace the existing fields with your new fields, click the Override Fields checkbox and save the rule.
  • This rule action takes precedence when you are setting an event's Stage attribute. If you want to override this specific behavior, see Stage in Annotating an Event for the instructions to set the override property.

Send Notification


Send e-mail or cell phone messages to the ESM users in the notification group when rules are triggered. Specify a notification group in the Destination Group drop-down menu, then enter the notification text in the Message box.

  • Click Ack Required if you want to begin an escalation chain. In this case those notified must acknowledge that they received the notification.

  • If you do not select Ack Required, the message is for information purposes only and is displayed on the Notifications manager’s Informational tab.

  • For more information, see Managing Notifications.

Execute Command


Execute a command when the rule triggers. Select an operating system platform from the drop-down menu.

  • Enter the command string in the Command field.

  • Enter any required parameters in the Parameters field. Otherwise the command cannot execute without user intervention.

    Caution: If you use parameters of type Date/Time with the Execute Command action, you must enclose the variable name in double quotes (“ ”). For example, to use $endTime as a parameter to a command that is executed as a rule action, enter the parameter as “$endTime”.

  • Select the Action Type:

    Automatically run on manager: Execute the command at the ArcSight Manager without further intervention.

    Run on Manager with Console confirmation: Require an operator at a Console to approve the command before it executes.

    Run on connector(s): Send the command to the connectors that report the events.
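The Caution above says that Date/Time parameters must be quoted. The script below is an added example, not part of the ArcSight documentation and not the product's own code: it stands in for a command that the Execute Command action would launch on the Manager, and shows from the receiving side why the quoting matters and how such a command should validate what it is given. The timestamp format and the $END_TIME sample value are constructed for the demonstration (the real $endTime format depends on the Manager's date settings), and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the ArcSight documentation): a stand-in for a
# command launched by a rule's Execute Command action with a Date/Time
# parameter such as "$endTime". The timestamp layout below is constructed;
# the real value depends on the Manager's configured date format.

# Accept exactly one timestamp-shaped argument. Prints the accepted value
# and returns 0; returns 1 with a message on stderr otherwise. Checking "$#"
# catches a parameter that the shell split into several words because it
# was not quoted.
validate_end_time() {
    if [ "$#" -ne 1 ]; then
        echo "expected 1 argument, got $#: $*" >&2
        return 1
    fi
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]" "[0-9][0-9]:[0-9][0-9]:[0-9][0-9])
            printf '%s\n' "$1"
            return 0
            ;;
        *)
            echo "argument does not look like a timestamp: $1" >&2
            return 1
            ;;
    esac
}

# Constructed sample value standing in for $endTime.
END_TIME="2024-05-06 14:30:00"

# Unquoted: the shell splits the value at the space, so the command receives
# two arguments and rejects the call.
validate_end_time $END_TIME || echo "unquoted call rejected"

# Quoted: the value arrives as a single argument and passes validation.
validate_end_time "$END_TIME"
```

A command run from a rule action has no operator watching it, so rejecting a malformed or split parameter and logging the reason is preferable to silently acting on half a timestamp.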

Execute Connector Command


Execute a SmartConnector command applicable to the device reporting the events.

Select the SmartConnector to execute the command. After you select a connector, the command field is populated with the commands available for that connector. Only certain SmartConnectors can process commands beyond the basic set that all SmartConnectors support (start, stop, pause, continue, and terminate). This is similar to Sending Control Commands to SmartConnectors.

Export to External System


Send the rule and the triggering events to an external system that is integrated with ArcSight. The export file in XML format is stored in the ArcSight Manager's archive/exports directory.

Case

  • Create New Case

  • Add to Existing Case

  • Create Ticket in ServiceNow® ITSM


When the rule is triggered, the correlation event is added to the case.

Tip: A suggested approach to creating and updating cases based on triggered rules is to:

  1. Configure an action to create a case on first event or some other threshold, set the new case’s attributes, and then

  2. Add to that same case when subsequent events or thresholds are triggered for that same rule.

Active List

Add to Active List

Add the associated events to an existing active list that you select.

Remove from Active List

Remove the associated events from an existing active list that you select.

Notes:

  • Add To Active List and Remove From Active List either take no arguments (if acting on an event-bound active list) or a list of event fields (if not dealing with an event-bound active list). The values from the specified fields (those specified either by an event-bound active list or by the argument list) form an item that is added to, or removed from, the active list. Removing an item that is not present does not cause an exception. Adding an item that is already present simply increments that item's counter. You can see this counter in the Active Lists Editor. (See Active Lists and List Authoring for more information.)

  • When you are specifying fields to be added to or removed from the active list, you have the option to select local variables from the Fields tab or global variables from the Global Variables tab.

  • When you add a rule action to an active list, you can choose to disable audit events for the rule action.

    Select the Disable Audit Event check box if you want to disable audit events for the rule action. You may want to disable audit events for a rule action if you see many audit event errors for rules that cannot be removed from the active list because they have been evicted or have expired before they were removed.

    Note: If you disable audit events for a rule action, it will make troubleshooting active lists more difficult.
  • For lightweight rules, only the Active List and Session List actions are enabled.

  • See the Caution box in Specifying Rule Thresholds and Aggregation about aggregation settings combined with rule actions that add entries to multi-mapped active lists and overlapping session lists.

  • See also Use of velocity expressions in rule actions involving lists.

Session List

Add to Session List

Add the associated events to an existing session list that you select.

Terminate Session List

  • Add the events to the session list when a session terminates.

  • Terminate the oldest session. If checked, the oldest session is added to the “terminate” session list. Oldest time is based on the session's Start Time.

Caution: If your session list has a field of type Date, and that field is mapped to Manager receipt time or End time, do not use this rule action to terminate a session list entry. Instead, use either the Entry Expiration Time or TTL Days attribute for your list. See Creating or Editing a Session List for complete details about session list attributes. You can also right-click the entry on a session list viewer and select Terminate Session Entry.

Notes:

  • When you are specifying fields to be added to the session list, you have the option to select local variables from the Fields tab or global variables from the Global Variables tab.

  • For lightweight rules, only the Active List and Session List actions are enabled. However, lightweight rules cannot remove entries from session lists.

  • See the Caution box in Specifying Rule Thresholds and Aggregation about aggregation settings combined with rule actions that add entries to multi-mapped active lists and overlapping session lists.

  • See also Use of velocity expressions in rule actions involving lists.

Asset

Add Asset Category To Asset

Add the asset category to the associated asset.

This supports the automated discovery and categorization of assets (web servers, mail servers, firewalls, and so forth) based on the type of events each asset is sending. Rules can be constructed to listen for certain types of events, and then categorize the associated asset appropriately.

You can also set up a condition on which to remove the asset category from the asset, described next.

Remove Asset Category From Asset

Remove the asset category from the associated asset.

This supports automated categorization (or de-categorization) of assets along with the rule action to add an asset category (described previously) to this asset.


Note: Duplicate rule actions after a crash recovery:

If you stop ESM, it takes a checkpoint of the rules engine so that it knows what actions have been performed and where it stopped. If ESM crashes in such a way that it cannot take a checkpoint (during a power failure, for example), it returns to the last checkpoint when ESM restarts, and replays events from there. Any actions that occurred between that checkpoint and the ESM crash are therefore repeated. Repeated actions that generate audit events generate duplicate audit events.

You should investigate repeated actions that do not duplicate well. For example, if an action adds an item to an Active List, that item’s counter will be incremented. If the action runs a command, it will run the command again, and so on.
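The note above explains that actions fired between the last checkpoint and a crash are replayed, so a command launched by a rule action can run twice. The script below is an added example, not part of the ArcSight documentation and not the product's own code: it is an idempotent wrapper that records the triggering event's identifier before doing the real work, so that a replayed invocation for the same event becomes a no-op. It assumes the rule action passes the correlation event's identifier as the first parameter; the marker directory, the placeholder "work" (appending to a log), and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the ArcSight documentation): an idempotent wrapper
# for a command launched by a rule action. Assumes the event identifier is
# passed as the first parameter; the marker directory and the placeholder
# work below are constructed for the demonstration.

MARKER_DIR="${MARKER_DIR:-$(mktemp -d)}"

# The action's real work. Here it only appends a line so the effect of
# each execution is visible and countable.
do_action() {
    printf 'action executed for event %s\n' "$1" >> "$MARKER_DIR/actions.log"
}

# Run the action at most once per event id. mkdir is atomic, so two
# invocations for the same id cannot both create the marker; the loser is
# treated as the duplicate. Returns 0 when the action ran, 2 when it was
# skipped as a duplicate, 1 on a missing or unsafe argument.
run_once() {
    [ -n "$1" ] || { echo "usage: run_once <event-id>" >&2; return 1; }
    # Only allow characters that are safe as a single path component.
    case "$1" in
        *[!A-Za-z0-9._-]*) echo "unsafe event id: $1" >&2; return 1 ;;
    esac
    if mkdir "$MARKER_DIR/$1" 2>/dev/null; then
        do_action "$1"
        return 0
    fi
    echo "event $1 already processed, skipping" >&2
    return 2
}

# How many times the action has actually executed so far.
action_count() {
    if [ -f "$MARKER_DIR/actions.log" ]; then
        wc -l < "$MARKER_DIR/actions.log" | tr -d ' '
    else
        echo 0
    fi
}

# Constructed sample: the same event id delivered twice, as happens when
# ESM replays events from its last checkpoint after a crash.
run_once "evt-0001"
run_once "evt-0001" || echo "replayed delivery skipped (status $?)"
run_once "evt-0002"
```

The marker directory must survive restarts (a fixed path rather than mktemp in production) for the check to protect against a checkpoint replay, and the skipped-duplicate message gives you a record to compare against the duplicate audit events the note describes.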