Trend actions give you the option to send specified columns (fields) in trend results to Active Lists (see List Authoring). You do this by defining an Add to Active List trend action. On the Actions tab for a trend, you can select to send data from one or more columns in the trend results to a specified active list.
Tip: Trend actions for active lists are similar to the add to active list rule action described in Rule Actions Reference. Unlike rules, however, add to active list is the only action available for trends, and the settings are not as fine-grained as for rules; for example, thresholds, number of events, time units, and so on do not apply to trend actions.
The Add to Active List trend action provides a mechanism to get information from trends outside of, and in addition to, reports. Active lists updated by trends support summary views of information from multiple trends.
You can build a single active list that gets updates from multiple trends (each trend updating different columns in the active list). Also, a single active list can receive updates and show information from trends as well as from other sources (for example, rules). Alternatively, you can build multiple active lists that get updates from a single trend.
Perhaps most importantly, the ability to populate active lists with trend data makes trend results readily available for use in rules, filters, active channels, and so forth.
Example Use Cases
The following example use cases show how to leverage trend results in active lists:
Taking Action on Event-Based Trends. An analyst wants to monitor the logins per hour by users based on their typical hourly login patterns. Flag anything that is above a threshold or more than n times a user’s previous average.
The analyst sets up a trend to update the information in a trend table based on aggregation of per-user login events. The trend would have an action that updates an active list with the most recent results. Then, the analyst configures a rule to update another active list when a user logs on and another rule to compare the current login count against what is normal for that user. Any gross discrepancy can be used to trigger an alarm about a possible threat.
Taking Action on Asset-Based Trends. An analyst wants to monitor assets by how vulnerable they are, and watch for “unusual activity” on especially vulnerable assets.
The analyst sets up a trend to check vulnerability counts on assets and log the top n most vulnerable assets on a daily basis. The trend would have an action to update an active list. Incoming events on assets would trigger rules that check this active list for the particular device and, if it is present, trigger extra processing.
As a first step in setting up trend actions, determine which active lists the trend should populate and with what data. You might have existing active lists to add trend data to, or you could create new lists specifically for some trend results. (See Example: Populating Active Lists with Trend Results for an example of designing an active list based on the trend fields you want to monitor.)
Use the trend Actions tab to configure actions on a new or existing trend.
Requirement: A fields-based active list to which the trend adds entries
Where: Navigator > Resources > Reports > Trends tab
To define a trend action:
Right-click a trend and select Edit Trend.
In the Trend Editor, click the Actions tab.
Select the action On Trend Run, right-click, and select Add to Active List.
Note: You can only use a fields-based active list in a trend action (not event-based lists). For more information on types of active lists, see Creating or Editing an Active List, especially the attribute Data: Event-based, Fields-based.
Select the active list to be updated by the trend:
On the Add to Active List dialog, select fields from the trend on the right side to map to active list fields on the left.
What you are doing in this step is mapping trend column names to active list column names. All the “key” columns required by the active list must have trend columns mapped to them so that the active list entry (row) is correctly updated by the trend. However, not all of the active list value columns need to have trend columns mapped. Not specifying all the key columns is an error.
Click OK to add the action.
The action appears on the Actions tab.
Note that you can add more actions here (by selecting On Trend Run and clicking Add), edit this action, or remove it.
You can add multiple actions to a single trend (that is, configure a single trend to update particular columns in multiple active lists with trend results).
Click OK.
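The following is an added illustration, not ArcSight code: it models the field mapping performed in the Add to Active List dialog (every key column must be mapped, value columns may be left unmapped, and a row is updated in place when its key already exists) and then the login-count comparison from the first use case above. All column names, trend rows and thresholds are constructed.

```python
# Added illustration (not ArcSight code): models an Add to Active List trend
# action writing into a fields-based active list, then a rule-style check that
# compares live login counts against the baseline the trend populated.
# Column names, the sample trend rows and the thresholds are all constructed.

def apply_trend_action(active_list, trend_rows, mapping, key_columns):
    """Upsert trend results into active_list (a dict keyed by the key-column tuple).

    mapping: {active_list_column: trend_column}. Every key column must be
    mapped (the editor rejects the action otherwise); value columns may be
    left unmapped, in which case an existing entry keeps its old value.
    """
    missing = [k for k in key_columns if k not in mapping]
    if missing:
        raise ValueError(f"key columns not mapped: {missing}")
    for row in trend_rows:
        key = tuple(row[mapping[k]] for k in key_columns)
        entry = active_list.setdefault(key, {})   # same key -> same row is updated
        for al_col, trend_col in mapping.items():
            entry[al_col] = row[trend_col]
    return active_list

def flag_logins(active_list, current_counts, threshold, factor):
    """Return users whose current hourly login count is above `threshold`
    or more than `factor` times their baseline average from the active list."""
    flagged = []
    for user, count in current_counts.items():
        baseline = active_list.get((user,), {}).get("avg_logins_per_hour")
        if count > threshold or (baseline is not None and count > factor * baseline):
            flagged.append(user)
    return sorted(flagged)

# Constructed trend results: per-user aggregate of login events.
TREND_ROWS = [
    {"user_name": "alice", "avg_count": 4.0, "run_time": "2024-01-01T08:00"},
    {"user_name": "bob",   "avg_count": 1.5, "run_time": "2024-01-01T08:00"},
]
# "user" is the active list key column; run_time is deliberately left unmapped.
MAPPING = {"user": "user_name", "avg_logins_per_hour": "avg_count"}

def demo():
    baseline_list = apply_trend_action({}, TREND_ROWS, MAPPING, key_columns=["user"])
    current = {"alice": 6, "bob": 7, "carol": 2}   # constructed live counts
    return flag_logins(baseline_list, current, threshold=20, factor=3)

if __name__ == "__main__":
    print(demo())  # ['bob']
```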
To edit a trend action:
Double-click the trend you want to edit.
Click the trend Actions tab.
Select the action you want to edit and click Edit.
On the Add to Active List dialog, make changes to the field mappings as needed and click OK.
Click OK.
To remove a trend action:
Double-click the trend you want to edit.
Click the trend Actions tab.
Select the action you want to remove and click Remove.
Click OK.