Rule Actions Reference
The following table lists the rule actions that are available when you right-click a trigger on a rule's Actions tab and select Add.
Note: Trend actions for active lists are similar to the Add to Active List rule action described here. Unlike rules, however, Add to Active List is the only action available for trends, and its settings are less fine-grained than for rules. For example, thresholds, number of events, time units, and so on do not apply to trend actions. See Trend Actions (Add to Active List) for related information.
Action | Expanded Menu Option | Description |
---|---|---|
 | | Fill in a data field value for correlation events generated by the rule using one of these methods: If the correlation event already has a value for the selected data field, that value is overridden by this rule action. Notes: |
Send Notification | | Send e-mail or cell phone messages to the ESM users in the notification group when the rule triggers. Specify a notification group in the Destination Group drop-down menu, then enter the notification text in the Message box. |
Execute Command | | Execute a command when the rule triggers. Select an operating system platform from the drop-down menu. |
 | | Execute a SmartConnector command applicable to the device reporting the events. Select the SmartConnector that will execute the command. After you select a connector, the command field is populated with the commands available for that connector. Only certain SmartConnectors can process commands beyond the basic set that all SmartConnectors support (start, stop, pause, continue, and terminate). This is similar to Sending Control Commands to SmartConnectors. |
Export to External System | | Send the rule and the triggering events to an external system that is integrated with ArcSight. The export file, in XML format, is stored in the ArcSight Manager's |
Case | | When the rule is triggered, the correlation event is added to the case. Tip: A suggested approach to creating and updating cases based on triggered rules is to: |
Active List | Add to Active List | Add the associated events to an existing active list that you select. |
 | Remove from Active List | Remove the associated events from an existing active list that you select. |
 | | Notes: |
Session List | Add to Session List | Add the associated events to an existing session list that you select. |
 | Terminate Session List | Caution: If your session list has a field of type Date, and that field is mapped to |
 | | Notes: |
Asset | Add Asset Category To Asset | Add the asset category to the associated asset. This supports automated discovery and categorization of assets (web servers, mail servers, firewalls, and so forth) based on the type of events each asset sends. Rules can be constructed to listen for certain types of events and then categorize the associated asset appropriately. You can also set up a condition under which the asset category is removed from the asset, described next. |
 | Remove Asset Category From Asset | Remove the asset category from the associated asset. This supports automated categorization (or de-categorization) of assets, together with the rule action that adds an asset category (described previously) to the asset. |
Note: Duplicate rule actions after a crash recovery:
When you stop ESM, it takes a checkpoint of the rules engine so that it knows which actions have been performed and where it stopped. If ESM crashes in a way that prevents it from taking a checkpoint (during a power failure, for example), it returns to the last checkpoint when it restarts and replays events from there. Any actions that ran between that checkpoint and the crash are therefore repeated. Repeated actions that generate audit events generate duplicate audit events.
Investigate repeated actions that are not idempotent, because the replay re-applies their side effects: if an action adds an item to an active list, that item's counter is incremented again; if the action runs a command, the command runs again; if it sends a notification, the recipients are notified again; and so on.