Specifying Actions
The Actions tab enables you to select a trigger, then specify the action to take when that trigger occurs.
To specify an action:
1. Open the profile in the profile editor (double-click the profile in the Navigator panel).
2. In the Inspect/Edit panel, click the Actions tab.
3. Before you add an action, specify when to take the action (the trigger). Select one of the following trigger options:

   | Trigger Option | Description |
   |---|---|
   | On Pattern Discovered | The action is taken the first time a new pattern appears. Choose this option for assigning new patterns to an analyst to investigate. |
   | On Pattern Re-discovered | The action is taken each time an already discovered pattern is repeated. Choose this option for ongoing operations. |
4. Click Add and select one of the following Threat Detector actions:

   Annotate Pattern
   In the dialog box, enter the following values and click OK:
   - Select a Stage from the drop-down menu.
   - Assign a user from the drop-down menu.

   Set Event Field
   In the dialog box, enter the following values and click OK:
   - Select a Field Set (or a domain field set you created) from the drop-down menu.
   - In the event fields grid, set values for the event fields you are interested in.

   Send Notification
   - Specify a notification group in the Notification Group drop-down menu.
   - Click Ack Required if those notified should acknowledge that they received the notification.
   - Write the message to send in the Message field.

   Execute Command
   In the dialog box, enter the following values and click OK:
   - Select an operating system platform from the drop-down menu.
   - Enter the command string. Use correct syntax; the system does not validate command strings.
   - Enter any required parameters. For example, the archive tool needs the manager name, administrator name, and password; specifying them lets the system execute the command without user intervention.
   - In the Action Type drop-down menu, select one of the following:
     - Automatically run on manager: Initiates the command with no user intervention.
     - Run on Manager with Console confirmation: Displays a confirmation dialog box in the ArcSight Console for the designated user before the command is initiated.
     - Run on connector(s): Sends the command to the connectors that report the events.

   Execute Connector Command
   Specify a command to be executed at the SmartConnector reporting the events, such as pausing or stopping/starting event flow. Enter the following values and click OK:
   - In the Connector drop-down menu, select the SmartConnector that will execute the command. When you select a connector, the Command field is populated with the commands available for that connector.
   - In the Command field, select the command for the connector to execute. The command may contain required parameters.

   Export to External System
   You can export the pattern to an external tracking system, if you have configured one to operate with ESM. Click OK.

   Active List
   You can add a pattern to (or remove it from) an active list, where its event details are available to other correlation tools for reference.
   - To add a pattern to an active list, select Add to Active List. In the dialog box, select an active list from the drop-down menu and click OK.
   - To remove a pattern from an active list, select Remove from Active List. In the dialog box, select an active list from the drop-down menu and click OK.
   - You cannot add fields to an Active List if they are not present in the Events section of the profile.
   - You cannot add any date/time-based fields to an Active List, since date/time fields cannot be included in the Events section of the profile.

   Session List
   You can add a pattern to a session list, or terminate a session list based on a pattern, where its event details are available to other correlation tools for reference.
   - To add a pattern to a session list, select Add to Session List. In the dialog box, select a session list from the drop-down menu and click OK.
   - To terminate a session list, select Terminate Session List. In the dialog box, select a session list from the drop-down menu and click OK.
   - You cannot add fields to a Session List if they are not present in the Events section of the profile.
   - You cannot add any date/time-based fields to a Session List (except EndTime), since date/time fields cannot be included in the Events section of the profile. The End Time displayed in the Add to Session List action is the time the entries are added to the session list.

5. The action summary is displayed in the Actions tab. To remove lines that are not used, click Hide Empty Triggers.