An Action is a configured instance of an Action plug-in.There can be one or more instances of an Action plug-in with different parameters or settings. A few Actions are available by default. You can also add additional actions as required.
Launch the Sentinel Control Center.
Launch the Action Manager:
If the Configuration menu is not enabled, click the Configuration tab, then click the Configuration menu > Action Manager or click the .icon in the toolbar.
If the Configuration menu is enabled, click the Configuration menu > Action Manager or click the .icon in the toolbar.
Click .
To create an Action, select an existing Action plug-in from the available action types in the Action drop-down. Alternatively, you can import another plug-in by clicking the Add Action Plug-in button.
The parameters for the selected plug-in are displayed. For Actions provided by Sentinel, more information about configuration and the available parameters are available in the help file for the Action.
(Conditional) If the selected Action plug-in requires an Integrator, the Add Integrator button is displayed to allow you to add the Integrator for this action. Click Add Integrator and select the appropriate Integrator for the action.
Specify the attribute values for the type of action selected.
You can reference an event field value by specifying the event field name enclosed in % or $ appropriately. For example, in the Send Email action, if you want to reference the TenantName event field from the correlated event in the subject attribute, you can specify the parameter as %TenantName%. If you want to reference an event field value from the last event that triggered the correlated event, you can specify the parameter as $TenantName$.
Similarly, you can reference the correlation rule metadata by specifying the parameters %RuleName%, %RuleDescription%, %RuleId%, or %RuleLg% in actions or in custom correlation events.
Click Save.
Execute actions manually or associate actions to Correlation rules for the action to fire automatically when the rule fires:
For information on executing an action in an Incident, see Executing Incident Actions
in the Sentinel User Guide.
For information on executing an action on events that meet the event routing rule criteria, see Creating an Event Routing Rule.
For information on associating an action to a Correlation rule, see Associating Actions to a Rule
in the Sentinel User Guide.
Each individual Action plug-in defines where it can be used and what data it requires as input. Every Action plug-in has certain performance characteristics relating to how quickly it can execute, reset, and be ready for the next event. When an Action instance is created, it inherits the characteristics of the selected Action plug-in. For better performance, not all Actions are available for all the different Action modes in Sentinel. For example, Actions based on the Send E-mail Action plug-in do not appear in Event Routing rules because you might not want to receive messages with a large event stream every time the rule fires.
For information on where an Action plug-in can be used, refer to the Action Modes section in the specific Action plug-in document.
You can debug the Action files from the Sentinel Control Center by using the Action debugging option. The debugger is a local debugger that executes scripts on which the Sentinel Control Center is running. The debugger instantiates a debug session from the Sentinel server machine.
Only actions that are executed in an Incident can be debugged. Therefore, a prerequisite to debug an action is to execute that action in an Incident. For more information, see Executing Incident Actions
in the Sentinel User Guide.
The Action debugger has the following controls:
Table 17-1 Debugger Controls
Action |
Description |
---|---|
Run |
Runs the script until the next breakpoint is encountered. |
Step In |
Steps into a function, one line at a time. |
Pause |
Pauses the running script. |
Stop |
Stops the script. |
Step Over |
Steps over a function to the next line in the script. |
Step Out |
Steps out of the function to the next line in the script. |
To debug an action:
Execute an action in an Incident.
For more information, see Executing Incident Actions
in the Sentinel User Guide.
In the Sentinel Control Center toolbar, click the Action Debugging icon.
Click to start the debugging process. The debugger panel displays the source code and positions the cursor on the first line of the script.
You can debug the script as many times as needed. To debug the script by using a different incident, close the Debug JavaScript Correlation Action window and repeat the debugging process.