Sentinel provides a list of pre-configured Actions that should be useful in most standard situations. You can use the default Actions and reconfigure them as necessary, or you can add new Actions.
NOTE: Only users in the administrator role can configure and manage Actions.
An Action can be executed on its own, or it can make use of an Integrator instance configured from an Integrator plug-in. Integrators provide the ability to connect to an external system, such as an LDAP, SMTP, or SOAP server, to execute an action.
The general process for using an Action to perform remediation is shown in the following figure:
Figure 17-1 Actions Workflow
1. Determine the type of Action plug-in best suited to the action you want to perform.
2. Configure that Action plug-in with the parameter settings appropriate for your environment.
   For more information, see Adding an Action.
3. If the Action requires an Integrator, configure the appropriate Integrator.
   To determine the Integrators an Action requires, see the documentation that is available with the Action on the Sentinel Plug-ins Web site. Alternatively, you can view a specific Action's documentation by clicking the Help button while configuring that Action in the Action Manager.
   For information on configuring the Integrator, see Managing Integrators.
4. Execute actions manually, or associate actions with rules so that the action fires automatically when the rule fires:
   - For information on executing an action in an Incident, see Executing Incident Actions in the Sentinel User Guide.
   - For information on executing an action on events that meet the event routing rule criteria, see Creating an Event Routing Rule.
   - For information on executing actions on events in Search results, see Assigning Actions to Events in the Sentinel User Guide.
   - For information on associating an action with a Correlation rule, see Associating Actions to a Rule in the Sentinel User Guide.