Version: 4.0

Description of Active Actions in SM

As a result of executing a search query, active actions can be configured.

To view existing active actions in Smart Monitor, in the interface for creating and configuring a search job, select the Active Actions tab and click the Add button.

List of available Actions:

  • Email Action - Sends a message to the specified address. For more information, see here
  • Incident Action - Creates an incident in the Incident Manager module. For more information, see here
  • Index Events - Writes the result of a query to the index. For more information, see here
  • JDBC - Writes query results to an external database
  • Log Event - Writes the results of a search query to the job_scheduler.log file of the Job Scheduler component
  • MITRE ATT&CK® - Tags events as triggers of techniques and sub-techniques from the MITRE ATT&CK® database and writes the events to the index
  • MITRE ATT&CK® - Fixes the risk score in the trigger
  • Risk Score - Allows recording a risk score
  • Run Job Action - Runs a job from the Job Scheduler
  • Script - Runs an existing script on the server
  • Webhook - Sends an HTTP request to a remote server

The sections below describe each active action and its configurable settings.


Email Action


Description:

  • To - recipient's address
  • Subject - email subject
  • Sign - signature at the end of the email
  • Body - message to be sent; it is possible to switch to HTML markup
  • Trigger "Run Once" - runs the active action for all query results collectively; when this parameter is disabled, the active action will be applied to each individual query result
  • Enable time - adds the server time at the moment of sending
  • Enable table - adds a table with search results to the message body
  • Send file - a CSV file with the search query results will be attached to the email
  • Merge - merges the search query execution results into a single message

Incident Action


Description:

  • Incident title - a short title used to identify the incident in the general list
  • Severity - the importance level of the incident
  • Workflow - the associated workflow process
  • Description - a detailed explanation of the incident; the editor supports
  • Drilldown Type - the format of additional information:
  • Drilldown Text - search queries or URLs providing supplemental data. Allows time boundary configuration for search-type drill-downs; unspecified boundaries default to the time range of the incident's original search job
  • Trigger - configuration for when and how the active action is triggered
  • Additional Fields - key-value pairs extracted from the search job results
  • Inventory Linking - configuration for linking the incident to an Inventory object and selecting the relevant fields
  • Local parameters - key-value pairs of local and global tokens used for dynamic data substitution

Index Events


Description:

  • Index name - name of the index the results are written to
  • Update the document - if enabled, the existing document is updated every time the query runs; otherwise a new document is created
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result

JDBC


Description:

  • User ID - username used to connect to the database
  • Connection ID - database connection parameters
  • Table name - the database table into which the search query results are written
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result

Log Event

No customization options.


MITRE ATT&CK®

The result of the Action is written to the .smos_mitre-* index. The data in the index can be used to create incidents.


Description:

  • Name - action name
  • Rule - name of the correlation rule for which this Action is configured
  • Layer - select a previously created MITRE ATT&CK® layer
  • Technique - list of MITRE ATT&CK® techniques assigned to this incident
  • Severity - event severity (low, medium, high)
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result
  • Additional Fields - creates additional key-value fields in the incident card

Risk Scoring

The result of the Action is written to the .smos_risk-* index. It allows you to assign a risk score, for example to a category of users or hosts, for performing controlled actions. The data in the index can be used to create incidents.


Description:

  • Name - action name
  • Risk category - the entity the score is calculated for (system and/or user)
  • Risk score - number of risk points added per operation
  • Fidelity - weight of the risk score; accepts a value from 0 to 1
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result
  • Additional fields - creates additional key-value fields in the incident card
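An added example (not Smart Monitor's own code) of how records from the risk index can be rolled up per entity before deciding whether an incident is warranted. It assumes Fidelity weights the score multiplicatively, and the document field names and sample values are constructed for the example; the real index schema is not given on this page.

```python
from collections import defaultdict

# Constructed sample documents in the shape this example assumes for
# the .smos_risk-* index (field names are an assumption, not the product's).
SAMPLE_RISK_DOCS = [
    {"risk_category": "user", "entity": "alice", "risk_score": 30, "fidelity": 1.0},
    {"risk_category": "user", "entity": "alice", "risk_score": 50, "fidelity": 0.5},
    {"risk_category": "system", "entity": "srv-01", "risk_score": 80, "fidelity": 0.25},
    {"risk_category": "user", "entity": "bob", "risk_score": 10, "fidelity": 0.9},
]


def weighted_risk(doc):
    """Assumption: Fidelity (0..1) scales the Risk score of one record."""
    fidelity = float(doc["fidelity"])
    if not 0.0 <= fidelity <= 1.0:
        raise ValueError("fidelity must be between 0 and 1")
    return float(doc["risk_score"]) * fidelity


def aggregate_risk(docs):
    """Sum weighted risk per (risk category, entity) pair."""
    totals = defaultdict(float)
    for doc in docs:
        totals[(doc["risk_category"], doc["entity"])] += weighted_risk(doc)
    return dict(totals)


def incident_candidates(docs, threshold):
    """Entities whose accumulated weighted risk reaches the threshold."""
    totals = aggregate_risk(docs)
    return sorted(key for key, total in totals.items() if total >= threshold)


if __name__ == "__main__":
    for key, total in sorted(aggregate_risk(SAMPLE_RISK_DOCS).items()):
        print(key, total)
    print("candidates:", incident_candidates(SAMPLE_RISK_DOCS, 50))
```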

Run Job Action


Description:

  • Select Action - selecting the name of an existing job in Job Scheduler
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result

Script

The script must be located on the server specified in the settings of the Job Scheduler component; Smart Monitor Remote Execution must be running on that server. Shell and Python scripts are supported.


Description:

  • Path to the script - absolute path to the executable file on the server that needs to be run
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result

Webhook

Can be used to write search job results to an external system using HTTP requests.


Description:

  • Protocol - selecting the http/https protocol
  • Host - address of the server receiving the requests
  • Port - port of the server receiving the requests
  • Request Action - type of request sent to the server (GET, POST, PUT, DELETE)
  • Request - the path to the resource after the port in the address bar. For example, path/to/source in the string https://example.source:443/path/to/source
  • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result
  • Params - query-string parameters passed in the address bar, specified as key-value pairs. Example: the parameters ?param1=value1&param2=value2 in the string https://example.source:443/path/to/source?param1=value1&param2=value2
  • Authorization - parameters for authorization on the server receiving the request
  • Headers - headers passed to the receiving server as key-value pairs, for example User-Agent, Cookie, Authorization
  • Body - body of the request
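An added example (not Smart Monitor's own code) showing how the Protocol, Host, Port, Request and Params settings above compose into the request URL, plus the checks worth running before enabling a Webhook action. The configuration dict, its key names and the token placeholder are constructed for this example.

```python
from urllib.parse import urlencode

# Constructed sample configuration; key names mirror the Webhook settings
# described above but are an assumption of this example, not the product's.
SAMPLE_WEBHOOK = {
    "protocol": "https",
    "host": "example.source",
    "port": 443,
    "request_action": "POST",
    "request": "path/to/source",
    "params": {"param1": "value1", "param2": "value2"},
    "headers": {"Authorization": "Bearer <token-placeholder>"},
    "body": '{"event": "constructed sample"}',
}

ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE")


def build_url(cfg):
    """Assemble the URL from Protocol, Host, Port, Request and Params."""
    if cfg["protocol"] not in ("http", "https"):
        raise ValueError("Protocol must be http or https")
    if not 1 <= int(cfg["port"]) <= 65535:
        raise ValueError("Port out of range")
    path = "/" + cfg["request"].lstrip("/")  # Request is the part after the port
    base = f"{cfg['protocol']}://{cfg['host']}:{cfg['port']}{path}"
    query = urlencode(cfg.get("params") or {})  # percent-encodes key/value pairs
    return f"{base}?{query}" if query else base


def review_webhook(cfg):
    """Return findings a defender would want cleared before enabling the action."""
    findings = []
    if cfg["request_action"] not in ALLOWED_METHODS:
        findings.append(f"unsupported Request Action {cfg['request_action']}")
    header_names = {name.lower() for name in cfg.get("headers", {})}
    if cfg["protocol"] == "http" and header_names & {"authorization", "cookie"}:
        findings.append("credential-bearing header would be sent over plain http")
    if cfg["request_action"] == "GET" and cfg.get("body"):
        findings.append("Body set on a GET request; servers typically ignore it")
    return findings


if __name__ == "__main__":
    print(build_url(SAMPLE_WEBHOOK))
    print(review_webhook(SAMPLE_WEBHOOK))
```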