Description of Active Actions in SM

As a result of executing a search query, active actions can be configured.

To view existing active actions in Smart Monitor, in the interface for creating and configuring a search job, select the Active Actions tab and click the Add button.

List of available Actions:

• Sending E-mail - Sends a message to the specified address. For more information, see here
• Creating an incident - Creating an incident in the Incident Manager module. For more information, see here
• Event indexing - Writes the result of a query to the index. For more information, see here
• Recording in the DB - Writes query results to external databases
• Event logging - Writes the results of a search query to the job_scheduler.log file of the Job Scheduler component
• MITRE ATT&CK® techniques - Tags events as triggers of techniques and subtechniques of the MITRE ATT&CK® database and writes events to the index
• MITRE ATT&CK® Risk Scoring Assignment - Fixes the risk score in the trigger
• Risk Score Assignment - Allows recording a risk score
• Script another search - Running a job from the Job Scheduler
• Running the script - Run an existing script on the server
• Webhook - Creating an HTTP request to a remote server

Next, the existing active actions are reviewed, along with a description of the configurable settings.

---

Sending E-mail

Description:

• To - recipient's address
• Subject - email subject
• Sign - signature at the end of the email
• Body - message to be sent; it is possible to switch to HTML markup
• Trigger "Run Once" - runs the active action for all query results collectively; when this parameter is disabled, the active action will be applied to each individual query result
• Enable time - adds the server time at the moment of sending
• Enable table - adds a table with search results to the message body
• Send file - a CSV file with the search query results will be attached to the email
• Merge - merges the search query execution results into a single message

---

Creating an incident

Description:

• Incident title - a short title used to identify the incident in the general list
• Severity - the importance level of the incident
• Workflow - the associated workflow process
• Incident Description - a detailed explanation of the incident; the editor supports Github Flavored Markdown
• Drilldown Type - the format of additional information:
  • Search – a search query containing either an event or additional incident-related information. For this type of detailed view, you can configure time boundaries to specify the period for which details should be displayed
  • Link - a URL to external information such as documentation
• Drilldown Text - search queries or URLs providing supplemental data. Allow time boundary configuration for search-type drill-downs. Unspecified boundaries default to the incident's original search job timeframe
• Index Suffix - allows storing incidents in a specific index. See index suffixes
• Trigger – configuration for when and how the active action is triggered
  • Run Once – creates a single incident even if the search returns multiple results
• Incident Fields – configurable fields defined in the module settings
• Additional Fields – key-value pairs extracted from the search job results
• Inventory Linking – configuration for linking the incident to an Inventory object and selecting the relevant fields
• Local parameters – key-value pairs of local and global tokens used for dynamic data substitution

Using Tokens

For the Severity field and all fields in the Additional Fields section, you can use tokens from the search job. See Using Tokens.

In the Fields from Search Results section, you must specify the fields returned by the search query and set their value to none. This will preserve the field names from the key input when viewing the incident.

---

Event indexing

Description:

• Index name - index name
• Update the document - if the parameter is enabled, the document is updated every time a request is executed, otherwise a new one is created
• Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result

---

Recording in the DB

Description:

• User ID - username to connect to a database
• Connection ID - database connection parameters
• Table name - a database table to record the results of a search query
• Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result

---

Event logging

No customization options.

---

MITRE ATT&CK® techniques

The result of the Action is written to the .smos_mitre-* index. The data in the index can be used to create incidents.

Description:

• Name - action name
• Rule - name of the correlation rule for which this Action is configured
• Layer - selecting the created layer in MITRE ATT&CK®
• Technique - list of MITRE ATT&CK® techniques that are categorized for this incident
• Severity - severity events (low, medium, high)
• Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result
• Additional Fields - creating additional key-value fields in the incident card

Using in conjunction with the "Create Incident" action

If you use the MITRE ATTACK Technique Recording action after the Create Incident action, the incident_id field containing the identifier of the incident created by the same trigger event will be automatically added to the record document.

---

MITRE ATT&CK® Risk Scoring Assignment

The result of the Action is written to the .smos_risk-* index. Allows you to assign a risk score, for example, to a category of users or hosts for performing controlled actions. The data in the index can be used to create incidents.

Description:

• Name - action name
• Risk category - by what entity the calculation is made (system and/or user)
• Risk score - number of risk score per operation
• Fidelity - weight of the risk score. Accepts a value from 0 to 1
• Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result
• Additional fields - creating additional key-value fields in the incident card

---

Script another search

Description:

• Select Action - selecting the name of an existing job in Job Scheduler
• Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result

---

Running the script

The script must be located on the server (with Smart Monitor Remote Execution running), which is specified in the settings of the Job Scheduler component. Allows you to run shell and python scripts.

SME-RE Configuration

Description:

• Path to the script - absolute path to the executable file on the server that needs to be run
• Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result

---

Webhook

Can be used to write search job results to an external system using HTTP requests.

Description:

• Protocol - selecting the http/https protocol
• Host - address of the server getting requests
• Port - port of the server getting requests
• Request Action - type of request to the server (GET, POST, PUT, DELETE)
• Request - the path to the resource from the address bar after the port. For example, path/to/source in the string https://example.source:443/path/to/source
• • Trigger "Run Once" - if enabled, this Action will be performed only for the first search result, otherwise - for each query result
• Params - used to pass parameters in the address bar. Specified as a key-value pair. Example: parameters ?param1=value1&param2=value2 in this string: https://example.source:443/path/to/source?param1=value1&param2=value2
• Authorization - parameters for authorization on the server getting the request
• Headers - can pass the headers to the receiving server as a key-value pair. For example, you can pass headers: User-Agent, Cookie, Authorization
• Body - body of the request