Version: 5.2

Job Scheduler

Overview

The Job Scheduler component provides functionality for working with search jobs. A search job is a query that runs on a specified schedule; its results are then processed by various active actions. An active action is a specific way of processing the results of a search query, such as creating an incident or sending an email notification.

In the main section of the component, there is a list of all jobs:

Job list

Example of a scheduled search job:

Rule

Tasks can be created manually by the user or supplied with a module as accompanying content.

A colored indicator shows the task status:

  • Inactive tasks: 🔴 Red
  • Active tasks: 🟢 Green

Various active actions are possible based on the results of executing a scheduled job, such as sending results via email, creating incidents, aggregating results into an index, and more.

The complete list of possible actions includes:

  • Creating an incident
  • Sending E-mail
  • Running the script
  • Webhook
  • Recording in the DB
  • Event indexing
  • Event logging
  • Accrual of risk points, where you can configure the scoring type for interaction with the UBA module
  • Risk score calculation
  • Fixing MITRE ATT&CK® techniques
  • MITRE ATT&CK® Risk Score Assignment
  • Running another search

These actions can be created and edited in the selected task on the Active Actions tab. Detailed information about active actions can be found via the link.

For more details on creating and configuring scheduled jobs, refer to the article Job Scheduler.