AlienVault email

Create an action in AlienValut

You can create actions for events collected from systems external to your network through the USM Appliance Sensors. This includes sending an email, executing a script, or opening a ticket.

To configure an action:

1. Go to Configure > Threat Intelligence > Actions, select New.
2. Type the name of the action in the Name field. One example of an action could be “When an attack against IP 192.168.1.1 occurs, send email to an external notification system.”
3. From the Context list, select the context under which the action should occur.
4. In the Description field, click on any applicable keywords at the top of the page to automatically add them to the field.

For example, if you wanted to create an action to send an email to an administrator, you could include information from the normalized event in the email message, such as SRC_IP, DST_IP, PRIORITY, and RISK.

When the action is executed, USM Appliance substitutes the values from the event that triggered the action for the keywords.

Note: You can also use keywords when you want to execute an external program. One example might be an event that invokes a script that sends a shun command to a network firewall to prevent an attacker from making a connection through the firewall at the DST_IP address.

5. From the Type list, select an action option. Options include:

• Send an email message about an event to a pre-configured email within your organization. You can also use this option to send email to an external ticketing system.
• Execute an external program by means of a script.
• Open a ticket in USM Appliance’s internal ticketing system. The Actions page expands to include more fields specific to the selection you made.

6. In Conditions, indicate under what circumstances the action should occur:

• If you choose Any or Only if it is an alarm, no new fields display.
• If you choose Define logical condition, two new UI fields display:

Python Boolean expression — True or False expressions in Python.
Only on risk increase check box — This condition must be met for this policy consequence to go into effect. You can use the Boolean expression in combination with the provided keywords, such as “Date”, “Risk”, “Plugin_SID”, to define conditions for an action to trigger.

Important: When writing an expression, only the following characters are allowed: A-Z, a-z, 0-9, _, ‘, and “.

7. Fill in the fields that appeared after you selected the action type:
If you want to send an email message:

• In the FROM field, type the email address from which the email message is being sent. This is frequently the USM Appliance administrator.
• In the TO field, type the email address or addresses to which USM Appliance should send the message.
• In the Subject field, type a subject for the email. For example, this may reflect the policy’s purpose, such as “Escalation of event risk on critical asset.”
• In the Message field, type the content for the email. You can also use the keywords used earlier in the description field.

If you want to open a ticket in USM Appliance:

In the In Charge field, select either a particular User or an Entity.

If you want to execute an external program, using a script residing locally:

Type the path to the script in the Command field. Once the policy conditions have been met, the program or script will then run.

Important: The best practice is to use non-blocking scripts, as blocking scripts may create response issues or other undesired effects if there is any delay in the script’s completion, including the possibility of breaking backup and purging processes.

8. Click Save.