Add or modify activities
- Select Logs > Security Incidents > Actions.
- Click Add or select an action and click Modify.
- Under Activities, click Add, or select an activity and click Modify.
- Select the activity from the Activity drop-down menu.
- Enter the information associated with the activity.
  - Some options include the Secondary Task check box. Selecting this check box enables the secondary task to occur after the time period specified in the action has passed.
  - Use the table below for information about each activity option.
- Click OK to save your activity.
Settings
| Field | Definition |
| --- | --- |
| Command Line Script Action | Lets you specify a particular command line script to be executed as an alarm action. |
| Send Alarm to Custom Script | Lets you send an alarm to a custom command line script located in /home/cm/scripts when the trigger event occurs. |
| Send Alarm to External Log Hosts | Sends an alarm to an external log host when the trigger event occurs. |
| Email User Action | Sends an email to the logged on user or owner, only the logged on user, or only the owner when the action is taken. See Hosts for more information about adding or modifying the host's owner. Enter the message for the user in the Email Message box. Select the fields to display information you wish to append to the email. You can update the text to be displayed for each field. Users can add or modify custom fields that are appended to the email. Custom fields include information about a security event that is stored under Full Event Attributes in the Security Events View > Event Details window. For example, enter a label for the field and the "CS4" key to display the CS4 information in the custom field. See Security events. |
| Email Group Action | Sends an email to the selected administrator group. |
| SMS User Action | Sends an SMS message to the host's owner when the action is taken. See Hosts for more information about adding or modifying the host's owner. Enter the message for the user in the SMS Message box. |
| Host Role Action | Lets you set the host role to any configured role. You can select the Secondary Task check box to enable a secondary task to change the role when the action is undone. |
| Disable Host | Disconnects the host from the network. You can select the Secondary Task check box to enable the host after a specified time period if the Perform Secondary Task(s) check box is enabled for the action. |
| Disable Port | Disconnects the port. You can select the Secondary Task check box to enable the port after a specified time period if the Perform Secondary Task(s) check box is enabled for the action. |
| Run Endpoint Compliance Configuration | When selected, allows you to run additional endpoint compliance configurations based on security actions mapped to a scan's results. See Chaining configuration scans. |
| Mark Host At Risk | Automatically fails the scan selected in the Mark Host At Risk For drop-down list, and places the host in a state of remediation the next time the host connects. You can select the Secondary Task check box to mark the host safe after a specified time period if the Perform Secondary Task(s) check box is enabled for the action. |
| Mark Host Safe | Automatically marks the host as safe for the scan selected in the Mark Host Safe For drop-down list, and passes the scan. You can select the Secondary Task check box to mark the host at risk after a specified time period if the Perform Secondary Task(s) check box is enabled for the action. |
| Send Message to Desktop | Lets you send a message to the desktop of a host running the Persistent Agent. |