Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Defining Custom Actions

 

You can attach scripts to custom rules that do custom actions in response to network events. Use the Custom Action window to manage custom action scripts.

Use custom actions to select or define the value that is passed to the script and to define the resulting action.

For example, you can write a script to create a firewall rule that blocks a source IP address from your network in response to a rule that is triggered by a defined number of failed login attempts.

The following examples are custom actions that are the outcomes of passing values to a script:

  • Block users and domains.

  • Initiate work flows and updates in external systems.

  • Update TAXI servers with a STIX representation of a threat.

Custom actions work best with a low volume of events and with custom rules that have a low response limiter value.

Take the following steps to define your custom actions:

  1. From the Admin tab, click the Define Actions icon.

  2. Click Add on the Custom Action window toolbar to open the Define Custom Action dialog where you can upload scripts that define custom actions.

  3. Select a programming language version that the product supports from theInterpreter list.

  4. Select and name a parameter from the following table to pass to the script that you upload.

    Table 1: Custom Action Parameters

    Parameter

    Description

    Fixed property

    Values that are passed to the custom action script.

    Not based on the events or flows, but are based on other defined values that you can use the script to act on.

    For example, the fixed properties username and password for a third-party system are passed to a script that results in sending an SMS alert, or other defined action.

    You can encrypt fixed properties, such as passwords, by selecting the Encrypt value check box.

    Network event property

    Dynamic Ariel properties that are generated by events. Select from the Property list.

    For example, the network event property sourceip provides a parameter that matches the source IP address of the triggered event.

In order to ensure the security of your deployment, the product does not support the full range of scripting functionality that is provided by the Python, Perl or Bash languages.

Parameters are passed into your script in the order in which you added them in the Define Custom Action dialog box.

Testing Your Custom Action

You can test whether your script runs successfully before you associate it with a rule. Select a custom action and click Test Execution >Execute to test your script. The Test custom action execution dialog returns the result of the test and any output that is produced by the script.

Custom action scripts are executed inside a sand-boxed environment on your managed hosts. If you need to write to disk from a custom action script, you must use the following directory: /home/customactionuser. Custom action scripts execute on the managed host that runs the event processor that triggered the rule.

After you configure and test your custom action, use the Rule Wizard to create a new event rule and associate the custom action with it.