Executing A Command - Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual


4.6.4 Executing a Command

Figure 4-5 Executing a Command

NOTE: This type of action can only be used in Correlation deployments.

This action type can be used to execute a command when a correlated event triggers. You can set the following parameters:

Command:
Arguments: This can include constants or references to an event attribute in the last event, the one that caused the rule to fire.

References to event attributes must use the values in the meta tag column enclosed in % or $ symbols. For example, %InitIP% represents the initiator IP address value from the Correlated event, except in the Configure Correlated Event action. Because the Correlated event was not created before the action is executed, the InitIP value comes from the trigger event. $InitIP$ always represents the value from the current event. Both %all% and $all$ are the same, and they pass information (a limited set of attributes from both the trigger event and the Correlated event along with some Correlation rule data) to a Correlation action. They are provided primarily for backward compatibility with existing Correlation actions. They cannot be used in JavaScript actions or in the Configure Correlated Event action. For more information on meta tags, see "Sentinel 6.1 Rapid Deployment Event Fields" in the Sentinel 6.1 Rapid Deployment Reference Guide.

Command actions can be created to perform a non-interactive action, such as modifying a firewall policy, entering a record in a database, or deactivating a user account. For an action that generates output, such as a command to run a vulnerability scan, the command should refer to a script that runs the command and then writes the output to a file.

NOTE: By default, the action output is stored to the working directory, <Install_directory>/data. The action output can be written to a different directory by specifying a different storage location for the output file in the script.
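
The kind of wrapper script described above, as an added example that is not taken from the Sentinel manual: it receives the value of %InitIP% as its first argument, checks that the value is a plain IPv4 address, runs a command against it, and writes the output to a file. OUT_DIR, SCAN_CMD, the function names and the file name pattern are assumptions made for this example.

```shell
#!/bin/sh
# Wrapper script for a Command action: Arguments would carry %InitIP%.
# Assumed names (not from the manual): OUT_DIR, SCAN_CMD, the file name pattern.
OUT_DIR="${OUT_DIR:-./action-output}"      # assumed output location
SCAN_CMD="${SCAN_CMD:-echo would-scan}"    # placeholder for the real command

# Event attributes come from collected log data, so accept only a strict
# dotted-quad IPv4 address before the value goes anywhere near a command line.
valid_ipv4() {
    case "$1" in
        "" | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                    # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac    # reject leading zeros
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Run the command with the validated value as a single quoted argument,
# write its output to a file, and print the file's path.
run_action() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "action aborted: argument is not an IPv4 address" >&2
        return 2
    fi
    mkdir -p "$OUT_DIR" || return 3
    out_file="$OUT_DIR/scan_${ip}_$(date +%Y%m%dT%H%M%S).txt"
    $SCAN_CMD "$ip" >"$out_file" 2>&1
    echo "$out_file"
}

# Only run when called with arguments, as the action would call it.
if [ "$#" -gt 0 ]; then
    run_action "$1"
fi
```

The script exits with status 2 and runs nothing when the argument fails validation, so a malformed event value results in no command execution and no output file.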
