Execute A Command - Novell SENTINEL 6.1 SP2 - 02-2010 User Manual

3.6.4 Execute a Command

Figure 3-5 Executing a Command

NOTE: This type of action can only be used in Correlation deployments.

This action type can be used to execute a command when a correlated event triggers. You can set the following parameters:

Command

NOTE: For actions that execute a command or run a script, the command or script must reside in the $ESEC_HOME/config/exec or %ESEC_HOME%\config\exec folder on the Correlation Engine. Symbolic links on UNIX are not supported.

Arguments: This can include constants or references to an event attribute in the last event, the one that caused the rule to fire.

NOTE: References to event attributes must use the values in the metatag column enclosed in % or $ symbols. For example, %InitIP% represents the Initiator IP address value from the Correlated Event, except in the Configure Correlated Event action. Because the correlated event has not been created before the action is executed, the InitIP value comes from the trigger event. $InitIP$ always represents the value from the current event.

Both %all% and $all$ are the same, and they pass information (a limited set of attributes from both the trigger event and the correlated event along with some correlation rule data) to a correlation action. They are provided primarily for backward compatibility with existing correlation actions. They cannot be used in JavaScript actions or in the Configure Correlated Event action. For more information on metatags, see "Sentinel Event Fields" in Sentinel 6.1 Reference Guide.

Sentinel 6.1 User Guide
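
Values substituted for references such as %InitIP% originate in event data, so a script placed in the exec folder should validate its arguments before using them. The following is an added example, not part of the Sentinel manual: a hypothetical script record_initip.sh that accepts %InitIP% as its only argument, together with a pre-deployment check for the folder and symbolic-link rule above. The script name, the INITIP_LIST variable, the default output path and the assumption that the value arrives as the first positional argument are illustrative.

```shell
#!/bin/sh
# Added example, not from the Sentinel manual. Hypothetical script path:
#   $ESEC_HOME/config/exec/record_initip.sh
# Assumed action configuration: Command = record_initip.sh, Arguments = %InitIP%
# Assumption: the substituted value arrives as the first positional argument.

# Succeed only for a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; only digits and dots remain here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Pre-deployment check for the placement rule: the script must be a regular
# file, not a symbolic link, located directly in the exec folder.
is_deployable() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    script_dir=$(cd "$(dirname "$1")" && pwd -P) || return 1
    exec_dir=$(cd "$2" && pwd -P) || return 1
    [ "$script_dir" = "$exec_dir" ]
}

# Append the validated address to a review list; reject anything else.
record_initip() {
    if ! is_ipv4 "$1"; then
        echo "record_initip: rejected non-IPv4 argument" >&2
        return 2
    fi
    printf '%s\n' "$1" >> "$2"
}

# Run only when invoked with an argument, as the correlation action would.
if [ "$#" -gt 0 ]; then
    record_initip "$1" "${INITIP_LIST:-/tmp/initip_review.list}"
fi
```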
