Up
Previous Next

Sheriff CSM

Create an Action

You can create actions for Sheriff CSM to perform on security events. This includes sending an email, executing a script, or opening a ticket. One example of an action could be "When an attack against IP 192.168.1.1 occurs, send an email to an external ticketing system."

To configure an action

1. Go to Configure > Threat Intelligence > Actions, select New.

2. Type the name of the action in the Name field.

3. From the Context list, select the context under which the action should occur.

4. In the Description field, click on any applicable keywords at the top of the page to automatically add them to the field.

   For example, if you wanted to create an action to send an email to an administrator, you could include information from the normalized event in the email message, such as SRC_IP, DST_IP, PRIORITY, and RISK.

   

   When the action is executed, Sheriff CSM substitutes the values from the event that triggered the action for the keywords.

   Note: You can also use keywords when you want to execute an external program. One example might be an event that invokes a script that sends a shun command to a network firewall to prevent an attacker from making a connection through the firewall at the DST_IP address.

5. From the Type list, select an action option.

   Options include:

   • Send an email message about an event to a preconfigured email within your organization.

     You can also use this option to send notifications by phone messaging services, such as Short Message Service (SMS). However, to do this, you need an external messaging gateway capable of translating email messages to phone messages.

   • Execute an external program by means of a script.
   • Open a ticket in Sheriff CSM's internal ticketing system.

     The Actions page expands to include more fields specific to the selection you made.

6. In Conditions, indicate under what circumstances the action should occur:

   • If you choose Any or Only if it is an alarm, no new fields display.
   • If you choose Define logical condition, two new UI fields display:

     Python Boolean expression — True or False expressions in Python.

     Only on risk increase check box — When checked, this condition must be met for this policy consequence to go into effect.

     You can use Boolean comparison operators (=, , >, <, >=, <=) and logical operators (AND, OR, NOT) in combination with the provided keywords, such as "Date", "Risk", "Plugin_SID", to define conditions for an action to trigger. For example

     

     Important: When writing an expression, only the following characters are allowed: A-Z, a-z, 0-9, _, ', and ".

     Note: Starting from version 5.6, you can also use arithmetic operators, add (+), subtract (-), multiply (*), and divide (/), in an expression.

7. Fill in the fields that appeared after you selected the action type:

   To send an email message:

   1. In the FROM field, type the email address from which the email message is being sent. This is frequently the Sheriff CSM administrator.
   2. In the TO field, type the email address or addresses to which Sheriff CSM should send the message.
   3. In the Subject field, type a subject for the email. For example, this may reflect the policy's purpose, such as "Escalation of event risk on critical asset."
   4. In the Message field, type the content for the email. You can also use the keywords used earlier in the description field.