
How to activate automatic Actions in Realtime Alerts

To use the predefined Automatic Actions, first create a new alert or open/edit one of the pre-built scenarios/alerts.

To create a new alert, follow the link:

To access the Action Parameters, open the ALERT SETTINGS menu by selecting Settings > Alerts > Realtime. The Alerts customization page opens in the Alerts module interface.

When you create a new alert or edit an existing one, you will find the Has Action checkbox:

[Screenshot: Has Action checkbox]

Press the button shown in the screenshot to open the Script Editor window, where you can write a custom script to apply as the rule or select one of the predefined Actions from the list:

[Screenshot: Script Editor with the list of predefined Actions]

Choosing a specific action (e.g. LinuxActions Disable_User) activates an automatic response scenario, such as disabling or enabling Linux users, or sending Email or messenger notifications.

An action is triggered by an alert, which in turn is generated by specific events.

The following predefined automatic actions are available at this moment:

LinuxActions.DISABLE_USER

This action deactivates or removes a specific Linux user from the target host, based on these parameters:

[Screenshot: DISABLE_USER action parameters]

  • Target User (which user to disable)

  • Host (on which host to deactivate the user)

  • CredentialsGUID (using which credentials to disable the user)

This action requires root password access.

When this action runs, the user is removed and can no longer log in to the machine/host.

Target User:

  • Static Value - the value can be static; in Static Value you write the name of the user to be disabled:

[Screenshot: Target User set as a Static Value]

  • Properties - the value can be dynamic; you select the rule and event number from the list and a field such as UserName, which determines the user you are disabling:

[Screenshot: Target User taken from event Properties]

Host:

  • The action can run on the host that appeared in the event, or on a fixed host such as the domain controller dc01 (e.g.):

[Screenshot: Host parameter]

CredentialsGUID:

  • Which credentials stored on the CYBERQUEST server are used; select one from the list (e.g. AgentWindows):

[Screenshot: CredentialsGUID parameter]

LinuxActions.ENABLE_USER

This action activates or restores a specific Linux user (who will be able to log in again), based on these parameters:

  • Target User (which user to enable)

  • Host (on which host to activate the user)

  • CredentialsGUID (using which credentials to enable the user)

This action requires root password access.

Target User:

  • Static Value - the value can be static; in Static Value you write the name of the user to be enabled

  • Properties - the value can be dynamic; you select the rule and event number from the list and a field such as UserName, which determines the user you are enabling

Host:

  • The action can run on the host that appeared in the event, or on a fixed host such as the domain controller dc01 (e.g.).

CredentialsGUID:

  • Which credentials stored on the CYBERQUEST server are used; select one from the list (e.g. AgentWindows).

LinuxActions.EXPIRE_USER_PASSWORD

This action expires the target user's password, so that the user can no longer log in with the current password, based on these parameters:

  • Target User (whose password is expired)

  • Host (on which host the password is expired)

  • CredentialsGUID (using which credentials to expire the password)

This can be done by a group administrator or a regular user; root is not required.

Target User:

  • Static Value - the value can be static; in Static Value you write the name of the user whose password should be changed.

  • Properties - the value can be dynamic; you select the rule and event number from the list and a field such as UserName, which determines the user whose password is expired.

Host:

  • The action can run on the host that appeared in the event, or on a fixed host such as the domain controller dc01 (e.g.).

CredentialsGUID:

  • Which credentials stored on the CYBERQUEST server are used; select one from the list (e.g. AgentWindows).

LinuxActions.DISABLE_PASSWORD_EXPIRE

When this action is enabled, password expiry is lifted and the Linux user is restored and able to log in to the host again, based on these parameters:

  • Target User

  • Host

  • CredentialsGUID

This can be done by a group administrator.

Target User:

  • Static Value - the value can be static; in Static Value you write the name of the user to be enabled

  • Properties - the value can be dynamic; you select the rule and event number from the list and a field such as UserName, which determines the user whose password expiry is disabled

Host:

  • The action can run on the host that appeared in the event, or on a fixed host such as the domain controller dc01 (e.g.).

CredentialsGUID:

  • Which credentials stored on the CYBERQUEST server are used; select one from the list (e.g. AgentWindows).
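As an added example (not part of the CYBERQUEST documentation or the product's own code), the following Python script models how the Target User, Host and CredentialsGUID parameters of the four LinuxActions above are resolved, either from a Static Value or from a Properties selection (rule, event number, field such as UserName), and what command the action would send to the target host. The sample events, the event field names, the credential entry's GUID, the command behind each action and the protected-account check are assumptions for illustration; the page does not document the product's internal behaviour.

```python
"""Added example, not CYBERQUEST's own code: resolve the Target User, Host and
CredentialsGUID parameters of a LinuxActions.* action from the alert's events
and plan the Linux command that would run on the target host. Parameter and
action names follow the page; everything else is an illustrative assumption."""
import re

# Constructed sample events keyed by (rule, event number), as the Properties
# option selects them; UserName and Host are assumed field names.
SAMPLE_EVENTS = {
    ("Failed_Logins", 1): {"UserName": "jdoe", "Host": "web01", "EventID": 4625},
    ("Failed_Logins", 2): {"UserName": "svc_backup", "Host": "db01"},
}

# Constructed credential store; "AgentWindows" is the list entry the page shows.
CREDENTIALS = {
    "AgentWindows": {"guid": "00000000-0000-4000-8000-000000000001", "login": "root"},
}

# Assumed command behind each predefined action (shadow-utils syntax);
# {user} is substituted with the resolved Target User.
ACTION_COMMANDS = {
    "LinuxActions.DISABLE_USER": "usermod --lock {user} && chage --expiredate 0 {user}",
    "LinuxActions.ENABLE_USER": "usermod --unlock {user} && chage --expiredate -1 {user}",
    "LinuxActions.EXPIRE_USER_PASSWORD": "passwd --expire {user}",
    "LinuxActions.DISABLE_PASSWORD_EXPIRE": "chage --maxdays -1 {user}",
}

# Assumed operator policy: automatic actions must never lock these accounts.
PROTECTED_USERS = {"root"}

# Dynamic values come from event data, so they are validated before they are
# placed in a command line (POSIX-style user name, DNS-style host name).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,253}")


def resolve_param(param, events):
    """A parameter is either {"static": value} (Static Value) or
    {"property": (rule, event_number, field)} (Properties)."""
    if "static" in param:
        return param["static"]
    rule, event_no, field = param["property"]
    event = events.get((rule, event_no))
    if event is None:
        raise KeyError(f"rule {rule!r} has no event number {event_no}")
    if field not in event:
        raise KeyError(f"event {event_no} of rule {rule!r} has no field {field!r}")
    return str(event[field])


def plan_action(action, params, events=SAMPLE_EVENTS, credentials=CREDENTIALS):
    """Return the host, credential GUID and command for one action, or raise."""
    if action not in ACTION_COMMANDS:
        raise ValueError(f"unknown action {action}")
    user = resolve_param(params["Target User"], events)
    host = resolve_param(params["Host"], events)
    cred_name = params["CredentialsGUID"]
    if cred_name not in credentials:
        raise KeyError(f"credential {cred_name!r} is not in the CYBERQUEST list")
    if not USERNAME_RE.fullmatch(user):
        raise ValueError(f"refusing unsafe user name from event data: {user!r}")
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"refusing unsafe host name: {host!r}")
    if user in PROTECTED_USERS:
        raise PermissionError(f"{user} is protected from automatic actions")
    return {
        "host": host,
        "credential_guid": credentials[cred_name]["guid"],
        "command": ACTION_COMMANDS[action].format(user=user),
    }


if __name__ == "__main__":
    # Dynamic Target User and Host taken from event 1 of the Failed_Logins rule
    print(plan_action("LinuxActions.DISABLE_USER", {
        "Target User": {"property": ("Failed_Logins", 1, "UserName")},
        "Host": {"property": ("Failed_Logins", 1, "Host")},
        "CredentialsGUID": "AgentWindows",
    }))
    # Static Target User on the domain controller dc01
    print(plan_action("LinuxActions.ENABLE_USER", {
        "Target User": {"static": "jdoe"},
        "Host": {"static": "dc01"},
        "CredentialsGUID": "AgentWindows",
    }))
```

Because the Properties option takes the user name from event data, an automatic action acts on whatever the log says; validating the resolved value and excluding root and service accounts keeps a noisy or spoofed event from locking out the administrators who have to respond to the alert.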

Notifications Email/ Teams/Slack/Jira

Notifications Email/Teams/Slack/Jira - these actions send notifications by email or through the Teams, Jira or Slack messengers.

[Screenshot: Notifications action parameters]

Notifications Content - the specific message, entered by the user, that is delivered when the risky events that activated this alert occur.