13.3. Response Actions

Response actions determine how to respond when cybersecurity analytics rules are triggered. Actions can be created in the Analytics --> Response actions tab. When adding an action, provide the following settings:

Enabled

Enables or disables the response action.

Name

The name of the response action.

Description

A description of the response action. This field is optional.

Action

The action that should be taken when the analytics rule is triggered. The action is applied only if it is selected in the analytics rule properties.

The following response actions are available:

  • Send email: send an email to the selected addresses. The procedure of configuring the Send email action will be discussed later in the section Send Email Action.

  • Send message: send a message to the specified phone numbers. The procedure of configuring the Send message action will be discussed later in the section Send Message Action.

  • Webhook: receive an alert on the rule trigger on the webpage whose address is specified in the action settings. The procedure of configuring the Webhook action will be discussed later in the section Webhook Action.

  • Create incident: automatically create an incident when the analytics rule is triggered. The procedure of configuring the Create incident action is described in the section Incident Settings.

  • Send command to connector: send a command to the selected connector. The procedure of configuring the Send command to connector action will be discussed later in the section Send Command to Connector Action.

  • Send command to endpoint: send a command to the endpoint devices with the UserGate Client software installed. The procedure of configuring the Send command to endpoint action will be discussed later in the section Send Command to Endpoint Action.

Enable logging

Enables or disables the logging of response action triggers. The data is recorded in the Log Analyzer event log that can be viewed in the Logs and reports --> Log Analyzer logs --> Events tab.

Group similar triggered alerts

When configuring response actions, you can enable the grouping of triggered alerts for convenience.

The following grouping options are available:

  • Never.

  • For period of time: the response action will be performed if at least one triggered alert occurs during the specified period of time.

  • By number of triggered alerts: the response action will be performed only after the specified number of triggered alerts.

Grouping time period (min.)

The grouping time period in minutes. This setting is available only when grouping for a period of time is selected.

Number of triggered events

The number of triggered alerts that must accumulate before the response action is performed. This setting is available only when grouping by the number of triggered alerts is selected.
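The three grouping modes above are easiest to compare on a concrete stream of alerts. The following Python script is an added example, not code from the UserGate product or its documentation; it simulates how the grouping settings collapse repeated alerts into response actions. It assumes that "similar" alerts are alerts from the same analytics rule, that in the "For period of time" mode the first alert opens a window of the configured length and one action is performed at the end of that window for everything that arrived in it, and that in the "By number of triggered alerts" mode an incomplete batch never fires. The alert timeline is constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Grouping(Enum):
    """The three 'Group similar triggered alerts' options from the settings."""
    NEVER = "never"    # every alert performs the action
    PERIOD = "period"  # "For period of time" (Grouping time period, min.)
    COUNT = "count"    # "By number of triggered alerts" (Number of triggered events)


@dataclass(frozen=True)
class Alert:
    rule: str            # analytics rule that was triggered
    fired_at: datetime   # time the rule fired


# (rule, time the response action is performed, number of alerts it covers)
Action = Tuple[str, datetime, int]


def at(hour: int, minute: int) -> datetime:
    """Helper for building a constructed timeline on a single fixed day."""
    return datetime(2024, 1, 1, hour, minute)


# Constructed sample: a burst of brute-force alerts plus one unrelated alert.
SAMPLE_ALERTS: List[Alert] = [
    Alert("ssh-bruteforce", at(10, 0)),
    Alert("ssh-bruteforce", at(10, 2)),
    Alert("dns-tunnel", at(10, 5)),
    Alert("ssh-bruteforce", at(10, 7)),
    Alert("ssh-bruteforce", at(10, 13)),
    Alert("ssh-bruteforce", at(10, 30)),
]


def _group_one_rule(rule: str, ordered: List[Alert], grouping: Grouping,
                    period_min: Optional[int], count: Optional[int]) -> List[Action]:
    """Apply one grouping mode to the time-ordered alerts of a single rule."""
    actions: List[Action] = []
    if grouping is Grouping.NEVER:
        return [(rule, a.fired_at, 1) for a in ordered]

    if grouping is Grouping.PERIOD:
        if not period_min or period_min <= 0:
            raise ValueError("grouping time period must be a positive number of minutes")
        window_end: Optional[datetime] = None
        pending = 0
        for a in ordered:
            # An alert outside the open window closes it and opens a new one
            # (assumption: the action fires at the end of the window).
            if window_end is None or a.fired_at >= window_end:
                if pending:
                    actions.append((rule, window_end, pending))
                window_end = a.fired_at + timedelta(minutes=period_min)
                pending = 0
            pending += 1
        if pending:
            actions.append((rule, window_end, pending))
        return actions

    if grouping is Grouping.COUNT:
        if not count or count <= 0:
            raise ValueError("number of triggered events must be a positive integer")
        pending = 0
        for a in ordered:
            pending += 1
            if pending == count:
                # The action fires at the moment the N-th alert arrives.
                actions.append((rule, a.fired_at, pending))
                pending = 0
        return actions  # a partial batch (pending < count) never fires

    raise ValueError(f"unknown grouping mode: {grouping!r}")


def group_alerts(alerts: List[Alert], grouping: Grouping,
                 period_min: Optional[int] = None,
                 count: Optional[int] = None) -> List[Action]:
    """Collapse triggered alerts into response actions, per rule, and return
    the actions in chronological order."""
    by_rule: Dict[str, List[Alert]] = {}
    for a in sorted(alerts, key=lambda x: x.fired_at):
        by_rule.setdefault(a.rule, []).append(a)
    actions: List[Action] = []
    for rule, ordered in by_rule.items():
        actions.extend(_group_one_rule(rule, ordered, grouping, period_min, count))
    return sorted(actions, key=lambda x: (x[1], x[0]))


if __name__ == "__main__":
    for mode, kwargs in [(Grouping.NEVER, {}),
                         (Grouping.PERIOD, {"period_min": 10}),
                         (Grouping.COUNT, {"count": 2})]:
        print(mode.value)
        for rule, when, n in group_alerts(SAMPLE_ALERTS, mode, **kwargs):
            print(f"  {when:%H:%M}  {rule:<15} covers {n} alert(s)")
```

With a 10-minute period, the six alerts become four actions (the first three brute-force alerts are delivered as one), while grouping by a count of 2 yields only two actions and the single dns-tunnel alert never produces one. That last behaviour is worth keeping in mind when choosing a count-based grouping for a low-volume rule.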

The created response actions can be edited, deleted, copied, enabled, and disabled. You can also configure the response action list to display all actions, only enabled actions, or only disabled actions.