Response Actions

Response actions determine what happens when a cybersecurity analytics rule is triggered. In UserGate SIEM you can flexibly customize the notifications and commands an action sends by using variables that describe the triggered alert (see the table below).

Notification and command variables

Note: The field is case-sensitive. Variable names must be entered in UPPERCASE in curly brackets, exactly as shown in the table.
Note: A variable can be used in commands and notifications only if it has been selected under Analytics ➜ Analytics Rules ➜ Event Grouping Conditions.

  • {ANALYTICS_RULE_NAME}: the name of the analytics rule.

  • {ANALYTICS_RULE_DESCRIPTION}: a description of the analytics rule.

  • {NAME}: the name of a specific triggered alert.

  • {TIME}: the time when the analytics rule was triggered.

  • {TRIGGERED_ALERTS_NUMBER}: the number of triggered alerts.

  • {FIRST_TRIGGERED_ALERT_TIME}: the time when the first triggered alert occurred.

  • {LAST_TRIGGERED_ALERT_TIME}: the time when the last triggered alert occurred.

  • {TRIGGERED_ALERTS_NAMES}: the list of triggered alert names, if grouping is used.

  • {FIRST_EVENT_TIME}: the time of the first event included in the triggered alert for the analytics rule.

  • {LAST_EVENT_TIME}: the time of the last event included in the triggered alert for the analytics rule.

  • {THREAT_LEVEL}: the specified threat level.

  • {CATEGORY}: the category to which the triggered alert belongs.

  • {PRIORITY}: the priority of the triggered analytics rule alert.

  • {ADMINISTRATOR_NAME}: the name of the administrator who created the analytics rule.

  • {USER_NAME}: the username.

  • {SOURCE_ZONE}: the source zone.

  • {DESTINATION_ZONE}: the destination zone.

  • {SOURCE_COUNTRY}: the source country.

  • {DESTINATION_COUNTRY}: the destination country.

  • {SOURCE_IP}: the source IP address.

  • {SOURCE_PORT}: the source port.

  • {DESTINATION_IP}: the destination IP address.

  • {DESTINATION_PORT}: the destination port.

  • {SOURCE_ZONE_ALL}: the source zones of all events that caused the triggered alert.

  • {DESTINATION_ZONE_ALL}: the destination zones of all events that caused the triggered alert.

  • {SOURCE_COUNTRY_ALL}: the source countries of all events that caused the triggered alert.

  • {DESTINATION_COUNTRY_ALL}: the destination countries of all events that caused the triggered alert.

  • {SOURCE_IP_ALL}: the source IP addresses of all events that caused the triggered alert.

  • {SOURCE_PORT_ALL}: the source port numbers of all events that caused the triggered alert.

  • {DESTINATION_IP_ALL}: the destination IP addresses of all events that caused the triggered alert.

  • {DESTINATION_PORT_ALL}: the destination port numbers of all events that caused the triggered alert.

Actions can be created in the Analytics ➜ Response actions tab. When adding an action, provide the following settings:

  • Enabled: enables or disables the response action.

  • Name: the name of the response action.

  • Description: a description of the response action. This field is optional.

  • Action: the action to take when the analytics rule is triggered. It is applied only if the response action is specified in the analytics rule properties. The following response actions are available:

      • Send email: send an email to the selected addresses. Configuration is described in the Send Email Action section.

      • Send message: send a message to the specified phone numbers. Configuration is described in the Send Message Action section.

      • Webhook: send a notification about the rule trigger to the URL specified in the action settings. Configuration is described in the Webhook Action section.

      • Create incident: automatically create an incident when the analytics rule is triggered. Configuration is described in the Incident Settings section.

      • Send Command To Connector: send a command to the selected connector. Configuration is described in the Send Command To Connector Action section.

      • Send Command To Endpoint: send a command to an endpoint with the UserGate Client software installed. For more details, see Send Command To Endpoint Action.

  • Enable logging: enables or disables the logging of response action triggers. The data is recorded in the SIEM event log, which can be viewed under Logs and reports ➜ Logs ➜ Event log.

  • Group similar triggered alerts: groups triggered alerts so that a single action covers several of them. The following grouping options are available:

      • Never: triggered alerts are not grouped.

      • For period of time: the response action is performed if at least one triggered alert occurs during the specified period of time.

      • By number of triggered alerts: the response action is performed only after the specified number of triggered alerts has accumulated.

  • Grouping time period (min.): the grouping time period in minutes. This setting is available only when For period of time is selected.

  • Number of triggered events: the number of triggered alerts that must accumulate before the grouped response action is performed. This setting is available only when By number of triggered alerts is selected.

The created response actions can be edited, deleted, copied, enabled, and disabled. You can also configure the response action list to display all actions, only enabled actions, or only disabled actions.
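The three grouping options above decide how many triggered alerts one performed action covers, and the grouped action is where the {TRIGGERED_ALERTS_NUMBER}, {FIRST_TRIGGERED_ALERT_TIME}, {LAST_TRIGGERED_ALERT_TIME}, {TRIGGERED_ALERTS_NAMES} and {..._ALL} variables get their values. The following Python model is an added example written for this page, not UserGate code: the alert stream is constructed, the mode names ("never", "period", "count") and the AlertGrouper class are assumptions, and a real deployment would close an expired time window from a timer rather than from the next alert's arrival.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample data: four triggered alerts from two analytics rules (not real SIEM output).
T0 = datetime(2024, 1, 15, 10, 0, 0)
SAMPLE_ALERTS: List[Tuple[str, datetime, str]] = [
    ("Brute force: ssh", T0, "10.0.0.5"),
    ("Brute force: ssh", T0 + timedelta(minutes=2), "10.0.0.7"),
    ("Brute force: rdp", T0 + timedelta(minutes=4), "10.0.0.5"),
    ("Brute force: ssh", T0 + timedelta(minutes=12), "10.0.0.9"),
]


@dataclass
class TriggeredAlert:
    name: str
    time: datetime
    source_ip: str


@dataclass
class ActionContext:
    # Field names follow the notification variables so a template can use them directly.
    TRIGGERED_ALERTS_NUMBER: int
    FIRST_TRIGGERED_ALERT_TIME: datetime
    LAST_TRIGGERED_ALERT_TIME: datetime
    TRIGGERED_ALERTS_NAMES: List[str]
    SOURCE_IP_ALL: List[str]


def build_context(batch: List[TriggeredAlert]) -> ActionContext:
    """Summarises one batch of alerts into the values a grouped action can report."""
    return ActionContext(
        TRIGGERED_ALERTS_NUMBER=len(batch),
        FIRST_TRIGGERED_ALERT_TIME=batch[0].time,
        LAST_TRIGGERED_ALERT_TIME=batch[-1].time,
        TRIGGERED_ALERTS_NAMES=sorted({a.name for a in batch}),
        SOURCE_IP_ALL=sorted({a.source_ip for a in batch}),
    )


class AlertGrouper:
    """Models the three 'Group similar triggered alerts' options: never, period, count (assumed names)."""

    def __init__(self, mode: str, period_minutes: int = 0, count: int = 0):
        if mode not in ("never", "period", "count"):
            raise ValueError(f"unknown grouping mode: {mode}")
        if mode == "period" and period_minutes <= 0:
            raise ValueError("period grouping needs a positive grouping time period")
        if mode == "count" and count <= 0:
            raise ValueError("count grouping needs a positive number of triggered events")
        self.mode = mode
        self.period = timedelta(minutes=period_minutes)
        self.count = count
        self._batch: List[TriggeredAlert] = []
        self._window_end: Optional[datetime] = None

    def feed(self, alert: TriggeredAlert) -> Optional[ActionContext]:
        """Returns an ActionContext when the response action should be performed, else None."""
        if self.mode == "never":
            return build_context([alert])          # every alert performs the action
        if self.mode == "count":
            self._batch.append(alert)
            return self._emit() if len(self._batch) >= self.count else None
        # period mode: the first alert opens a window; the action runs once per window
        emitted = self.flush(alert.time)           # an alert after the window closes it
        if not self._batch:
            self._window_end = alert.time + self.period
        self._batch.append(alert)
        return emitted

    def flush(self, now: datetime) -> Optional[ActionContext]:
        """Closes an expired period window. A real deployment would call this from a timer."""
        if self.mode == "period" and self._batch and now >= self._window_end:
            return self._emit()
        return None

    def _emit(self) -> ActionContext:
        ctx = build_context(self._batch)
        self._batch, self._window_end = [], None
        return ctx


def run_grouper(mode: str, **settings: int) -> List[ActionContext]:
    """Feeds the constructed alerts through one grouper and returns every action it produced."""
    grouper = AlertGrouper(mode, **settings)
    actions = []
    for name, time, ip in SAMPLE_ALERTS:
        ctx = grouper.feed(TriggeredAlert(name, time, ip))
        if ctx is not None:
            actions.append(ctx)
    tail = grouper.flush(SAMPLE_ALERTS[-1][1] + timedelta(hours=1))  # timer closes the last window
    if tail is not None:
        actions.append(tail)
    return actions


if __name__ == "__main__":
    for ctx in run_grouper("period", period_minutes=10):
        print(ctx)
```

With a 10-minute period, the first three constructed alerts fall into one window and produce a single action whose {TRIGGERED_ALERTS_NUMBER} is 3, while the fourth alert at 10:12 opens a new window; with a count of 2, the same stream produces two actions of two alerts each.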

Send Email Action

If you selected Send email as the response action, provide the following settings in the rule properties.

  • Notification profile: the SMTP notification profile used for sending emails. For more details on configuring SMTP profiles, see the Notification Profiles chapter.

  • From: the sender name.

  • Subject: the email subject.

  • Emails: the list of recipient email addresses. The recipients must be added to the lists under Settings ➜ Libraries ➜ Emails. For more details on adding emails, see the Emails section.

  • Template: the alert email template, which can include the values of variables related to the triggered alert. For more details, see the Alert Template and Notification and command variables sections.

Send Message Action

If you selected Send Message as the response action, provide the following settings in the rule properties.

  • Notification profile: the SMPP notification profile used for sending messages. For more details on configuring SMPP profiles, see the Notification Profiles chapter.

  • From: the sender name.

  • Phones: the list of recipient phone numbers. The recipients must be added to the lists under Settings ➜ Libraries ➜ Phones. For more details on adding phone numbers, see the Phones section.

  • Template: the message template, which can include the values of variables related to the triggered alert. For more details, see the Alert Template and Notification and command variables sections.

Webhook Action

To configure a webhook in the response action rule properties, provide the following settings.

  • URL: the URL to which notifications about rule triggers are sent.

  • Template: the alert template, which can include the values of variables related to the triggered alert. For more details, see the Alert Template and Notification and command variables sections.

You can test the webhook feature using this service: https://webhook.site. To do that, go to the Webhook.site website, copy the generated link, and paste it into the URL field on the Actions tab of the response action rule properties. Webhook.site is a public third-party service, so use a test template that contains no internal addresses or usernames; for anything beyond a one-off test, point the URL at a receiver you control.
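A receiver you control is a small amount of code. The following Python listener is an added example for this page, not UserGate code: it collects whatever is delivered to the configured URL so that the rendered template can be inspected locally, and the deliver() helper plays the SIEM's part for the demonstration. The page does not document the HTTP method or content type the SIEM uses, so the POST with a text/plain body is an assumption; in a real setup the receiver would listen on a reachable address behind TLS rather than on 127.0.0.1.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Tuple
from urllib.request import Request, urlopen


class WebhookReceiver(HTTPServer):
    """Stores every notification body delivered to the webhook URL as (path, body)."""

    def __init__(self, address: Tuple[str, int]):
        super().__init__(address, _Handler)
        self.received: List[Tuple[str, str]] = []


class _Handler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        # Read exactly Content-Length bytes; a missing header is treated as an empty body.
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        self.server.received.append((self.path, body))
        self.send_response(204)  # acknowledged, nothing to return
        self.end_headers()

    def log_message(self, fmt: str, *args) -> None:
        pass  # keep the demo quiet; a real receiver would log to the SIEM or a file


def start_receiver() -> WebhookReceiver:
    """Binds to a free loopback port and serves in a background thread."""
    server = WebhookReceiver(("127.0.0.1", 0))  # port 0: the OS picks a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def deliver(url: str, body: str) -> int:
    """Stand-in for the SIEM: POSTs the rendered template text to the webhook URL (assumed method)."""
    request = Request(
        url,
        data=body.encode("utf-8"),
        method="POST",
        headers={"Content-Type": "text/plain; charset=utf-8"},
    )
    with urlopen(request, timeout=5) as response:
        return response.status


def demo() -> List[Tuple[str, str]]:
    """Starts a receiver, delivers one constructed notification, and returns what was received."""
    server = start_receiver()
    try:
        url = f"http://127.0.0.1:{server.server_port}/usergate-alerts"
        deliver(url, "Rule Brute force: ssh fired from 10.0.0.9")  # constructed alert text
        return list(server.received)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, body in demo():
        print(path, body)
```

Replace the loopback address with the host the SIEM can reach and paste the resulting URL into the URL field of the action, just as with the webhook.site link.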

Send Command To Connector action

You can configure a response action that sends a command to a connector for execution. Provide the following settings:

  • Connectors: select the devices to which the command is sent when an analytics rule is triggered. The connector must be added and configured in advance under Sensors ➜ Connectors in the Settings tab of the UserGate SIEM web management interface (see Connectors for more information). Important! Only connectors with the same command group can be selected.

  • Command: the command sent to the connector for execution; only the commands of the group assigned to the selected connectors are available. If the command contains variables, additional fields are displayed where their values must be specified. See Commands for more details on the commands.

Send Command To Endpoint action

You can configure a response action of sending a command to a device with the UserGate Client software installed. Available commands:

  • Block networking -- disable access to the Internet.

  • Kill process -- terminate the process specified in the filter query.

Alert Template

In the Template tab, enter the alert text. In addition to fixed text, you can include data related to the triggered alert or its log records.

To include data related to the triggered alert, enter the corresponding variable name from the Notification and command variables table into the text field in the Template tab. For example, if you enter {ANALYTICS_RULE_NAME}, the email, SMS, or webhook alert text will show the name of the triggered analytics rule. If you fill in the template when configuring the Create incident action, the text is displayed in the incident description.
To send data related to the triggered alert, enter the corresponding parameter name from the table into the text field in the Template tab. For example, if you enter {ANALYTICS_RULE_NAME}, the email, SMS, or webhook alert text will show the name of the triggered analytics rule. If you fill in the template at the time of configuring the Create incident action, the text will be displayed in the incident description.