Manage Actions

Security Requirements and Controls
  • Update actions permission

The Actions interface provides comprehensive management of actions within a repository: creating, deleting, exporting, duplicating, and setting permissions for actions. It also provides filtering and a menu for each action. This page also covers the security requirements and the specific steps needed for each management task.

Use the Actions page to create, delete, export, and duplicate actions.

To manage Actions, click the Automation tab within a repository and select Actions from the sidebar menu. Actions are managed and organized according to the repository that the query is executed within. The main page displays a list of the configured actions for the repository:

Figure 212. Actions Overview Page


  • Search existing actions by using the Find action... search box. The box will filter the list of available actions according to their name or type.

  • Create a new action using the New action button. See Create Actions.

  • Click on the three-dot icon next to an action to perform the following actions on that action only:

    Figure 213. Action Management Popup Menu


    • Duplicate

      Duplicates the action and all the configuration parameters. See Duplicate an Action.

    • Export as template

      Exports an action and configuration information as a YAML file that can then be used as the basis for new actions.

    • Delete

      Deletes an action, provided that the action is not associated with an existing alert. See Delete an Action.

Duplicate an Action

Security Requirements and Controls
  • Create actions permission

  • Update actions permission

Duplicating an action copies the entire configuration of an existing action to a new name. Either action can then be updated with different parameters, for example, updating the forwarding repository or changing the email template used for the action.

To duplicate an existing action:

  1. Go to the Repository and Views page.

  2. Select a Repository or View.

  3. Click the Automation tab on the top bar of the User Interface.

  4. Select Actions from the menu on the left.

  5. Locate the action that will be duplicated, then click the menu icon next to the action name and choose Duplicate.

  6. The Duplicate action prompt will be displayed. Name the new duplicated item in the Name field. The name should not already exist.

    Figure 214. Duplicating an Action Dialog


  7. Click the Duplicate action button. The new action should appear in the list.

The duplicated action is an exact copy of the original, including the configurations and settings, templates, and other parameters. The new action should be modified and associated with an alert or scheduled search before it can be used.

Export an Action

Security Requirements and Controls
  • Update actions permission

Exporting an action saves the entire definition of an action to a YAML file on the client machine. The exported action can then be used as the basis for new actions, or copied between clusters.

To export an action:

  1. Go to the Repository and Views page.

  2. Select a Repository or View.

  3. Click the Automation tab on the top bar of the User Interface.

  4. Select Actions from the menu on the left.

  5. Locate the action that will be exported, then click the menu icon next to the action name and choose Export as template.

  6. The operating system native dialogue for saving a file will be shown. Choose a location for the file, and a filename: the file will be saved with a .yaml extension.

  7. Click the Save button: the action will be saved to the file on disk on the client machine.

The saved file contains a complete copy of the configuration information; enough to completely recreate the action.

Delete an Action

Security Requirements and Controls
  • Delete actions permission

Deleting an action removes the action and its configuration. An action that has been assigned to a working alert cannot be removed; the alerts must first be edited to remove the action, and then the action can be deleted.

Hint

Before deleting, if you think you might need the action again, you can export the action to a YAML file. See Export an Action.

To delete an action:

  1. Go to the Repository and Views page.

  2. Select a Repository or View.

  3. Click the Automation tab on the top bar of the User Interface.

  4. Select Actions from the menu on the left.

  5. Locate the action that will be deleted, then click the menu icon next to the action name and choose Delete.

  6. The Delete action dialog will be presented to confirm the action deletion.

    Figure 215. Deleting an Action Dialog


  7. If the action is configured or assigned to a scheduled search or alert, an alert message will be presented to show that the action could not be deleted. The action should be removed from any configured searches and alerts before you delete the action.