Managing Actions

Security Requirements and Controls

To manage Actions, click the Automation tab within a repository and select Actions from the left menu. Actions are managed and organised according to the repository that the query is executed within. The main page displays a list of the configured actions for the repository, as shown in Figure 205, Actions Management Page.

Figure 205. Actions Management Page


Within the Actions page, actions can be created, deleted, exported, and duplicated.

  • Existing actions can be searched by using the Find action... search box at the top of the page. The box will filter the list of available actions according to their name or type.

  • A new action can be created by using the + New action button. See Creating Actions.

  • Clicking one of the filter names above the list of available actions, for example Falcon LogScale repository, will filter the display to show only that type of action.

  • Clicking an individual item in the list of available actions will open the edit dialog for the action.

  • Clicking the ⋮ to the right of an action opens a popup menu of operations that apply to that action only:

    Figure 206. Action Management Popup Menu


Duplicating an Action

Duplicating an action copies the entire configuration of an existing action to a new name. Either action can then be updated with different parameters, for example, updating the forwarding repository or changing the email template used for the action.

To duplicate an existing action:

  1. Go to the Repository and Views page.

  2. Select a Repository or View.

  3. Click the Alerts tab on the top bar of the User Interface.

  4. Select Actions from the menu on the left.

  5. Locate the action that will be duplicated, then click the ⋮ next to the action name. Choose Duplicate.

  6. The Duplicate action prompt will be displayed. Name the new duplicate item in the Name field. The name should not already exist.

    Figure 207. Duplicating an Action Dialog


  7. Click the Duplicate action button. The new action should appear in the list.

A duplicated item is an exact copy of the original, including the configurations and settings, templates, and other parameters. The new action should be modified and associated with an alert or scheduled search before it can be used.

Exporting an Action

Exporting an action saves the entire definition of an action to a YAML file on the client machine. The exported action can then be used as the basis for new actions, or copied between clusters.

To export an action:

  1. Go to the Repository and Views page.

  2. Select a Repository or View.

  3. Click the Alerts tab on the top bar of the User Interface.

  4. Select Actions from the menu on the left.

  5. Locate the action that will be exported, then click the ⋮ next to the action name. Choose Export as template.

  6. The operating system native dialogue for saving a file will be shown. Choose a location for the file, and a filename. The file will be saved with a .yaml extension.

  7. Click the Save button. The action will be saved to the file on disk on the client machine.

The saved file contains a complete copy of the configuration information; enough to completely recreate the action.