
How to activate automatic Actions in Realtime Alerts

To use predefined automatic actions, first create a new alert or open/edit an existing scenario or alert.

For instructions on creating a new alert, please refer to the provided link: How to create new alerts

To access Action Parameters, open the ALERT SETTINGS menu by navigating to Settings > Alerts > Realtime. The Alerts customization page will open within the Alerts module interface.

When creating or editing an alert, the Has Action checkbox is available. Select it and press the button shown next to it to open the Action Parameters window, which includes a drop-down list of predefined automated actions and provides access to the Script Editor for creating a custom script.

Selecting a specific action (e.g., disabling a Linux user account) enables an automated response scenario. These actions can include enabling or disabling user accounts, sending notifications via email or messenger, and more.

An action is executed in response to alerts triggered by specific event conditions.

The following predefined automated actions are currently available:

1.LinuxActions.DISABLE_USER

This automated action disables the specified Linux user account on the target host, based on the following parameters:

  • Target User - Specifies the user account to be disabled.

  • Host - Defines the system where the action is to be applied.

  • CredentialsGUID - Specifies the credentials used by the CYBERQUEST server to perform the action.

This action requires the root password of the target host to execute, i.e. the selected credential must hold root privileges.

Upon execution, the specified account is disabled and the user can no longer authenticate or log in. The account can be reactivated later with LinuxActions.ENABLE_USER.

Target User:

  • Static Value - A fixed username is entered directly in the field; that user is disabled every time the alert fires.

  • Properties - The user is selected dynamically from event data. Use the UserName field from the specified rule and event index to determine which user will be disabled.

Host:

  • Specifies the target system where the user account will be disabled. This can be the host from which the event originated or a specific machine (e.g., DC09).

CredentialsGUID:

Specifies the credentials used by the CYBERQUEST server to execute the action. The appropriate credential (e.g., AgentLinuxRoot) is selected from the predefined list; it must hold root privileges on the target host.

2.LinuxActions.ENABLE_USER

This action activates or restores a specific Linux user account, allowing the user to log in again. It operates based on the following parameters:

  • Target User - Specifies the user account to be enabled

  • Host - Indicates the host where the account will be reactivated

  • CredentialsGUID - Defines the credentials used to perform the action

This action requires the root password of the target host to execute, i.e. the selected credential must hold root privileges.

Target User:

  • Static Value - A fixed username can be provided directly in the Static Value field to specify the user account to be enabled.

  • Properties - A dynamic selection that allows choosing a username from a specific rule and event instance using the UserName field. This enables the action to target users identified at runtime.

Host:

  • Specifies the target system where the action will be executed. This can be the originating host or a designated system (e.g., DC09).

CredentialsGUID:

  • Indicates which stored credentials from the CYBERQUEST server are used to perform the action. The credentials are selected from the available list (e.g., AgentLinuxRoot).

3.LinuxActions.EXPIRE_USER_PASSWORD

This action enforces password expiration for a specified Linux user, preventing further logins using the current password. Configuration requires the following parameters:

  • Target User - The user whose password will be expired

  • Host - The system where the action is applied

  • CredentialsGUID - The credentials used to perform the operation

Execution can be carried out by a group administrator or another user with sufficient privileges; root access is not mandatory, but the selected credential must be permitted to modify the target user's password ageing information (for example via sudo).

Target User:

  • Static Value - Enter a specific username whose password should be expired.

  • Properties - Dynamic values can be applied by selecting the rule and event number from the list. For example, the UserName field can be used to dynamically identify the target user.

Host:

  • Specifies the target system where the action will be executed. This can be the originating host or a designated system (e.g., DC09).

CredentialsGUID:

  • Select the credentials (e.g., AgentLinux) from the CYBERQUEST server that will be used to execute the password expiration action.

4.LinuxActions.DISABLE_PASSWORD_EXPIRE

This action disables password expiration for a specified Linux user, allowing the user to log in without being restricted by an expired password. The action is performed based on the following parameters:

  • Target User - The Linux user account for which password expiration is to be disabled.

  • Host - The system where the action will be executed.

  • CredentialsGUID - The credentials used by CYBERQUEST to perform the action on the target host.

As with LinuxActions.EXPIRE_USER_PASSWORD, execution can be carried out by a group administrator or another user with sufficient privileges; root access is not mandatory.

Target User:

  • Static Value - A fixed username can be specified directly. In this case, the user name is manually entered into the Static Value field.

  • Properties - Dynamic values can be used by selecting a rule and event number from the list. For example, the UserName field can be referenced to dynamically identify the account for which password expiration should be disabled.

Host:

Specifies the target system where the action will be executed. This can be the originating host (where the triggering event occurred) or a designated system (e.g., DC09).

CredentialsGUID:

Indicates the credentials to be used by the CYBERQUEST server when executing the action. A credential entry (e.g., AgentLinux) must be selected from the predefined list available in the system.
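The page does not show the commands CYBERQUEST runs on the host for the four account actions above. The following is an added example, not CYBERQUEST's own code, of the standard shadow-utils commands that produce the same four effects, together with a check that reads a user's /etc/shadow entry to confirm the result (a "!"-prefixed hash after DISABLE_USER, last-change day 0 after EXPIRE_USER_PASSWORD, no maximum age after DISABLE_PASSWORD_EXPIRE). Because the Properties option takes the username from event data, the example validates the value against the POSIX username format before it is placed in a command. The command mapping, the function names and the sample shadow lines are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not CYBERQUEST code: shadow-utils equivalents of the four
# Linux account actions and a check that reads the resulting /etc/shadow line.

# Accept only a POSIX-style username. The Properties option can supply this
# value from event data, so it must never reach a command line unvalidated.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Print the command that performs ACTION on USER (assumed mapping):
#   usermod -L / -U   prefix or strip "!" on the password hash
#   chage -d 0        force a password change at next login
#   chage -M -1       remove the maximum password age
linux_user_action_cmd() {
    action=$1 user=$2
    valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
    case "$action" in
        DISABLE_USER)            echo "usermod -L $user" ;;
        ENABLE_USER)             echo "usermod -U $user" ;;
        EXPIRE_USER_PASSWORD)    echo "chage -d 0 $user" ;;
        DISABLE_PASSWORD_EXPIRE) echo "chage -M -1 $user" ;;
        *) echo "unknown action: $action" >&2; return 1 ;;
    esac
}

# Classify one /etc/shadow line (name:hash:lastchg:min:max:warn:inactive:expire:)
# as "locked" (hash starts with "!"), "expired" (last change day 0) or "active".
shadow_status() {
    IFS=: read -r _name hash lastchg _min _max _rest <<EOF
$1
EOF
    case "$hash" in
        '!'*) echo locked; return 0 ;;
    esac
    if [ "$lastchg" = 0 ]; then echo expired; return 0; fi
    echo active
}

# Report the maximum password age from a shadow line: "none" when the field
# is empty (what chage -M -1 writes) or holds the conventional 99999.
password_max_age() {
    IFS=: read -r _name _hash _lastchg _min max _rest <<EOF
$1
EOF
    if [ -z "$max" ] || [ "$max" = 99999 ]; then echo none; else echo "$max"; fi
}

# Constructed sample entries (not taken from any real system).
ACTIVE='alice:$6$s4lt$h4sh:19700:0:99999:7:::'
LOCKED='bob:!$6$s4lt$h4sh:19700:0:99999:7:::'
EXPIRED='carol:$6$s4lt$h4sh:0:0:90:7:::'

# Walk through the four actions and show the check that would follow each.
linux_user_action_cmd DISABLE_USER bob
echo "bob is now: $(shadow_status "$LOCKED")"
linux_user_action_cmd ENABLE_USER bob
echo "alice is: $(shadow_status "$ACTIVE")"
linux_user_action_cmd EXPIRE_USER_PASSWORD carol
echo "carol is: $(shadow_status "$EXPIRED"), max age $(password_max_age "$EXPIRED") days"
linux_user_action_cmd DISABLE_PASSWORD_EXPIRE carol
echo "alice max age: $(password_max_age "$ACTIVE")"
if ! linux_user_action_cmd DISABLE_USER 'bob;id' 2>/dev/null; then
    echo "event-supplied value 'bob;id' rejected before reaching a command"
fi
```

Run as-is the script only prints the planned commands; on a real host the printed usermod/chage line would be executed with the root credential, and the user's line from /etc/shadow fed to shadow_status afterwards to confirm the change took effect.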

5.Notifications Email/Teams/Slack/Jira

These actions send automatic notifications through the selected communication channels (Email, Microsoft Teams, Slack, or Jira) when the conditions defined for the alert are met.

The notification carries a custom message defined by the user, which is delivered when the alert is triggered by a matching event. This message typically includes context about the detected risk or condition.

6.PlayBooks.RUN_PLAYBOOK

This action triggers the execution of a defined playbook in response to the alert instance. When the alert conditions are met, the associated playbook is automatically initiated, enabling a structured and automated response workflow. Playbooks may include a series of predefined tasks, actions, or decisions designed to handle specific security events or operational scenarios.


AlertSecurityThreshold - Sets a static numeric value to define the security impact level of the alert.

Run Playbook - Selects a playbook from the list of available entries defined in the Playbooks module to be executed when the alert is triggered.

7.LinuxActions.MANIPULATE_SERVICE

This action performs operations on a specified Linux service - starting, stopping, or restarting it - based on defined parameters.

ServiceName - Identifies the name of the Linux service to be manipulated

Action - Specifies the type of service operation (start, stop, restart)

Host - Indicates the host on which the service operation will be executed

CredentialsGUID - Indicates the credentials to be used by the CYBERQUEST server when executing the action. A credential entry (e.g., AgentLinuxRoot) must be selected from the predefined list available in the system.

This action requires root privileges on the target host to execute successfully.

ServiceName:

  • Static Value - A fixed service name can be entered directly (e.g., sshd, nginx).
  • Properties - Enables dynamic selection of the service name from a rule and event instance, allowing flexible automation based on event data.

Action:

  • Static Value - Allows selecting the desired operation from a predefined list (e.g., start, stop, restart).
  • Properties - Enables dynamic selection of the operation by referencing a specific field from the triggering event or rule, allowing the action to adapt based on runtime data.

Host:

  • Specifies the target system where the action will be executed. This can be the originating host (where the triggering event occurred) or a designated system (e.g., DC09).

CredentialsGUID:

  • Indicates the stored credentials from the CYBERQUEST server used to authenticate and execute the service command. Credentials are selected from a list (e.g., AgentLinuxRoot).

8.LinuxActions.BLOCK_IP_ADDRESS

This action blocks a specific IP address on a designated Linux host using defined parameters. It is typically used to prevent communication from potentially malicious sources.

IpAddress - Specifies the IP address to be blocked.

Host - Indicates the host on which the block action will be applied.

CredentialsGUID - Defines the credentials used to perform the action.

This action requires root access to execute.

IpAddress:

  • Static Value - A specific IP address can be manually entered to apply a fixed blocking rule.
  • Properties - Enables dynamic selection of the IP address from a rule and event instance (e.g., using the SourceIP field) to block addresses identified at runtime.

Host:

  • Specifies the Linux host where the IP address will be blocked. This can be the host from which the triggering event was collected or a designated target system (e.g., Server02).

CredentialsGUID:

  • Indicates which stored credentials from the CYBERQUEST server will be used to execute the command. Select from the available list (e.g., AgentLinux).

9.LinuxActions.REMOVE_BLOCK_IP_ADDRESS

This action removes a previously applied block on a specific IP address on a designated Linux host, based on the provided parameters.

  • IpAddress - Specifies the IP address to unblock.
  • Host - Indicates the host where the block removal will be performed.
  • CredentialsGUID - Defines the credentials used to execute the action.

IpAddress:

  • Static Value - A fixed IP address can be entered manually to specify which address to unblock.
  • Properties - Allows dynamic selection of the IP address from a rule and event instance (e.g., SourceIP field), enabling unblock actions based on real-time event data.

Host:

  • Specifies the Linux host where the block on the IP address will be removed. This can be the original host or another target system.

CredentialsGUID:

  • Indicates which stored credentials from the CYBERQUEST server will be used to run the unblock command. Choose from the available list (e.g., AgentLinux).
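An added example (not CYBERQUEST's code) of the checks a practitioner would put in front of BLOCK_IP_ADDRESS and REMOVE_BLOCK_IP_ADDRESS when the IpAddress comes from the SourceIP field of an event: the value is validated as a dotted-quad IPv4 address, addresses whose blocking would isolate the host or cut it off from the CYBERQUEST server are refused (the source address of an event can be spoofed), and the current ruleset is checked so that a repeated alert does not stack duplicate rules and an unblock reports when there is nothing to remove. The use of iptables, the rule format, the protected-address list and the sample ruleset are assumptions of the example.

```shell
#!/bin/sh
# Added example, not CYBERQUEST code: input validation, self-protection and
# idempotency checks around the BLOCK_IP_ADDRESS / REMOVE_BLOCK_IP_ADDRESS
# actions. Assumes iptables on the target host; sample data is constructed.

# Strict dotted-quad IPv4 check: exactly four octets, each 0-255.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Addresses whose blocking would harm the host itself or its link to the
# CYBERQUEST server are never blocked, whatever the event says.
# PROTECTED_IPS is a constructed allowlist (assumed: the CYBERQUEST server
# and a management host).
PROTECTED_IPS='198.51.100.10 198.51.100.11'

safe_to_block() {
    ip=$1
    valid_ipv4 "$ip" || return 1
    case "$ip" in
        127.*|0.*|169.254.*) return 1 ;;
    esac
    for p in $PROTECTED_IPS; do
        [ "$ip" = "$p" ] && return 1
    done
    return 0
}

# Block and unblock rules are built from the same template so that
# REMOVE_BLOCK_IP_ADDRESS deletes exactly what BLOCK_IP_ADDRESS inserted.
block_cmd()   { echo "iptables -I INPUT -s $1 -j DROP"; }
unblock_cmd() { echo "iptables -D INPUT -s $1 -j DROP"; }

# Is a DROP rule for IP already present in `iptables -S INPUT` output?
block_present() {
    printf '%s\n' "$1" | grep -Fqx -e "-A INPUT -s $2/32 -j DROP"
}

# Decide what to do for one alert: refuse, skip as already blocked, or
# print the command to run.
plan_block() {
    ruleset=$1 ip=$2
    if ! safe_to_block "$ip"; then echo "refused: $ip"; return 1; fi
    if block_present "$ruleset" "$ip"; then echo "already blocked: $ip"; return 0; fi
    block_cmd "$ip"
}

plan_unblock() {
    ruleset=$1 ip=$2
    valid_ipv4 "$ip" || { echo "refused: $ip"; return 1; }
    if ! block_present "$ruleset" "$ip"; then echo "not blocked: $ip"; return 1; fi
    unblock_cmd "$ip"
}

# Constructed `iptables -S INPUT` output for the demonstration.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 203.0.113.5/32 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

for candidate in 203.0.113.77 203.0.113.5 127.0.0.1 198.51.100.10 '203.0.113.9 -j ACCEPT'; do
    plan_block "$SAMPLE_RULES" "$candidate" || true
done
plan_unblock "$SAMPLE_RULES" 203.0.113.5
plan_unblock "$SAMPLE_RULES" 203.0.113.77 || true
```

On a real host the ruleset argument would be the live output of `iptables -S INPUT`, captured with the same credential that runs the block command, and the printed command executed only when plan_block returns a rule rather than a refusal.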

10.LinuxActions.KILL_PROCESS_BY_PID

This action terminates a specific process on a Linux host using its Process ID (PID), based on the provided parameters.

  • PID - Specifies the Process ID of the process to be terminated.
  • Host - Indicates the host where the process termination will be executed.
  • CredentialsGUID - Defines the credentials used to perform the action.

Root access is required to execute this action.

PID:

  • Static Value - A fixed Process ID can be entered manually to specify which process to kill.
  • Properties - Enables dynamic selection of the PID from a rule and event instance, allowing process termination based on real-time event data.

Host:

  • Specifies the Linux host where the process termination will be carried out. This can be the originating host or a designated system.

CredentialsGUID:

  • Indicates which stored credentials from the CYBERQUEST server are used to perform the kill operation. Select from the available list (e.g., AgentLinux).

11.LinuxActions.KILL_PROCESS_BY_NAME

This action terminates a Linux process based on its name, using the following parameters:

  • ProcessName - Specifies the name of the process to be terminated.
  • Host - Indicates the host where the process will be killed.
  • CredentialsGUID - Defines the credentials used to perform the action.

ProcessName:

  • Static Value - A fixed process name can be entered directly to specify which process to terminate.
  • Properties - Supports dynamic selection of the process name from a rule and event instance, enabling process termination based on real-time event data.

Host:

  • Specifies the target system where the action will be executed. This can be the originating host or another designated system.

CredentialsGUID:

  • Indicates which stored credentials from the CYBERQUEST server are used to execute the action. Credentials are selected from the available list.
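An added example (not CYBERQUEST's code) of the two checks that matter most when a kill action is driven by event data: a PID recorded in an event may have been reused by an unrelated process by the time the action runs, so the example confirms the PID still belongs to the expected command name before planning the kill, and a process name is matched exactly rather than as a substring, so a kill for "sh" does not also hit sshd. The `ps -eo pid,comm` listing format, the function names and the sample process table are the example's assumptions.

```shell
#!/bin/sh
# Added example, not CYBERQUEST code: guards for KILL_PROCESS_BY_PID and
# KILL_PROCESS_BY_NAME when the target comes from event data. Assumes the
# listing is `ps -eo pid,comm` output; the sample table is constructed.

# A PID from an event must be a plain positive integer, and PID 1 is never
# a valid target.
valid_pid() {
    printf '%s' "$1" | grep -Eq '^[1-9][0-9]{0,9}$' && [ "$1" -ne 1 ]
}

# Print the command name of PID from a `ps -eo pid,comm` listing; return 1
# when the PID is not present.
comm_for_pid() {
    printf '%s\n' "$1" | awk -v p="$2" 'NR > 1 && $1 == p { print $2; found = 1 } END { exit !found }'
}

# KILL_PROCESS_BY_PID guard: the PID recorded in the event may have been
# reused by an unrelated process by the time the action runs, so the kill
# is only planned when the PID still runs the expected command name.
plan_kill_by_pid() {
    listing=$1 pid=$2 expected=$3
    valid_pid "$pid" || { echo "refused: bad pid '$pid'"; return 1; }
    actual=$(comm_for_pid "$listing" "$pid") || { echo "skip: pid $pid not running"; return 1; }
    [ "$actual" = "$expected" ] || { echo "skip: pid $pid is now '$actual', not '$expected'"; return 1; }
    echo "kill -TERM $pid"
}

# KILL_PROCESS_BY_NAME guard: match the command name exactly (a substring
# match on "sh" would also hit sshd and bash), never PID 1, and show every
# PID the action would terminate before it runs.
plan_kill_by_name() {
    listing=$1 name=$2
    printf '%s' "$name" | grep -Eq '^[A-Za-z0-9._-]{1,15}$' || { echo "refused: bad name '$name'"; return 1; }
    pids=$(printf '%s\n' "$listing" | awk -v n="$name" 'NR > 1 && $2 == n && $1 != 1 { print $1 }')
    [ -n "$pids" ] || { echo "skip: no process named '$name'"; return 1; }
    echo "kill -TERM $(echo $pids)"
}

# Constructed `ps -eo pid,comm` listing for the demonstration.
SAMPLE_PS='  PID COMMAND
    1 systemd
  842 sshd
 1337 nc
 2201 python3
 2202 python3'

plan_kill_by_pid "$SAMPLE_PS" 1337 nc
plan_kill_by_pid "$SAMPLE_PS" 1337 bash || true
plan_kill_by_pid "$SAMPLE_PS" 9999 nc || true
plan_kill_by_pid "$SAMPLE_PS" '1337;reboot' nc || true
plan_kill_by_name "$SAMPLE_PS" python3
plan_kill_by_name "$SAMPLE_PS" sh || true
```

SIGTERM is planned rather than SIGKILL so the process can exit cleanly; a follow-up check with comm_for_pid on a fresh listing tells whether an escalation to SIGKILL is still needed.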

12.LinuxActions.CQ_SERVICES_STATUS

This action checks the status of CyberQuest services on a specified host, using the following parameters:

  • Host - Specifies the target system where the service status check will be performed.
  • CredentialsGUID - Defines the credentials used to execute the status query.

Host:

  • Selects the system on which the CyberQuest service status will be checked. This can be the originating host or another designated system.

CredentialsGUID:

  • Indicates which stored credentials from the CYBERQUEST server are used to perform the action, selected from the available list.

13.LinuxActions.VALIDATE_CERTIFICATE

This action validates SSL/TLS certificates on a specified host using the following parameter:

  • Host - Specifies the target system where the certificate validation will be performed.

Host:

  • Selects the system on which the certificate validation process will be executed. This can be the originating host or another designated system.

14.LinuxActions.CHECK_IF_OS_IS_WINDOWS

This action checks whether the specified host is running a Windows operating system, based on the following parameter:

  • Host - Specifies the target system to verify the OS type.

Host:

  • Selects the system on which the OS check will be performed. This can be the originating host or another designated system.

15.WindowsActions.DISABLE_USER

This action disables a specific Windows user account on the target host, based on the following parameters:

  • TargetUser - Specifies the user account to be disabled
  • Host - Indicates the system where the user account will be disabled
  • CredentialsGUID - Defines the credentials used to perform the action

TargetUser:

  • Static Value - A fixed username can be provided directly to specify the user account to disable.
  • Properties - Supports dynamic selection of the user account from rule and event data (e.g., UserName field), enabling the action to target users identified in real time.

Host:

  • Static Value - A fixed host name or IP address can be set as the target system.
  • Properties - Allows dynamic selection of the host from rule and event information where the action will be executed.

CredentialsGUID:

  • Specifies the stored credentials used by CYBERQUEST to perform the action, selected from an available list.

16.WindowsActions.ENABLE_USER

This action enables a specific Windows user account on the target host, based on the following parameters:

  • TargetUser - Specifies the user account to be enabled
  • Host - Indicates the system where the user account will be enabled
  • CredentialsGUID - Defines the credentials used to perform the action

TargetUser:

  • Static Value - A fixed username can be provided directly to specify the user account to enable.
  • Properties - Supports dynamic selection of the user account from rule and event data (e.g., UserName field), enabling the action to target users identified in real time.

Host:

  • Static Value - A fixed host name or IP address can be set as the target system.
  • Properties - Allows dynamic selection of the host from rule and event information where the action will be executed.

CredentialsGUID:

  • Specifies the stored credentials used by CYBERQUEST to perform the action, selected from an available list.

17.WindowsActions.START_SERVICE

This action starts a specified Windows service on the target system, based on the following parameters:

  • TargetService - Identifies the service to be started
  • Host - Indicates the system where the service should be started
  • CredentialsGUID - Defines the credentials used to execute the action

TargetService:

  • Static Value - A specific service name can be provided directly (e.g., Spooler) to be started.
  • Properties - Allows dynamic identification of the service name using rule and event fields, enabling contextual response.

Host:

  • Static Value - A predefined hostname or IP address can be manually entered.
  • Properties - Allows dynamic selection of the host from rule and event information where the action will be executed.

CredentialsGUID:

  • Specifies which stored credentials from CYBERQUEST are used to start the service. The credentials are selected from a predefined list.

18.WindowsActions.STOP_SERVICE

This action stops a specified Windows service on the target system using the parameters below:

  • TargetService - Specifies the service to be stopped
  • Host - Indicates the system where the service is running
  • CredentialsGUID - Defines the credentials used to execute the action

TargetService:

  • Static Value - Enter the exact name of the service to be stopped (e.g., Spooler).
  • Properties - Dynamically determines the service name from event context fields, allowing context-aware service control.

Host:

  • Static Value - Manually specify a fixed host (hostname or IP).
  • Properties - Allows dynamic selection of the host from rule and event information where the action will be executed.

CredentialsGUID:

  • Selects the credential from the CYBERQUEST server used to authenticate and perform the action. Credentials are chosen from a predefined list.

19.WindowsActions.RESTART_SERVICE

This action restarts a specific Windows service on a designated host, based on the following parameters:

  • TargetService - Defines the Windows service that will be restarted
  • Host - Specifies the system where the service restart will be executed
  • CredentialsGUID - Indicates the credentials used to authenticate and perform the action

TargetService:

  • Static Value - A fixed service name can be entered directly in the Static Value field to identify the service to restart.
  • Properties - Allows dynamic selection of the service name from a rule and event instance, making the action responsive to contextual event data.

Host:

  • Static Value - A specific host name can be entered directly to identify where the service will be restarted.
  • Properties - Dynamically retrieves the host from the rule or event data, targeting the system that triggered the alert.

CredentialsGUID:

  • Specifies which stored credentials from the CYBERQUEST server will be used to perform the operation. The appropriate credential (e.g., AgentWindows) is selected from a predefined list.