Custom actions for CRE responses

You can add your own script that runs as a part of a custom action when a custom rules engine (CRE) rule is triggered.

The following scripting languages are supported:

  • Bash version 4.1.2
  • Perl version 5.10.1
  • Python version 2.7.9

You can use the base libraries of these languages to perform custom operations on data that is passed directly from the event that triggered the rule.

Create custom actions by using the Define Actions window on the Admin tab. You can also create custom actions by using the /api/analytics/custom_actions REST endpoints. The following sample is an example of a custom action JSON file that the GET /api/analytics/custom_actions/actions endpoint returns.

{
    "id": 1004,
    "interpreter": 1,
    "description": "Custom action containing two parameters",
    "name": "custom_action_1",
    "script": 43,
    "parameters": [
        {
            "encrypted": false,
            "name": "fixedParam",
            "value": "Hello World!",
            "parameter_type": "fixed"
        },
        {
            "encrypted": false,
            "name": "dynamicParam",
            "value": "sourceip",
            "parameter_type": "dynamic"
        }
    ]
}

The two JSON objects in the parameters field represent the parameters that are passed to your script when it runs. Two types of parameters are supported:

  • Fixed parameters are constant values that are passed to your script as is. For example, if the fixedParam parameter has a value of "Hello World!", your script receives the literal string "Hello World!".
  • Dynamic parameters name an event property in their value field, and the property is extracted from the event that triggered the CRE rule. For example, if the dynamicParam parameter has a value of "sourceip", the value that your script receives is the source IP address of the event that triggered the rule.

Parameters are passed to scripts in the order that they are defined within the custom action. These parameters can then be accessed by using the supported methods for each language:

Bash

param1=$1 # First parameter
param2=$2 # Second parameter

Perl

my $param1 = $ARGV[0]; # First parameter
my $param2 = $ARGV[1]; # Second parameter

Python

import sys
param1 = sys.argv[1]  # First parameter (sys.argv[0] is the script name)
param2 = sys.argv[2]  # Second parameter

Example: Making a REST call to an external server

To make a REST call to an external server when a rule is triggered, write a script that passes the offending IP address from the event to that server. The server address and the credentials are fixed parameters, and the IP address is a dynamic parameter. The following JSON file is an example custom action:

{
    "id": 1004,
    "interpreter": 1,
    "description": "Custom action containing four parameters",
    "name": "custom_action_1",
    "script": 43,
    "parameters": [
        {
            "encrypted": false,
            "name": "serverIP",
            "value": "10.100.78.11",
            "parameter_type": "fixed"
        },
        {
            "encrypted": false,
            "name": "username",
            "value": "admin",
            "parameter_type": "fixed"
        },
        {
            "encrypted": true,
            "name": "password",
            "value": "ASDB231434DKSD#@SDA23SDD1",
            "parameter_type": "fixed"
        },
        {
            "encrypted": false,
            "name": "offendingIP",
            "value": "sourceip",
            "parameter_type": "dynamic"
        }
    ]
}

The following Bash script uses these parameters to pass the IP address to an external server. The variables are quoted in the curl call: the offendingIP value is taken from the event, so it is data that an attacker can influence, and an unquoted value would be subject to word splitting and globbing by the shell.

#!/bin/bash
# Assign parameters to variables, in the order defined in the custom action.
serverAddress=$1
username=$2
password=$3
offendingIP=$4
# Call the external server's REST endpoint with the supplied parameters.
curl -u "$username:$password" -i -H "Accept: application/json" -X POST \
     -d "ip=$offendingIP" "https://$serverAddress/some_service"
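The script above works, but it trusts the sourceip value completely and puts the password on the curl command line, where any local user can read it from the process list. The following is an added example (not code from the original page or from the product) of a hardened version of the same custom action: it receives the same four parameters in the same order, validates that the dynamic parameter is actually an IPv4 address before sending it, and hands the credentials to curl as a config file on stdin (the -K - option) instead of with -u. The /some_service endpoint is hypothetical, as in the text; the script uses only POSIX shell constructs, so it runs under the Bash 4.1.2 interpreter listed above.

```shell
#!/bin/bash
# Added example, not from the original page: a hardened version of the
# custom-action script. Parameters arrive in the order defined in the
# custom action: serverIP, username, password, sourceip.
set -eu

# Return 0 only if $1 is a dotted-quad IPv4 address with each octet 0-255.
# The sourceip value comes from the triggering event, so treat it as untrusted.
is_ipv4() {
    local ip octet old_ifs
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars or empty octets
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                              # split on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Escape a value for use inside a double-quoted entry in a curl config file
# (curl's config parser understands \" and \\ inside quotes).
curl_cfg_quote() {
    printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Post the offending IP to the external server. The credentials are passed
# to curl as a config file on stdin (-K -), so the password never appears in
# the process list the way "-u user:password" would.
notify_server() {
    local server user pass ip
    server=$1; user=$2; pass=$3; ip=$4
    if ! is_ipv4 "$ip"; then
        echo "refusing to send non-IPv4 value: $ip" >&2
        return 2
    fi
    printf 'user = "%s:%s"\n' "$(curl_cfg_quote "$user")" "$(curl_cfg_quote "$pass")" |
        curl --silent --show-error --fail -K - \
            -H "Accept: application/json" \
            --data-urlencode "ip=$ip" \
            "https://$server/some_service"     # hypothetical endpoint
}

# When QRadar runs the custom action, the four parameters are $1..$4.
if [ "$#" -eq 4 ]; then
    notify_server "$@"
fi
```

The --data-urlencode option makes curl send a POST with the value form-encoded, so even a value that passed validation cannot change the shape of the request body. If the dynamic parameter is changed to a property that is not an IP address (a username, a URL), replace is_ipv4 with a check that fits that property; the point is that every dynamic value is validated against what the script expects before it is used.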