Using the System Action Center

You use the System | Administration | System Action Center to create and manage rules that specify when system notifications are triggered and where they are sent. Triggered notifications always appear in the Notification Center, available under the icon in the main toolbar. You can also configure notifications to send emails to specified recipients, including both those defined in the System | Configurations | Recipients page and emails you specify on demand.

System notifications help you keep tabs on important system events in the following categories:

  • Case Management – Get notifications when cases are assigned, closed, escalated, created, updated, or have a score that meets or exceeds a specified threshold.

  • Connector Monitoring – Get notifications when specified connectors haven't sent data over a given time interval so you can address issues in real time.

  • Device Sensor Monitoring – Get notifications when device sensors are either offline or haven't sent data within a specified amount of time.

  • License Enforcement – Find out proactively when your license limits are approaching an undesirable state or have been exceeded.

  • License Usage – Get notifications when asset usage or ingestion usage exceeds specified thresholds.

Refer to Best Practices for the System Action Center for guidance on ways you can use the System Action Center effectively in your organization.

See the following sections for details on working with the System Action Center:

Required Privileges

The System Action Center is only available to accounts with both Root scope and the System | Administration | System Action Center privilege assigned to their profile in theSystem | Role-Based Access Control page. By default, this includes only the Super Admin role. The necessary privileges in the Role-Based Access Control page are shown below:

Working with the System Action Center Page

The System Action Center lists each of the defined system action rules in a standard Stellar Cyber table, as shown below.

The rules listed in the System Action Center are not affected by the Tenants filter in the main toolbar at the top of the display. All rules are shown.

System Action Center Fields

The System Action Center lists the defined notification rules with the following information:

  • Name – The name assigned to the rule when it was created.

  • Category – Rules are available in the following categories – Case Management, Connector Monitoring, Device Sensor Monitoring, License Enforcement, License Usage, .

  • Type – Each category of rule has multiple rule types available.

  • Description – Either the standard description of the rule provided by Stellar Cyber, or the description provided when the rule was created.

  • Creator – The user account that created the rule.

  • Status – Rules can be either Enabled or Disabled using the toggle in this column.

    Changes to a rule's status require a few minutes to take effect. During this time, for example, you may still receive notifications for a rule you have disabled.

    As described in About Built-In Rules, the built-in License Enforcement rules cannot be disabled.

  • Edit and Delete icons.

    As described in About Built-In Rules, the built-in rules cannot be deleted.

  • Clone – When you check a rule's box, a new Clone button appears that lets you make a copy of the selected rule for editing. This is useful when you want to create a new rule that is very similar to an existing rule.

In addition, the System Action Center supports standard Stellar Cyber table functionality:

  • Sort on column headers.

  • Click the "hamburger" menu available in a column header to add/remove columns or search a column.

  • Export the table in CSV format.

About Built-In Rules

The System Action Center lists both built-in rules and user-configured rules:

  • The built-in rules are as follows:

    Rule Category

    Built-In Rules
    License Enforcement

    • License in undesirable state

    • License limit exceeded
    License Usage

    • Asset Threshold Exceeded

    • Ingestion Threshold Exceeded

  • Built-in rules cannot be deleted. Because of this, they will not have a delete icon at the far right of their entry in the table, as is shown below for the first several rules.

  • Built-in rules can be edited (for example, if you want to add an email address for notifications for the rule).

  • The built-in License Monitoring rules can be disabled using the toggle in the Status column.

  • The built-in License Enforcement rules (License in undesirable state and License limit exceeded) cannot be disabled.

  • User-configured rules can be edited, deleted, and enabled/disabled. They always have the delete icon at the far right of their entry in the table.

Creating New System Notification Rules

You create a new system notification rule by clicking the Create button at the top of the System Action Center, selecting the category and type of rule you want to create from the menu that appears, and following the wizard's prompts. Alternatively, if you want to use an existing rule as a template for a new one, you can check the box for the source rule in the list and click the Clone button to create an editable copy.

Click the headings below for specific instructions on the type of rule you want to create:

Connector Monitoring rules notify you when specified connectors have not sent traffic over the time interval you configure. Use the following procedure to create a Connector Monitoring rule:

  1. Click the Create button at the top of the System Action Center and select Connector Monitoring | No data from connector(s) from the dropdown that appears.

    The Create Notification wizard starts with the Category set to Connector Monitoring and the Type set to No data from connector.

  2. Supply a name for your notification rule in the Name field.

  3. Select the Tenant to which the rule applies. By default, All Tenants are selected. Click anywhere in the Tenant field to display a pick list including all tenants available on the system where you can select the tenant to which this rule applies.

  4. You can either accept the system-provided Description or supply your own. The description supplied here appears in the System Action Center's table of rules.

  5. Click Next.

  6. Use the Connector Type(s) field to specify the types of connectors for which this rule will report inactivity.

    By default, all connector types are selected. You can remove a specific connector type by clicking the x in its entry in the field. You can also click anywhere in the field to display a pick list (shown below) that lets you check the boxes for the connector types you want to include in the rule. The pick list also includes a Select All option that lets you add all connector types back to the list if, for example, you removed all of them using the x at the upper right of the Connector Type(s) field.

  7. The entries in the Connector Type(s) field are broad types of connectors and not specific connectors themselves. You use the Excluded Connector(s) field to exclude specific connectors from the types selected in the Connector Type(s) field from the inactivity rule. The Excluded Connector(s) pick list shows you just the specific connectors belonging to the Types that are part of the rule you are creating.

    For example, in the figure below, we have only selected the Active Directory connector type. As you can see, the Excluded Connector(s) pick list shows us all of the specific Active Directory connectors defined on the system. You can use the pick list to check the boxes of any specific connectors you want to exclude from inactivity notifications in this rule.

  8. Use the Interval fields to specify the time window for the rule. You may be concerned if some connectors have not sent data in a manner of minutes, while others may not give you cause for concern over a period of days. The Interval controls let you specify both the units (Minutes, Hours, or Days) and the size of the time window. For example, we have specified an interval of two hours in the figure below:

  9. Click Next when you are ready to continue.

  10. Use the Actions step to specify how this rule notifies you when it is triggered:

    • All rules have In Platform enabled so that triggered instances appear in the Notification Center.

    • You can also enable email notifications in the Notification Type: Email field.

      • Use the Recipients field to specify who will receive a notification email when the rule is triggered. Click to display a pick list containing all email recipients configured in the System | Configurations | Recipients page. If you want to send an email to someone who is not already configured in the Recipients page, you can type addresses in manually.

      • Use the Subject field to specify the subject line of the email. If you want to use different subject lines for different recipients, you can click the Add Configuration button and add a second Email notification with a different subject line and set of addressees.

      The figure below shows a configured email notification:

  11. Click Next and review the settings for your notification rule. Use the Back button to go back and correct anything that's not quite right. When you are satisfied, click Submit to add your rule to the list.

    The rule appears in the System Action Center's list and is automatically Enabled.

Device Sensor Monitoring rules help you monitor the health of your device sensors, notifying you when they are either offline or haven't sent data within a specified amount of time. You can create the following types of Device Sensor Monitoring rules:

  • No data from device sensor(s) – This rule is triggered when a sensor has not sent a record with traffic within a specified interval.

  • Device sensor(s) offline – This rule is triggered when Stellar Cyber has not received a heartbeat message from a sensor within a specified interval.

Notice that these rules are monitoring for different types of inactivity. When a No data from device sensor(s) notification is generated, Stellar Cyber may still have contact with the affected sensor but is not receiving records with traffic. In the case of the Device sensor(s) offline notification, Stellar Cyber is not receiving heartbeats from affected sensors and has not had contact within the specified monitoring interval.

For both rule types, you can also specify a Mute Interval that specifies a window within which a repeated instance of the same notification will not be generated.

. Use the following procedure to create a Device Sensor Monitoring rule:

  1. Click the Create button at the top of the System Action Center and select Device Sensor Monitoring from the dropdown that appears.

  2. Select either Device sensor(s) offline or No data from device sensor(s), depending on the type of rule you want to create. See the start of this section for a description of the two rule types.

    The Create Notification wizard starts with the Category set to License Enforcement and the Type set to the selected rule type.

  3. Supply a name for your notification rule in the Name field.

  4. Select the Tenant to which the rule applies. By default, All Tenants are selected. Click anywhere in the Tenant) field to display a pick list including all tenants available on the system where you can select the tenant to which this rule applies.

  5. You can either accept the system-provided Description or supply your own. The description supplied here appears in the System Action Center's table of rules.

  6. Click Next.

  7. Set Advanced options for the rule. The available options are the same for both Device Sensor Monitoring rule types but use different defaults:

    • Excluded Sensor(s) – Use this dropdown to exclude specified sensors from monitoring by this rule. The list includes all sensors available to the tenant selected in the first step of the wizard.

    • Interval – Use these options to specify the interval over which the rule runs.

    • Mute Interval – Use these options to temporarily silence notifications from the rule for a specified amount of time. Once the rule is triggered, no new notifications will be generated from the same rule until the Mute Interval has passed.

      During the Mute Interval, Stellar Cyber still monitors the rule for signs of activity from the sensor and restarts the monitoring interval if they are detected. A new alert is only generated when the Mute Interval passes if no activity has been seen during the monitoring interval.

    The image below shows the Advanced step for a No data from device sensor(s) rule:

    The defaults for these options are as follows for each of the Device Sensor Monitoring rules:

    Device Sensor Monitoring Rule Type

    Default Interval

    		 Default Mute Interval
    No data from device sensor(s) One hour Not set
    Device sensor(s) offline Four hours 24 hours

  8. Use the Actions step to specify how this rule notifies you when it is triggered:

    • All rules have In Platform enabled so that triggered instances appear in the Notification Center.

    • You can also enable email notifications in the Notification Type: Email field.

      • Use the Recipients field to specify who will receive a notification email when the rule is triggered. Click to display a pick list containing all email recipients configured in the System | Configurations | Recipients page. If you want to send an email to someone who is not already configured in the Recipients page, you can type addresses in manually.

      • Use the Subject field to specify the subject line of the email. If you want to use different subject lines for different recipients, you can click the Add Configuration button and add a second Email notification with a different subject line and set of addressees.

      The figure below shows a configured email notification:

  9. Click Next and review the settings for your notification rule. Use the Back button to go back and correct anything that's not quite right. When you are satisfied, click Submit to add your rule to the list.

    The rule appears in the System Action Center's list and is automatically Enabled.

License Enforcement rules notify you about issues regarding your licenses. You can create the following types of License Enforcement rules:

  • License in undesirable state – This rule is triggered when your license enters the warning, violation, or out-of-compliance state. Refer to .Understanding License Compliance for details on each of these license states.

  • License limit exceeded – This rule is triggered when your license is exceeded on a given day, but remains below the 110% of usage that would put it in a warning state.

The system includes built-in License in undesirable state and License limit exceeded rules that can be neither disabled nor deleted. You can edit those rules to change who is notified by them or, alternatively, you can create additional License Enforcement rules using the procedure below to notify different sets of people with different emails.

. Use the following procedure to create a License Enforcement rule:

  1. Click the Create button at the top of the System Action Center and select License Enforcement from the dropdown that appears.

  2. Select either License in undesirable state or License limit exceeded, depending on the type of rule you want to create. See the start of this section for a description of the two rule types.

    The Create Notification wizard starts with the Category set to License Enforcement and the Type set to the selected rule type.

  3. Supply a name for your notification rule in the Name field.

  4. Select the Tenant to which the rule applies. By default, All Tenants are selected. Click anywhere in the Tenant field to display a pick list including all tenants available on the system where you can select the tenant to which this rule applies.

  5. You can either accept the system-provided Description or supply your own. The description supplied here appears in the System Action Center's table of rules.

  6. Click Next.

  7. Use the Actions step to specify how this rule notifies you when it is triggered:

    • All rules have In Platform enabled so that triggered instances appear in the Notification Center.

    • You can also enable email notifications in the Notification Type: Email field.

      • Use the Recipients field to specify who will receive a notification email when the rule is triggered. Click to display a pick list containing all email recipients configured in the System | Configurations | Recipients page. If you want to send an email to someone who is not already configured in the Recipients page, you can type addresses in manually.

      • Use the Subject field to specify the subject line of the email. If you want to use different subject lines for different recipients, you can click the Add Configuration button and add a second Email notification with a different subject line and set of addressees.

      The figure below shows a configured email notification:

  8. Click Next and review the settings for your notification rule. Use the Back button to go back and correct anything that's not quite right. When you are satisfied, click Submit to add your rule to the list.

    The rule appears in the System Action Center's list and is automatically Enabled.

License Usage rules notify you about issues regarding your licenses. You can create the following types of License Enforcement rules:

  • Asset threshold exceeded – This rule is triggered when your license's asset threshold is exceeded on a given day.

  • Ingestion threshold exceeded – This rule is triggered when your license's volume-based threshold is exceeded on a given day.

The system includes built-in Asset threshold exceeded and Ingestion threshold exceeded rules that cannot be deleted. You can disable these rules or edit them to change who is notified by them. Alternatively, you can create additional License Usage rules using the procedure below to notify different sets of people with different emails.

. Use the following procedure to create a License Usage rule:

  1. Click the Create button at the top of the System Action Center and select License Usage from the dropdown that appears.

  2. Select either Asset threshold exceeded or Ingestion threshold exceeded, depending on the type of rule you want to create. See the start of this section for a description of the two rule types.

    The Create Notification wizard starts with the Category set to License Usage and the Type set to the selected rule type.

  3. Supply a name for your notification rule in the Name field.

  4. Select the Tenant to which the rule applies. By default, All Tenants are selected. Click anywhere in the Tenant field to display a pick list including all tenants available on the system where you can select the tenant to which this rule applies.

  5. You can either accept the system-provided Description or supply your own. The description supplied here appears in the System Action Center's table of rules.

  6. Click Next.

  7. Select the Tenant to which the rule applies. By default, All Tenants are selected. Click anywhere in the Tenant field to display a pick list including all tenants available on the system where you can select the tenant to which this rule applies.

  8. Use the Threshold field to specify by how much the asset or ingestion threshold must be exceeded in order for this rule to be triggered:

    • Asset threshold exceeded – The threshold specifies the number of assets above the allowed threshold at which this notification is triggered.

    • Ingestion threshold exceeded – The threshold specifies the number of GB above the allowed threshold at which this notification is triggered.

  9. Click Next.

  10. Use the Actions step to specify how this rule notifies you when it is triggered:

    • All rules have In Platform enabled so that triggered instances appear in the Notification Center.

    • You can also enable email notifications in the Notification Type: Email field.

      • Use the Recipients field to specify who will receive a notification email when the rule is triggered. Click to display a pick list containing all email recipients configured in the System | Configurations | Recipients page. If you want to send an email to someone who is not already configured in the Recipients page, you can type addresses in manually.

      • Use the Subject field to specify the subject line of the email. If you want to use different subject lines for different recipients, you can click the Add Configuration button and add a second Email notification with a different subject line and set of addressees.

      The figure below shows a configured email notification:

  11. Click Next and review the settings for your notification rule. Use the Back button to go back and correct anything that's not quite right. When you are satisfied, click Submit to add your rule to the list.

    The rule appears in the System Action Center's list and is automatically Enabled.