Using the System Action Center

You use the System | Administration | System Action Center to create and manage rules that specify when system notifications are triggered and where they are sent. Triggered notifications always appear in the Notification Center, available under the icon in the main toolbar. You can also configure notifications to send emails to specified recipients, including both those defined in the System | Configurations | Recipients page and emails you specify on demand.

System notifications help you keep tabs on important system events in the following categories:

  • Case Management – Get notifications when cases are assigned, closed, escalated, created, updated, or have a score that meets or exceeds a specified threshold.

  • Connector Monitoring – Get notifications when specified connectors haven't sent data over a given time interval so you can address issues in real time.

  • Device Sensor Monitoring – Get notifications when device sensors are either offline or haven't sent data within a specified amount of time.

  • License Enforcement – Find out proactively when your license limits are approaching an undesirable state or have been exceeded.

  • License Usage – Get notifications when asset usage or ingestion usage exceeds specified thresholds.

Refer to Best Practices for the System Action Center for guidance on ways you can use the System Action Center effectively in your organization.

See the following sections for details on working with the System Action Center:

Required Privileges

The System Action Center is only available to accounts with both Root scope and the System | Administration | System Action Center privilege assigned to their profile in the System | Role-Based Access Control page. By default, this includes only the Super Admin role. The necessary privileges in the Role-Based Access Control page are shown below:

Working with the System Action Center Page

The System Action Center lists each of the defined system action rules in a standard Stellar Cyber table, as shown below.

The rules listed in the System Action Center are not affected by the Tenants filter in the main toolbar at the top of the display. All rules are shown.

System Action Center Fields

The System Action Center lists the defined notification rules with the following information:

  • Name – The name assigned to the rule when it was created.

  • Category – Rules are available in the following categories – Case Management, Connector Monitoring, Device Sensor Monitoring, License Enforcement, License Usage.

  • Type – Each category of rule has multiple rule types available.

  • Description – Either the standard description of the rule provided by Stellar Cyber, or the description provided when the rule was created.

  • Creator – The user account that created the rule.

  • Status – Rules can be either Enabled or Disabled using the toggle in this column.

    Changes to a rule's status require a few minutes to take effect. During this time, for example, you may still receive notifications for a rule you have disabled.

    As described in About Built-In Rules, the built-in License Enforcement rules cannot be disabled.

  • Edit and Delete icons.

    As described in About Built-In Rules, the built-in rules cannot be deleted.

  • Clone – When you check a rule's box, a new Clone button appears that lets you make a copy of the selected rule for editing. This is useful when you want to create a new rule that is very similar to an existing rule.

In addition, the System Action Center supports standard Stellar Cyber table functionality:

  • Sort on column headers.

  • Click the "hamburger" menu available in a column header to add/remove columns or search a column.

  • Export the table in CSV format.

About Built-In Rules

The System Action Center lists both built-in rules and user-configured rules:

  • The built-in rules are as follows:

    Built-In Rules by Rule Category

    • License Enforcement

      • License in undesirable state

      • License limit exceeded

    • License Usage

      • Asset Threshold Exceeded

      • Ingestion Threshold Exceeded

  • Built-in rules cannot be deleted. Because of this, they will not have a delete icon at the far right of their entry in the table, as is shown below for the first several rules.

  • Built-in rules can be edited (for example, if you want to add an email address for notifications for the rule).

  • The built-in License Monitoring rules can be disabled using the toggle in the Status column.

  • The built-in License Enforcement rules (License in undesirable state and License limit exceeded) cannot be disabled.

  • User-configured rules can be edited, deleted, and enabled/disabled. They always have the delete icon at the far right of their entry in the table.
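One way to review the rule inventory offline using the table's CSV export, checking that every category has at least one enabled rule and that the built-in License Enforcement rules are present and enabled. This is an added example, not Stellar Cyber code; it assumes the export has a header row named after the table columns (Name, Category, Type, Description, Creator, Status), that Status reads Enabled or Disabled, and that built-in rules keep their default names. The sample rows are constructed.

```python
import csv
import io

# Categories and built-in License Enforcement rules as listed on this page.
CATEGORIES = ["Case Management", "Connector Monitoring",
              "Device Sensor Monitoring", "License Enforcement", "License Usage"]
ENFORCEMENT_BUILTINS = ["License in undesirable state", "License limit exceeded"]

# Constructed sample export. Header names are ASSUMED to match the table's
# column names; user rule names, types and creators here are made up.
SAMPLE_CSV = """Name,Category,Type,Description,Creator,Status
License in undesirable state,License Enforcement,License in undesirable state,Built-in rule,admin,Enabled
License limit exceeded,License Enforcement,License limit exceeded,Built-in rule,admin,Enabled
Asset Threshold Exceeded,License Usage,Asset Threshold Exceeded,Built-in rule,admin,Disabled
Escalations to SOC lead,Case Management,Case escalated,Notify on escalation,analyst1,Enabled
Sensor silent 30m,Device Sensor Monitoring,Sensor offline,No data from sensor,analyst1,Disabled
"""


def audit_rules(csv_text):
    """Summarize notification coverage from an exported rule table."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    enabled_by_category = {}
    enabled_names = set()
    disabled = []
    for row in rows:
        name = row["Name"].strip()
        if row["Status"].strip().lower() == "enabled":
            category = row["Category"].strip()
            enabled_by_category[category] = enabled_by_category.get(category, 0) + 1
            enabled_names.add(name)
        else:
            disabled.append(name)
    return {
        # Categories with no enabled rule produce no notifications at all.
        "uncovered": [c for c in CATEGORIES if c not in enabled_by_category],
        # Disabled rules deserve a periodic "is this still intentional?" review.
        "disabled": disabled,
        # Built-ins cannot be deleted or disabled, so a gap here suggests a
        # filtered or incomplete export (or a renamed rule).
        "enforcement_gaps": [n for n in ENFORCEMENT_BUILTINS if n not in enabled_names],
    }


if __name__ == "__main__":
    for key, value in audit_rules(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```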

Creating New System Notification Rules

You create a new system notification rule by clicking the Create button at the top of the System Action Center, selecting the category and type of rule you want to create from the menu that appears, and following the wizard's prompts. Alternatively, if you want to use an existing rule as a template for a new one, you can check the box for the source rule in the list and click the Clone button to create an editable copy.

Click the headings below for specific instructions on the type of rule you want to create:

Creating a Case Management Notification Rule

Case Management rules notify you when specified case-related events take place. You can create rules that notify you when the following events related to cases take place:

  • Case assigned

  • Case closed

  • Case escalated

  • Case meets threshold

  • Case updated

  • New case created

The mechanics for creating a case management notification rule are mostly the same regardless of the specific type of rule you are creating. The differences are summarized in the procedure below:

  1. Click the Create button at the top of the System Action Center and select Case Management from the dropdown that appears.

  2. Select the type of Case Management notification rule you want to create.

    The Create Notification wizard starts with the Category set to Case Management and the Type set to the rule type you selected.

  3. Supply a name for your notification rule in the Name field.

  4. Select the Tenant to which the rule applies. By default, All Tenants are selected. Click anywhere in the Tenant field to display a pick list of all tenants available on the system, then select the tenant to which this rule applies.

  5. You can either accept the system-provided Description or supply your own. The description supplied here appears in the System Action Center's table of rules.

  6. Click Next.

  7. Use the Advanced step to specify details related to the type of case management rule you selected. The options are different for each rule type and are summarized in the table below:

    Case Management Rule Types: Description and Configuration Options

    • Case assigned

      Description: Generates a notification when a case's Assigned to field in the Case Details page changes.

      Configuration Options: Check the Send to case assignee box to send an email notification to the case's assignee in addition to any other email addresses you specify in the Actions step.

    • Case closed

      Description: Generates a notification when a case's Status is changed to Resolved in the Case Details page.

    • Case escalated

      Description: Generates a notification when a case's Status is changed to Escalated in the Case Details page.

    • Case meets threshold

      Description: Generates a notification when a case's score meets a threshold you specify.

      Configuration Options: Use the Score Threshold option to specify the case score at which this notification is generated.

    • Case updated

      Description: Generates a notification any time an update is made to a case.

      Configuration Options: Check the Send to case assignee box to send an email notification to the case's assignee in addition to any other email addresses you specify in the Actions step.

    • New case created

      Description: Generates a notification when a new case is created.

      Configuration Options: Use the Score Threshold option to set the minimum score at which new cases generate notifications. This lets you tune the noise level for the rule; a higher minimum threshold generates fewer notifications.

  8. Click Next when you are ready to continue.

  9. Use the Actions step to specify how this rule notifies you when it is triggered:

    • All rules have In Platform enabled so that triggered instances appear in the Notification Center.

    • You can also enable email notifications in the Notification Type: Email field.

      • Use the Recipients field to specify who will receive a notification email when the rule is triggered. Click to display a pick list containing all email recipients configured in the System | Configurations | Recipients page. If you want to send an email to someone who is not already configured in the Recipients page, you can type addresses in manually.

      • Use the Subject field to specify the subject line of the email. If you want to use different subject lines for different recipients, you can click the Add Configuration button and add a second Email notification with a different subject line and set of addressees.

      The figure below shows a configured email notification:

  10. Click Next and review the settings for your notification rule. Use the Back button to go back and correct anything that's not quite right. When you are satisfied, click Submit to add your rule to the list.

    The rule appears in the System Action Center's list and is automatically Enabled.

Links in Case Notification Emails

Notification emails sent from the System Action Center for Case Management events include a link to the case in the user interface. Refer to Ensuring that Links In System Action Center Emails Work Correctly for important configuration instructions to ensure that these links work correctly.

Preventing Duplicate Case Notification Emails

If you configure multiple Case assigned rules, you can prevent duplicate emails by making sure that only one of them has the Send to case assignee option enabled. Stellar Cyber helps you with this by disabling the option in cloned Case Management rules.

Ensuring that Links In System Action Center Emails Work Correctly

Notification emails sent from the System Action Center for Case Management events include a link to the corresponding case in the user interface. In order for these links to work correctly, you must specify the Stellar Cyber DP's publicly accessible IP address using the Publicly Accessible Authority option in the Global Settings section of the System | Settings page.

Using the System | Settings Page

  1. Navigate to the System | Settings page and scroll down to Global Settings.

  2. Enter the public IP address of the Stellar Cyber DP in the Publicly Accessible Authority field. This is the same IP address users enter in their browser to access the Stellar Cyber user interface. You only need to enter the IP address. For example:

  3. Click Submit to apply your settings.