Using the System Action Center

You use System | System Action Center to create and manage rules that specify when system notifications are triggered and where they are sent. Triggered notifications always appear in the Notification Center, available under the in the main toolbar. You can also configure notifications with both email and Slack actions to send messages to specified recipients, including both those defined in the System | Recipients page and those you specify manually on demand.

System notifications help you keep tabs on important system events in the following categories:

  • Case Management – Get notifications when cases are assigned, closed, escalated, created, updated, or have a score that meets or exceeds a specified threshold.

  • Cluster Health – Find out proactively when either the Data Analyzer (DA) or Data Lake (DL) cluster's health is in the red state.

  • Connector Monitoring – Get notifications when specified connectors haven't sent data over a given time interval so you can address issues in real time.

  • Data Storage Capacity – Find out when your data storage is reaching either its soft or hard cap.

  • Device Sensor Monitoring – Get notifications for different device sensor health issues (for example, no data or heartbeats).

  • Disk Capacity – Get notified when root disk usage is reaching its limit.

  • NFS Data Sink Capacity – Get notifications when an NFS Data Sink's storage is reaching either its soft or hard cap.

The following additional system notifications are available as part of an Early Access Program and may not be available in your version of the Stellar Cyber Platform. Contact your account manager to inquire about taking part in an Early Access Program.

  • Scheduled Report Monitoring – Get notifications when a scheduled report fails.

  • Server Sensor Monitoring – Get notifications when server sensors experience a change in status, stop sending data, or stop sending heartbeats.

  • User Modifications – Get notifications for a wide variety of events related to user accounts and RBAC policies.

Refer to Best Practices for the System Action Center for guidance on ways you can use the System Action Center effectively in your organization.

See the following sections for details on working with the System Action Center:

Required Privileges

The System Action Center is only available to accounts with both Root scope and the System | System Action Center privilege assigned to their profile in System | Role-Based Access Control. By default, this includes only the Super Admin role. The necessary privileges in the Role-Based Access Control page are shown below:

Working with the System Action Center Page

The System Action Center lists each of the defined system action rules in a standard Stellar Cyber table, as shown below.

The rules listed in the System Action Center are not affected by the Tenants filter in the main toolbar at the top of the display. All rules are shown.

Available System Action Rules

The table below summarizes the available System Action Rules. Further details on each rule type are provided later in the topic.

Some of the rules in the table are only available as part of an Early Access Program and may not appear in your version of the Stellar Cyber Platform. Contact your account manager to inquire about taking part in an Early Access Program.

Category

Name

Description

Default

Case Management Case assigned Notify user a case has been assigned to them. Disabled
Case Management Case closed Notify user that a case has been closed. Disabled
Case Management Case escalated Notify user that a case has been escalated. Disabled
Case Management Case meets threshold Notify users a case has met a desired notification threshold. Disabled
Case Management Case updated Notify user that a case has been updated to 'In Progress' status. Enabled
Case Management New case created Notify users of a new case has been created. Disabled
Connector Monitoring No data from connector(s) Get notified when any connector doesn't send data within a set amount of time. Enabled
Connector Monitoring Connector status change Get notified when the health status of any connector changes from healthy to unhealthy. Enabled
Device Sensor Monitoring No heartbeat from device sensor(s) Get notified when any device sensor doesn't send heartbeat within a set amount of time. Disabled
Device Sensor Monitoring No data from device sensor(s) Get notified when any device sensor doesn't send data within a set amount of time. Disabled
Device Sensor Monitoring Device sensor ingestion change Get notified when any device sensor ingestion changes unexpectedly. Disabled
Device Sensor Monitoring Device sensor status change Get notified when the health status of any device sensor changes to unhealthy. Disabled
Device Sensor Monitoring Device sensor feedback Get notified when any Device sensor sends a supported feedback message (for example, when a sensor has been upgraded). Disabled
Scheduled Report Monitoring Scheduled report failed Get notified whenever a scheduled report fails to execute successfully. Disabled
Server Sensor Monitoring No data from server sensor(s) Get notified when any server sensor doesn't send data within a set amount of time. Disabled
Server Sensor Monitoring No heartbeat from server sensor(s) Get notified when any server sensor doesn't send heartbeat within a set amount of time. Disabled
Server Sensor Monitoring Server sensor status change Get notified when the health status of any server sensor changes to unhealthy. Disabled
User Modifications Account lockout triggered Get notified whenever any user's account is locked due to login failures. Disabled
User Modifications Account password change Get notified whenever any password policy is changed. Disabled
User Modifications New RBAC profile created Get notified whenever a new RBAC profile is created. Disabled
User Modifications New user created Get notified when a new user is created. Disabled
User Modifications RBAC profile deleted Get notified whenever an RBAC profile is deleted. Disabled
User Modifications User RBAC privilege escalation Get notified whenever a user's privilege profile is escalated. Disabled
User Modifications User deleted Get notified when a user is deleted from the platform. Disabled
User Modifications User has disabled 2FA Get notified whenever a user disabled 2FA. Disabled

System Action Center Fields

The System Action Center lists the defined notification rules with the following information:

  • Name – The name assigned to the rule when it was created.

  • Category – Rules are available in the following categories – Case Management, Cluster Health, Connector Monitoring, Device Sensor Monitoring, Data Storage Capacity, Disk Capacity, NFS Data Sink Capacity, Scheduled Report Monitoring, Server Sensor Monitoring, and User Modifications.

  • Type – Each category of rule has multiple rule types available.

  • Tenant – The tenant to whom the notification rule belongs.

  • Description – Either the standard description of the rule provided by Stellar Cyber, or the description provided when the rule was created.

  • Creator – The user account that created the rule.

  • Status – Rules can be either Enabled or Disabled using the toggle in this column.

    Changes to a rule's status require a few minutes to take effect. During this time, for example, you may still receive notifications for a rule you have disabled.

  • Edit and Delete icons.

  • Clone – When you check a rule's box, a new Clone button appears that lets you make a copy of the selected rule for editing. This is useful when you want to create a new rule that is very similar to an existing rule.

    When you clone a Case Management rule, Stellar Cyber automatically disables the Send to case assignee option to help prevent duplicate emails.

In addition, the System Action Center supports standard Stellar Cyber table functionality:

  • Sort on column headers.

  • Click the "hamburger" menu available in a column header to pin, autosize, or reset columns.

  • Use the collapsible Filters tab to control what's displayed in the table.

  • Use the collapsible Columns tab to add/remove columns from the table.

  • Export the table in CSV format.

Creating New System Notification Rules

You create a new system notification rule by clicking the Create button at the top of the System Action Center, selecting the category and type of rule you want to create from the menu that appears, and following the wizard's prompts. Alternatively, if you want to use an existing rule as a template for a new one, you can check the box for the source rule in the list and click the Clone button to create an editable copy.

Click the headings below for specific instructions on the type of rule you want to create:

About System Notification Actions

When you create a new system notification rule using the instructions in the sections below, you always have the option of configuring actions for the rule. The System Action Center supports the following action types:

  • Email – Email actions send emails to specified recipients, including both those defined in the System | Recipients page and those you type into the wizard manually.

  • Slack – Slack actions send Slack messages to specified channels or recipients using the URL for an incoming webhook that you create in the Slack API. You can select a Slack recipient defined in the System | Recipients page or type in the URL for the incoming webhook manually.

Email and Slack messages both include a summary of the event that triggered the notification and a link back to the Stellar Cyber platform to a location that makes sense based on the type of notification that was generated. You can configure a rule with any combination of email and Slack messages, including multiple destinations.

In addition to performing any custom actions you configure, triggered notifications also always appear in the Notification Center, available under the icon in the main toolbar.

The contents of email and Slack messages are not yet configurable.

Creating a Case Management Notification Rule

Case Management rules notify you when specified case-related events take place. You can create rules that notify you when the following events related to cases take place:

  • Case assigned

  • Case closed

  • Case escalated

  • Case meets threshold

  • Case updated

  • New case created

The mechanics for creating a case management notification rule are mostly the same regardless of the specific type of rule you are creating. The differences are summarized in the procedure below:

  1. Click the Create button at the top of the System Action Center and select Case Management from the dropdown that appears.

  2. Select the type of Case Management notification rule you want to create.

    The Create Notification wizard starts with the Category set to Case Management and the Type set to the rule type you selected.

  3. Supply a name for your notification rule in the Name field.

  4. Select the Tenant to which the rule applies. By default, All Tenants are selected. Click anywhere in the Tenant field to display a pick list including all tenants available on the system where you can select the tenant to which this rule applies.

  5. You can either accept the system-provided Description or supply your own. The description supplied here appears in the System Action Center's table of rules.

  6. Click Next.

  7. Use the Advanced step to specify details related to the type of case management rule you selected. The options are different for each rule type and are summarized in the table below:

    Case Management Rule Type

    Description

    Configuration Options
    Case assigned

    Generates a notification when a case's Assigned to field in the Case Details page changes.

    Check the Send to case assignee box to send an email notification to the case's assignee. This email is sent in addition to any other email or Slack actions you specify in the Actions step.
    Case closed

    Generates a notification when a case's Status is changed to Resolved in the in the Case Details page.

    Case escalated

    Generates a notification when a case's Status is changed to Escalatedin the in the Case Details page.

    Case meets threshold

    Generates a notification when a case's score meets a threshold you specify.

    Use the Score Threshold option to specify the case score at which this notification is generated.
    Case updated

    Generates a notification any time an update is made to a case.

    Check the Send to case assignee box to send an email notification to the case's assignee. This email is sent in addition to any other email or Slack actions you specify in the Actions step.

    New case created

    Generates a notification when a new case is created.

    Use the Score Threshold option to set a minimum score threshold at which new case notifications generate notifications. This lets you tune the noise level for the rule; a higher minimum threshold generates fewer notifications.
  8. Click Next when you are ready to continue.

  9. Use the Actions step to specify how this rule notifies you when it is triggered:

    • All rules have In Platform enabled so that triggered instances appear in the Notification Center.

    • Click the Add Configuration button and choose whether to add an Email or Slack action, as illustrated below.

      The system only lets you add a Slack action if you have already added a publicly accessible domain in the System | Settings page.

    • Set the following options for an Email action in the Notification Type: Email section:

      • Use the Recipients field to specify who will receive a notification email when the rule is triggered. Click to display a pick list containing all email recipients configured in the System | Recipients page. If you want to send an email to someone who is not already configured in the Recipients page, you can also type addresses in manually.

      • Use the Subject field to specify the subject line of the email. If you want to use different subject lines for different recipients, you can click the Add Configuration button and add a second Email notification with a different subject line and set of addressees.

      The figure below shows a configured Email notification:

    • Set the following options for a Slack action in the Notification Type: Slack section:

      • Use the Recipients field to specify the Slack channel or user that will receive a message when the rule is triggered.

        You can click to display a pick list containing all Slack recipients configured in the System | Recipients page. You can also manually type in the URL for an incoming webhook that you create in the Slack API.

      The system only lets you add a Slack action if you have already added a publicly accessible domain in the System | Settings page.

      The figure below shows a configured Slack notification:

      Email and Slack messages both include a summary of the event that triggered the notification and a link back to the Stellar Cyber platform to a location that makes sense based on the type of notification that was generated. You can configure a rule with any combination of email and Slack messages, including multiple destinations.

  10. Click Next and review the settings for your notification rule. Use the Back button to go back and correct anything that's not quite right. When you are satisfied, click Submit to add your rule to the list.

    The rule appears in the System Action Center's list and is automatically Enabled.

Links in Case Notification Emails

Notification emails sent from the System Action Center for Case Management events include a link to the case in the user interface. Refer to Ensuring that Links In System Action Center Emails Work Correctly for important configuration instructions to ensure that these links work correctly.

Preventing Duplicate Case Notification Emails

If you configure multiple Case assigned rules, you can prevent duplicate emails by make sure that only one of them has the Send to case assignee option enabled. Stellar Cyber helps you with this by disabling the option in cloned Case Management rules.

 

Ensuring that Links In System Action Center Emails Work Correctly

Notification emails sent from the System Action Center for Case Management events include a link to the corresponding case in the user interface. In order for these links to work correctly, you must specify the Stellar Cyber DP's publicly accessible IP address in either the CLI or using the Publicly Accessible Authority option in the Global Settings section of the System | Settings page.

You must also configure a Publicly Accessible Authority in order to be able to configure Slack actions. The Create Notification wizard will not let you configure a Slack action until you do so.

Using the System | Settings Page

  1. Navigate to the System | Settings page and scroll down to Global Settings.

  2. Enter the public IP address of the Stellar Cyber DP in the Publicly Accessible Authority field. This is the same IP address users enter in their browser to access the Stellar Cyber user interface. You only need to enter the IP address. For example:

  3. Click Submit to apply your settings.