Response Component

The response component does not have the boolean logic concept. It is simply a list of actions to take when the Detection component matches.

The action type is specified in the action parameter. Possible actions are as follows.

task

This action sends the task (as described here) in the command parameter to the sensor from which the event under evaluation is from.

Example:

{ "action": "task", "command": "history_dump" }

report

report reports the match as a detection. This means that the content of this event will be bubbled up to the Detection Output stream. Think of it as an alert. It takes a name parameter that will be used as a detection category and a publish parameter that when set to false means the report won't be published to the Output stream.

This last distinction about the publish parameter is important because the detections created by the report action feed back into the D&R rules so that more complex rules can handle more complex evaluations of those. Setting the publish to false means that this detection is only used as an intermediary and should not be reported. When fed back, the event_type is set to _DETECTIONNAME.

add tag, remove tag

These two actions associate and disassociate the tag found in the tag parameter for the given sensor. The "add tag" operation can also optionally take a "ttl" parameter that is a number of seconds the tag should remain applied to the agent.

Example:

{ "action": "add tag", "tag": "vip", "ttl": 30 }