Step 10. Create and Assign Actions

For an introduction to Actions, see What are Actions?.

By default, the TLC installer creates two Tripwire-defined Actions:

An enabled Email ActionA type of ActionA TLC object that initiates a response to Correlated Events created by Correlation Rules. that sends an email notification to specified recipients. configured to send email alerts to the address entered for the Administrator account when TLC was installed.

A disabled Notification ActionA type of Action that creates a Notification in the Notifications dialog of the TLC Console1. Tripwire Log Center Console is the software for the TLC graphic user interface (GUI), or 2. The Tripwire Log Center GUI. Through the TLC Console, you can configure TLC, oversee your TLC environment, and manage log and event data.. with no defined notifications.

In this step, you will configure these Actions and create your own. You will then assign an Action as an Output in a new Correlation RuleConstructed with a flowchart consisting of an Input, DecisionA component of a Correlation Rule, a Decision defines a condition that determines if the rule continues correlating a log message.(s), and Output(s), a CorrelationThe examination of Normalized Messages for events of interest, along with the ability to initiate appropriate responses; for example, sending an email notification to specified recipients. Rule correlates log messages to identify events of interest..

To configure the Tripwire-defined Email Action or Notification Action, or to create a new Action:

1.

In the side bar, select Resources >Configuration ManagerIn the Configuration Manager, you can create and configure TLC Resources (Assets, AssetAn object in TLC that represents a Log Source from which TLC collects log messages directly. Groups, Managers, Locations, Event1. Either a log message that a Manager has standardized (i.e. normalized) for use by TLC (a.k.a. Normalized Messages), or an event or vulnerability imported from a scanner. 2. An 'event message' collected from a Log Source.-Management Databases), normalization objects (NormalizationThe process of standardizing log messages for use by TLC. Standardized messages are known as Normalized Messages. Rules, Aliases, and Normalized-Message Filters), and correlation objects (Correlation Engines, Rules, Lists, and Actions)..

2.

In the side bar of the Configuration Manager, select Correlation > Actions.

3.

To create an Action, clickCreate Action.

To edit an existing Action, double-click the Action in the workspace.

For further details, see Working with Actions.

To create a new Correlation Rule with one of your Actions as an Output:

1.

In the side bar, select Resources >Configuration Manager.

2.

In the side bar of the Configuration Manager, select Correlation >Rules.

3.

ClickCreate rule.

For further details, see Working with Correlation Rules.