This document will detail how you can set up a Real Time Response to a Subscribed Event.

Subscribe to Event

The first step is to subscribe to an event that you are alerting on from your SIEM / monitoring technology.

  • Log into your CyberRiskAware portal, i.e. {company-name}
  • Navigate to Real-Time Integrations -> Real-Time Response Events

  • Click the button Create Real-Time Response Event

  • In the form that is presented:
    • Select the Trigger Type you are interested in. This should tie to the monitoring technology that you are using.
    • For the Event Name, it is important that you provide the exact name of the alert from your monitoring technology. This is the link between the actual alert and the subscription that is being created.
    • Finally, ensure the Active field is set to Yes.

  • Click Save

Associating an Automated Response to the subscription

  • After creating the Real-Time Response Event you will be presented with a grid of the created Event Subscriptions.
  • To the right of the record you have just created, select the details button and then Action List.

  • Click the button Create Real-Time Response Action

  • In the form that is presented:
    • Select the appropriate Action Type
      • Training - Will generate a Training Campaign for the user that triggered the action.
      • Organization Message - Will email the user a pre-configured email message.
    • Action Level:
      • Trigger Once - Will only perform the action the first time the event is triggered.
      • Trigger after N events - Will trigger after the alert has reached the threshold.
      • Trigger Always - Will perform the action every time the alert is triggered.
    • Trigger On
      • Here you can specify a particular day or days of the week, month(s) of the year that the event subscription is active on. For example, if we set this similar to the following:

This would only apply the action if the event occurs on the 10th or 23rd of a month. 

  • Suppression Period
    • The suppression period dictates how long a cooling-off period is applied before listening for the next event. Any event that occurs within the suppression period will not be counted. The default here is 0 minutes (no suppression period). This period can be useful if events are being triggered in duplicate by the SIEM or monitoring tool.
  • Depending on the Action type that has been selected, the form will dynamically update. 
    • If you have selected Training, you will need to select the actual training item to be sent out as well as a name for the campaign.
    • If you select Organization Message, you will need to select and preview the Organization Message you wish to send out.
  • Click Save Event Action.

This will effectively create a subscription to a Real Time event and associate an Action.
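
To sanity-check a planned configuration against a sample of SIEM alerts before saving it, the following added example (not CyberRiskAware code) models the settings described above and replays a constructed alert stream through them. It assumes case-sensitive exact name matching, a suppression period measured from the last counted event, Trigger On evaluated before counting, and Trigger after N firing once when N is reached; the event name "USB Device Inserted" is made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Subscription:
    """Assumed local model of one event subscription and its action settings."""
    event_name: str
    active: bool = True
    action_level: str = "always"            # "once" | "after_n" | "always"
    threshold: int = 1                      # N for "after_n"
    suppression: timedelta = timedelta(0)   # default: 0 minutes, no suppression
    days_of_month: frozenset = frozenset()  # Trigger On; empty means any day
    count: int = 0
    last_counted: Optional[datetime] = None

    def handle(self, alert_name, when):
        """Classify one incoming alert and update the counters."""
        if not self.active:
            return "inactive"
        if alert_name != self.event_name:   # assumption: case-sensitive exact match
            return "name mismatch"
        if self.days_of_month and when.day not in self.days_of_month:
            return "outside Trigger On"
        if self.last_counted is not None and when - self.last_counted < self.suppression:
            return "suppressed"             # not counted towards the threshold
        self.last_counted, self.count = when, self.count + 1
        if self.action_level == "once":
            fires = self.count == 1
        elif self.action_level == "after_n":
            fires = self.count == self.threshold  # assumption: fires when N is reached
        else:
            fires = True
        return "action" if fires else "counted"

# Constructed sample alerts (event name and timestamps are made up).
T0 = datetime(2024, 5, 10, 9, 0)
SAMPLE = [
    ("USB Device Inserted", T0),
    ("USB Device Inserted", T0 + timedelta(seconds=30)),   # SIEM duplicate
    ("usb device inserted", T0 + timedelta(minutes=20)),   # name differs in case
    ("USB Device Inserted", T0 + timedelta(minutes=30)),
    ("USB Device Inserted", T0 + timedelta(days=1)),       # the 11th
]

def demo(suppression_minutes):
    """Replay SAMPLE with Trigger after 2 events, active on the 10th and 23rd."""
    sub = Subscription("USB Device Inserted", action_level="after_n", threshold=2,
                       suppression=timedelta(minutes=suppression_minutes),
                       days_of_month=frozenset({10, 23}))
    return [sub.handle(name, ts) for name, ts in SAMPLE]
```

With a 5 minute suppression period the duplicate is ignored and the action fires on the second genuine alert; with the default of 0 the duplicate reaches the threshold on its own.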