Set rule stage actions
Purpose: Configure an action by rule stage to send alerts.
Check the List: Ensure actions for rule stages are configured.
Why Important: Alerts will be sent based on the actions you configure.
Mobula offers a wide range of content that caters to the needs of information protection and network security. A staging mechanism has been established to control these capabilities effectively. The primary purpose of this mechanism is to categorize the various modes of operation into stages that facilitate ease of use, expand or reduce monitoring capabilities, reduce false positives, and more.
With the Staging module, the SOC Manager or Information Security Manager can define rules that trigger specific actions, such as sending an email or transferring to SOAR or the Mobula application, among others. Alternatively, rules can transition from an action-creating state to a state used for collecting events targeted toward lateral network views. Stages can be set to either Rule or Entity based on specific needs.
Follow the path to configure an action by rule stage for your entities.
We suggest configuring the “Active” and “Audit” stages to send alerts to the entity's email, after you have verified that the number of alerts is low, to avoid spamming your entity.
Follow the steps to configure the “Active” and “Audit” rule stages to take the necessary action.
/All Active Lists/Mobula Administration/Rule Actions/Actions Lists/1. Customer Actions (MSSP)/Customer Rule Actions By Stage
In the “Viewer” tab, click “+” at the top right.
Add the information:
Customer: Choose the entity.
Stage: Set the rule stage you want to make an action on. (See Available stages)
ActionID: Where to send the alerts. (See Available Action IDs)
Click Add to save.
Available stages
Active
Audit
Available Action IDs
MOBDB - Send alerts to Mobula application
MMAIL - Send alerts to Mail
ARCSO - Send alerts to ArcSight SOAR
MOAPP - Send push notifications to Mobula application users.
Log into your Mobula Platform Management (MPM) application and follow the steps to configure an action-by-rule stage for your entities.
We suggest configuring the “Active” and “AuditAlert” stages to send alerts to the entity's email, after you have verified that the number of alerts is low, to avoid spamming your entity.
Follow the steps to configure the “Active” and “Audit” rule stages to take the necessary action.
1. Navigate to “Entities” from the options menu (top left corner).
2. Choose an entity.
3. Scroll down to “Related Platform Action By Stages” and click “Add”.
4. Choose a stage (“Active”, “Audit”, etc.). You can find the full stage list here.
5. Choose an action and click Save.
Available Actions:
Mobula DB - sends alerts to the Mobula application, where they can be viewed.
Mobula Mail Service - sends alerts to the entity mailboxes that you configured.
Arcsight SOAR - sends alerts to the SOAR (only for ArcSight SOAR).
Mobula App - sends push notifications to application users.
If this is not configured correctly, your entities will not get alerts by email/application.