Alert Actions

Tenable Security Center automatically performs alert actions when an alert triggers. You can configure the following types of alert actions:

Tip: Use email alerts to interface with third-party ticketing systems by adding variables in the message option.

For more information, see Alerts.

Assign Ticket

When the alert triggers, Tenable Security Center creates a ticket and assigns the ticket to a user. For more information, see Tickets.

Option

Description

Default

Name

(Required) The name of the ticket.

Ticket opened by alert

Description

A description for the ticket.

--

Assignee

(Required) The user who receives the ticket.

--

Email

When the alert triggers, Tenable Security Center sends an email.

Option

Description

Default

Email

Subject

The alert email subject line.

Email Alert

Message

The body of the email message. You can include the following variables to customize the email:

  • Alert ID — Designated with the variable: %alertID%, this specifies the unique identification number assigned to the alert by Tenable Security Center.

  • Alert name — Designated with the variable: %alertName%, this specifies the name assigned to the alert (for example, “Test email alert”).

  • Trigger Name — Designated with the variable: %triggerName%, this specifies if the trigger is IP address count, Vulnerability count, or Port count.

  • Trigger Operator — Designated with the variable: %triggerOperator%, this specifies the operator used for the count: >=, =, >= or !=

  • Trigger value — Designated with the variable: %triggerValue%, this specifies the specific threshold value set that triggers the alert.

  • Calculated value — Designated with the variable: %calculatedValue%, this specifies the actual value that triggered the alert.

  • Alert Name — Designated with the variable: %alertName%, this specifies the name given to the alert within Tenable Security Center.

  • Alert owner — Designated with the variable: %owner%, this specifies the user that created the alert.

  • Tenable Security Center URL — Designated with the variable: %url%, this specifies the URL that you use to access Tenable Security Center. This is useful where the URL that users use to access Tenable Security Center differs from the URL known by Tenable Security Center.

The following sample email alert contains some of these keywords embedded into an HTML email:

Alert <strong>%alertName%</strong> (id #%alertID%) has triggered.

 

<strong>Alert Definition:</strong> %triggerName% %triggerOperator% %triggerValue%

<strong>Calculated Value:</strong> %calculatedValue%

 

Please visit your Tenable Security Center (<a href="%url%">%url%</a>) for more information.

This e-mail was automatically generated by Tenable Security Center as a result of alert <strong>%alertName%</strong> owned by <strong>%owner%</strong>.

 

If you do not wish to receive this email, contact the alert owner.

(see description)

Include Results

When enabled, Tenable Security Center includes the query results that triggered the alert (maximum of 500).

Disabled

Recipients

Users

The users who receive the alert email.

Tip: If you delete a user who receives alert emails, the action option for the alert turns red and Tenable Security Center displays a notification to the new alert owner with the new alert status. To resolve this, update the list of users in the alert email.

--

Email Addresses

Specifies additional email addresses to include in the alert email. For multiple recipients, add one email address per line or use a comma-separated list.

--

Generate Syslog

When the alert triggers, Tenable Security Center sends a custom message to a syslog server.

Option

Description

Default

Host

(Required) The host that receives the syslog alert.

--

Port

The UDP port used by the remote syslog server.

514

Severity

The severity level of the syslog messages (Critical, Notice, or Warning).

Critical

Message

(Required) The message Tenable Security Center sends with the syslog alert.

--

Launch Scan

When the alert triggers, Tenable Security Center launches an active scan from an existing active scan template. The active scan Schedule must be On Demand. For more information, see Active Scans and Active Scan Settings.

Option

Description

Default

Scan

(Required) The scan template Tenable Security Center uses for the alert scan.

Note: Tenable Security Center scans the host that triggered the scan, not the host within the scan template. Tenable Security Center uses the top 100 IP results from the alert query for the scan targets.

--

Launch Report

When the alert triggers, Tenable Security Center generates a report from an existing report template. For more information, see Reports.

Option

Description

Default

Report Template

(Required) The report template Tenable Security Center uses to generate a report based on the triggered alert data.

--

Notify Users

When the alert triggers, Tenable Security Center displays a notification to the specified users.

Option

Description

Default

Message

(Required) The notification message Tenable Security Center sends when the alert triggers.

--

Users

(Required) The users who receive the notification message.

--