Alert Actions

Tenable.sc automatically performs alert actions when an alert triggers. You can configure the following types of alert actions:

Tip: Use email alerts to interface with third-party ticketing systems by adding variables in the message option.

For more information, see Alerts.

Assign Ticket

When the alert triggers, Tenable.sc creates a ticket and assigns the ticket to a user. For more information, see Tickets.

| Option | Description | Default |
|---|---|---|
| Name | (Required) The name of the ticket. | Ticket opened by alert |
| Description | A description for the ticket. | -- |
| Assignee | (Required) The user who receives the ticket. | -- |

Email

When the alert triggers, Tenable.sc sends an email.

Option Description Default
Email

Subject

The alert email subject line.

Email Alert

Message

The body of the email message. You can include the following variables to customize the email:

  • Alert ID — Designated with the variable: %alertID%, this specifies the unique identification number assigned to the alert by Tenable.sc Director.
  • Alert name — Designated with the variable: %alertName%, this specifies the name assigned to the alert (for example, “Test email alert”).
  • Trigger Name — Designated with the variable: %triggerName%, this specifies if the trigger is IP address count, Vulnerability count, or Port count.
  • Trigger Operator — Designated with the variable: %triggerOperator%, this specifies the operator used for the count: >=, =, <= or !=
  • Trigger value — Designated with the variable: %triggerValue%, this specifies the specific threshold value set that triggers the alert.
  • Calculated value — Designated with the variable: %calculatedValue%, this specifies the actual value that triggered the alert.
  • Alert Name — Designated with the variable: %alertName%, this specifies the name given to the alert within Tenable.sc Director.
  • Alert owner — Designated with the variable: %owner%, this specifies the user that created the alert.
  • Tenable.sc URL — Designated with the variable: %url%, this specifies the URL that you use to access Tenable.sc Director. This is useful where the URL that users use to access Tenable.sc Director differs from the URL known by Tenable.sc Director.

The following sample email alert contains some of these keywords embedded into an HTML email:

    Alert <strong>%alertName%</strong> (id #%alertID%) has triggered.

    <strong>Alert Definition:</strong> %triggerName% %triggerOperator% %triggerValue%
    <strong>Calculated Value:</strong> %calculatedValue%

    Please visit your Tenable.sc Director (<a href="%url%">%url%</a>) for more information.

    This e-mail was automatically generated by Tenable.sc Director as a result of alert <strong>%alertName%</strong> owned by <strong>%owner%</strong>.

    If you do not wish to receive this email, contact the alert owner.

(see description)

Include Results

When enabled, Tenable.sc includes the query results that triggered the alert (maximum of 500).

Disabled
Recipients

Users

The users who receive the alert email.

Tip: If you delete a user who receives alert emails, the action option for the alert turns red and Tenable.sc displays a notification to the new alert owner with the new alert status. To resolve this, update the list of users in the alert email.

--

Email Addresses

Specifies additional email addresses to include in the alert email. For multiple recipients, add one email address per line or use a comma-separated list.

--
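
The tip about feeding a third-party ticketing system from the Message variables, shown as an added example (not Tenable code): the Message option holds an assumed key=value template, and the receiving side validates the rendered body before it opens a ticket. The field names, `render_for_test` and `parse_alert_body` are hypothetical, the example assumes the intake reads the body line by line, and all sample values are constructed.

```python
import re

# Assumed key=value layout for the alert's Message option (our choice, not a
# Tenable format). Tenable.sc substitutes the %variables% before sending.
MESSAGE_TEMPLATE = (
    "alert_id=%alertID%\n"
    "alert_name=%alertName%\n"
    "trigger_name=%triggerName%\n"
    "trigger_operator=%triggerOperator%\n"
    "trigger_value=%triggerValue%\n"
    "calculated_value=%calculatedValue%\n"
    "owner=%owner%\n"
    "url=%url%\n"
)
REQUIRED = [line.split("=", 1)[0] for line in MESSAGE_TEMPLATE.splitlines()]
VARIABLES = re.findall(r"%\w+%", MESSAGE_TEMPLATE)
OPERATORS = {">=", "<=", "=", "!="}
NUMERIC = ("alert_id", "trigger_value", "calculated_value")


def render_for_test(values):
    """Stand-in for Tenable.sc's substitution, used only to build sample mail."""
    return re.sub(r"%(\w+)%", lambda m: str(values[m.group(1)]), MESSAGE_TEMPLATE)


def parse_alert_body(body):
    """Validate a rendered alert body (untrusted input) into ticket fields."""
    fields = {}
    for line in body.strip().splitlines():
        key, sep, value = line.partition("=")
        if not sep or key not in REQUIRED:
            raise ValueError(f"unexpected line: {line!r}")
        if key in fields:
            # A name containing a newline could smuggle in a second field.
            raise ValueError(f"duplicate field: {key}")
        fields[key] = value.strip()
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if any(v in body for v in VARIABLES):
        raise ValueError("unsubstituted variable in body")
    if fields["trigger_operator"] not in OPERATORS:
        raise ValueError("unknown trigger operator")
    for key in NUMERIC:
        if not re.fullmatch(r"[0-9]{1,12}", fields[key]):
            raise ValueError(f"{key} is not a number")
        fields[key] = int(fields[key])
    if not fields["url"].startswith(("https://", "http://")):
        raise ValueError("url is not an http(s) link")
    return fields
```

Rejecting the message outright on any mismatch keeps a crafted alert name or owner from overriding fields in the ticket that gets created.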

Generate Syslog

When the alert triggers, Tenable.sc sends a custom message to a syslog server.

| Option | Description | Default |
|---|---|---|
| Host | (Required) The host that receives the syslog alert. | -- |
| Port | The UDP port used by the remote syslog server. | 514 |
| Severity | The severity level of the syslog messages (Critical, Notice, or Warning). | Critical |
| Message | (Required) The message Tenable.sc sends with the syslog alert. | -- |

Launch Report

When the alert triggers, Tenable.sc generates a report from an existing report template. For more information, see Reports.

| Option | Description | Default |
|---|---|---|
| Report Template | (Required) The report template Tenable.sc uses to generate a report based on the triggered alert data. | -- |

Notify Users

When the alert triggers, Tenable.sc displays a notification to the specified users.

| Option | Description | Default |
|---|---|---|
| Message | (Required) The notification message Tenable.sc sends when the alert triggers. | -- |
| Users | (Required) The users who receive the notification message. | -- |