Subscriptions & Actions
Actions are things you want to trigger when an event fires. For example, you might subscribe an action to a detection alert to notify your SOC, or subscribe an action to a system event to send a Slack message to the nzyme system administrators.
Any action can be subscribed to any event.
Info
Make sure to read the Alerting Overview page first. This will give you more context for subscriptions and actions.
Required Permissions
Because actions can be potentially harmful (think executed code, spam, etc., depending on the action type) and should be carefully thought through, only super administrators and organization administrators can create actions or subscribe them to events.
Creating Actions
Super administrators can create actions on the System - Events & Actions page. These actions can only be used by super administrators and can only be subscribed to system events.
Organization administrators can create and subscribe actions under Events & Actions on the System - Organization page. Actions created here can be subscribed to any detection event or organization system event. Any organization administrator can use these actions within their organization.
Subscribing Actions to Events
Subscribing to System Events
The Events & Actions pages for super administrators and organization administrators are very similar. The list of available system events has a column showing the number of subscribed actions. Use the Manage link to subscribe actions. Each action can only be subscribed once per event type, but it can be subscribed to as many event types as you want.
Subscribing to Detection Events
Super administrators and organization administrators subscribe actions to detection events on the Alerts - Subscriptions page. The UI is very similar to how you subscribe actions to system events (see above).
Because of how permission scoping works in nzyme, only organization actions can be subscribed to detection events.
Detection Event Wildcard Subscriptions
Detection events support wildcard action subscriptions. If you subscribe an action to the "Wildcard Event", it will be triggered by any type of detection event. This is useful and saves time if you don't want to individually assign an action to every single detection event type.