Initiating actions with Automated Response alerts

As a BMC AMI Command Center for Security administrator, you can automatically initiate specified actions by creating an Automated Response alert. An Automated Response alert is a defined alert condition that, when triggered, automatically sends a response request to BMC AMI Datastream. BMC AMI Datastream validates the request and, if warranted, issues the response.

First you define the responses that you want to request of the mainframe system, and then you configure the Automated Response alerts to trigger the response requests.

Example

An Automated Response alert is raised when an unauthorized user tries to edit the RACF database. A response request could be to cancel or revoke the TSO user ID (although this action might be considered disproportionate).

Configure alerts to be very specific and avoid requesting a disproportionate response.

Before you begin

You must log in with administrator credentials.

Make sure that you have defined response requests, as described in Sending-response-requests-to-BMC-AMI-Datastream.

To configure an Automated Response alert

Click Add New Alert and complete the following items:

Item	Description
Automated Response Alert section
Alert Title	Up to 80 characters of a descriptive title
Enabled	Whether to enable the Automated Response alert
Alert Match Parameters section
Match Facility	Messages from a specific facility or Any, which matches all facilities For information about user-defined facilities, see Correlation-Actions-environmental-variables.
Match Severity	Messages with specific severity or a range of severities Any matches all severities (regardless of the compare function). You can also define the severity with the following comparison operators: EQ—Equal to LE—Less than or equal to GE—Greater than or equal to NE—Not equal to Example EQ Error matches messages with only Error severity. GE Critical matches messages of Critical, Alert, and Emergency severity.
Match IP Addr / Group	Messages from an IP address, wildcard, or BMC Defender Server group name You can specify a range of devices to match. Example Specify 192.168.1.1 to match only that device pattern. Specify *10.3..* so that only devices on the 10.3 class-B subnetwork match the pattern. You can also match address groups (select Browse Groups) that are defined in the Correlation > Config > Address Groups** tab.
Match Expression	Message contains a keyword, wildcard, logical combination of keywords and wildcards, macro definitions, or logical combination of macro definitions For details, see Rules-for-basic-correlation-expressions
Alert Trigger Threshold section
Threshold	Number of counts per interval (SPE2201) The threshold must be in the range of 1 to 200 counts per interval (before SPE2201 the range of 1 to 50), where the interval is specified. The threshold condition is always greater than.
Test Interval	Number of seconds in which to test the threshold condition
Automated Response Request section
Forwarder	Preconfigured two-way communication network forwarder The response request is sent and received along this path. For information about network forwarders, see Setting-up-a-network-forwarder.
Request	Response request, as defined in the Sending-response-requests-to-BMC-AMI-Datastream topic After selecting the request, the defined required fields for that request are displayed.
Ticket Response section
Create Ticket	Whether to open a ticket (but the alert message is always sent) Specify one of the following options: Disabled (default)—no ticket is opened Enabled—a ticket is opened with the parameters set in this section
Assign Ticket To	Name of the ticket operator to whom the ticket is assigned By default, the ticket is assigned to the currently logged in user.
Alert Facility	Facility to associate with the alert message
Alert Severity	Severity to associate with the alert message
Alert Message / Ticket Text	Message text You might want to add a variable first (see Insert Alert Variable) and copy the variable. Add a message and paste the variable where you want it. Click Suggest to insert a message based on the selected request. You can modify the suggested message. To see open tickets, select the Tickets > Opened tab.
Insert Alert Variable	Variable to insert to the message text Select the variable and click Insert. The page refreshes and the variable is displayed in the message box, overwriting any existing content. When the alert is triggered, the alert replaces the variables with the name.

Click Save.

When an alert is triggered, it sends the response request with the specified field values to BMC AMI Datastream, which immediately returns acknowledgment of the request received.

After validation and execution (if deemed appropriate),BMC AMI Datastream sends a message with the response status.

The Automated Request tab's History column displays the request and response.

Tip

The Automated Response alert definitions do not support correlation threads or correlation triggers, but you can re-create the correlation thread criteria to use with an Automated Response alert.

You can also make Automated Response alerts react to alert messages from other sources, such as counters, devices, users, and patterns. In this way, you can extend the functionality of existing alerts without duplicating definitions.

Troubleshooting

If you do not receive the expected response, verify the following items:

The request action code matches a code configured in BMC AMI Datastream.
The alert is enabled.
The matching parameters are valid.
The threshold and test interval are valid.

Where to go from here

The Alerts > Automated Response page displays a summary of the configured Automated Response alerts and their history.

Make sure that the network forwarder is configured to send response request messages.