This action type can be used to execute a command when a correlated event triggers. You can set the following parameters:
Command
NOTE: For actions that execute a command or run a script, the command or script must reside in the $ESEC_HOME/config/exec or %ESEC_HOME%\config\exec folder on the Correlation Engine. Symbolic links on UNIX are not supported.
Arguments: These can include constants or references to event attributes in the last event (the event that caused the rule to fire).
NOTE: References to event attributes must use the values in the metatag column in [insert reference to ch. 5, Reference Guide] enclosed in % symbols. For example, Source IP would be %sip%.
Command actions can be created to perform a non-interactive action, such as modifying a firewall policy, entering a record in a database, or deactivating a user account. For an action that generates output, such as a command to run a vulnerability scan, the command should refer to a script that runs the command and then writes the output to a file.
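The following wrapper script is an added example, not part of the product documentation. It is meant for the UNIX exec folder and expects %sip% as its only argument: it validates that value before use (event attributes originate in logged data), runs the command non-interactively, and writes the output to a file. `SCAN_CMD`, `OUT_DIR`, and the function names are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper for a command action, called with %sip% as its only argument.
# SCAN_CMD and OUT_DIR are assumptions; point them at the real scanner and a writable directory.
SCAN_CMD="${SCAN_CMD:-echo scanning}"
OUT_DIR="${OUT_DIR:-${TMPDIR:-/tmp}/sentinel-action-out}"

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Run the command non-interactively and write its output to a per-event file.
# Prints the output file path on success; returns 2 on a rejected argument.
run_action() {
    sip=$1
    if ! valid_ipv4 "$sip"; then
        echo "rejected argument" >&2
        return 2
    fi
    mkdir -p "$OUT_DIR" || return 1
    out_file="$OUT_DIR/scan_${sip}_$(date +%Y%m%d%H%M%S).log"
    # SCAN_CMD is split into words on purpose; sip is passed as one quoted argument.
    $SCAN_CMD "$sip" >"$out_file" 2>&1 </dev/null || return 1
    printf '%s\n' "$out_file"
}

# Run only when the correlation action supplies an argument.
if [ "$#" -gt 0 ]; then
    run_action "$1"
fi
```

Because the argument is checked against a strict format and always passed quoted, a crafted attribute value cannot add extra commands or options to the action.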