I'm writing an integration for one of our security solutions.
I'm implementing an alert action, and I want the following to happen:
An alert is triggered regarding a certain endpoint (one that has a Forwarder installed on it)
The Search Head tells the Forwarder to run a script (the tricky part)
The Search Head receives the data the script created/gathered.
So I set up the Search Head as a Deployment server in order to deploy the scripts to the endpoints, which have a Universal Forwarder installed on them, but I don't know how to trigger that script to run after the alert is raised.
I thought about maybe defining a script input in the Forwarder's inputs.conf and then, every time it runs, checking somehow whether I need to run the script's core logic or not, but I'm not really sure how to signal to the Forwarder whether it needs to run the core logic or not.
If anyone has a suggestion, I would love to hear it.
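One way to implement the polling idea from the question, as an added example that is not from the original post or from Splunk: a scripted input (a `[script://...]` stanza with an `interval` in inputs.conf) that checks for a signal file, runs the core logic once per new alert id, records that id in a state file so repeated polls stay idle, and prints the gathered data as JSON events on stdout for the forwarder to index. The signal file format, its path and the state path are assumptions; the deployment server could ship the signal file inside an app.

```python
import json
import os
import socket
import tempfile

# Assumed locations (not Splunk conventions); a deployment-server app
# could drop the signal file under the forwarder's app directory.
SIGNAL_PATH = "/opt/splunkforwarder/etc/apps/alert_response/local/signal.json"
STATE_PATH = "/opt/splunkforwarder/var/alert_response_state.json"


def read_signal(signal_path):
    """Return the pending signal dict, or None if no signal file exists."""
    if not os.path.exists(signal_path):
        return None
    with open(signal_path) as fh:
        return json.load(fh)


def load_state(state_path):
    """Alert ids already acted on, so each signal triggers exactly once."""
    if not os.path.exists(state_path):
        return {"handled": []}
    with open(state_path) as fh:
        return json.load(fh)


def core_logic(signal):
    """Placeholder for the real collection work; one event per finding."""
    return [{"alert_id": signal["alert_id"], "host": socket.gethostname(),
             "action": signal.get("action", "collect"), "status": "done"}]


def run_once(signal_path, state_path):
    """One poll: run core logic only for an unseen alert id and return the
    events emitted (each also printed as a JSON line for the forwarder)."""
    signal = read_signal(signal_path)
    state = load_state(state_path)
    if signal is None or signal["alert_id"] in state["handled"]:
        return []
    events = core_logic(signal)
    state["handled"].append(signal["alert_id"])
    with open(state_path, "w") as fh:
        json.dump(state, fh)
    for event in events:
        print(json.dumps(event))
    return events


def demo():
    """Constructed run in a temp dir: first poll acts, second is a no-op."""
    workdir = tempfile.mkdtemp()
    sig = os.path.join(workdir, "signal.json")
    st = os.path.join(workdir, "state.json")
    with open(sig, "w") as fh:
        json.dump({"alert_id": "alert-0001", "action": "collect"}, fh)
    return len(run_once(sig, st)), len(run_once(sig, st))


if __name__ == "__main__":
    run_once(SIGNAL_PATH, STATE_PATH)
```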