Trigger types:
Define whether each trigger can fire due to attempted commands, session connections, or file modifications.

Trigger groups:
Organize triggers into groups (optional).

Trigger queries:
Define the conditions which cause triggers to fire. Queries use Cmd's CQL, which enables them to fire based on a wide range of variables such as the time of day, a connection's IP address, a session's duration, or particular syntax in an attempted command. Learn more by signing in to Cmd to view the CQL glossary.

Trigger actions:
Define what triggers do when fired. For example you can use the 'block command' or 'end session' actions to blacklist a particular command or user behavior. Alternatively, you can allow commands to execute, but use one of Cmd's many 'alert' actions to notify your team via the Cmd web app, email, or an integrated application like Microsoft Teams, xMatters, or Slack.

Alert level:
Every trigger creates an alert, and every alert has a user-defined 'alert level' ranging from 0 through 5. Higher levels represent more urgent alerts. Alerts with a risk level of 0 are called 'notices', and do not require resolution. Notices are designed for triggers which don't indicate security threats. For triggers which do protect against security threats, setting alert levels from 1-5 can help prioritize future investigations.