Triggers form the core of Cmd's pre-execution enforcement functionality. They enable you to create proactive, custom threat detection and prevention protocols that can prompt for two-factor authorization, create alerts, and perform many other actions. Because the Cmd agent sits above the kernel, you can use Cmd triggers to intercept system calls and affect commands pre-execution. New triggers are enforceable within seconds, making it easy to lock down your environment on the fly.

Trigger components and definitions

  • Trigger types:
    Define whether each trigger can fire due to attempted commands, session connections, or file modifications.

  • Trigger groups:
    Organize triggers into groups (optional).

  • Trigger queries:
    Define the conditions which cause triggers to fire. Queries use Cmd's CQL, which enables them to fire based on a wide range of variables such as the time of day, a connection's IP address, a session's duration, or particular syntax in an attempted command. Learn more by signing in to Cmd to view the CQL glossary.

  • Trigger actions:
    Define what triggers do when fired. For example you can use the 'block command' or 'end session' actions to blacklist a particular command or user behavior. Alternatively, you can allow commands to execute, but use one of Cmd's many 'alert' actions to notify your team via the Cmd web app, email, or an integrated application like Microsoft Teams, xMatters, or Slack.

  • Alert level:
    Every trigger creates an alert, and every alert has a user-defined 'alert level' ranging from 0 through 5. Higher levels represent more urgent alerts. Alerts with a risk level of 0 are called 'notices', and do not require resolution. Notices are designed for triggers which don't indicate security threats. For triggers which do protect against security threats, setting alert levels from 1-5 can help prioritize future investigations.


To learn more, see the rest of our triggers documentation:


Did this answer your question?