Triggers enable you to set up alerts, command blacklists, 2FA requirements, and other security rules. To make a new one:
Select Triggers from the menu at the top of the Cmd web app.
On the right side of the Triggers page, click Add Trigger.
Select the type of trigger to create:
- Command trigger:
Can fire due to attempts to execute commands.
- Session trigger:
Can fire due to attempts to connect to servers.
- File trigger:
Can fire due to attempts to change files.
Name your new trigger by editing the field which says "Untitled":
5. To provide more context to other users, edit the field where it says 'No
description' to add one.
6. If you wish to organize your triggers using groups, choose a group for your
trigger by clicking where it says Group: Generic.
Note: By default, Cmd will sort your trigger into the Generic category.
7. Next, create a trigger query to define when your trigger will fire. Click Add group
or Add property to add additional elements to your trigger query. To learn more
about how to define trigger queries, see Understanding CQL values.
8. Next, scroll to the 'Actions' section. This is where you'll decide what you'd like
Cmd to do when the trigger query conditions are met. To learn more about the
available trigger actions, see Trigger actions.
9. In the actions section, decide what alert risk level to associate with this trigger.
Risk level defaults to 0 (least risky). Alerts with non-0 risk levels require resolution
by a member of your team:
10. To add an additional action to the trigger, click + Add action, and choose an
action. For more information about each action, see Trigger actions.
11. Repeat step 10 as needed to add more actions.
12. When finished, click Save at the top of the page.
Repeat as necessary to add more triggers.