In this post I will highlight a useful feature for customizing action results.
When an action is executed, its outcome is evaluated against 2 criteria: Detection and Prevention.
- Prevented: An action is prevented (Prevented=True) when the destination actor does not receive the payload or expected result.
- Detected: An action is detected (Detected=True) when MSV Manager receives an event from one of the integrations that is successfully mapped to the executed action (same timestamp range, same src/dst IP or host, same port, etc.).
- Pass/Fail: The action is considered Pass or Fail depending on the configuration in Settings > Director Settings > Pass/Fail. The default configuration is "Either": State=Pass when Prevented=True OR Detected=True.
However, this behavior can be tuned at 3 levels:
- Globally for all actions.
- For specific VIDs (Verodin Action IDs).
- For specific dimensions (action categories).
You could tune your configuration to rely instead on both or either of the Detection and Prevention statuses.
For example, if you are concerned about the security posture of your environment, you could enforce a "Both" pass criterion so that an action's state is considered "Pass" only when it is both detected and prevented.
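
To see how the same results change state under "Either" and "Both", here is a small offline model of the evaluation described above. It is an added example, not MSV code or an MSV API. The class and function names, the VIDs and dimension names are constructed, and the precedence order (a VID setting over a dimension setting over the global setting) is an assumption the post does not state.

```python
from dataclasses import dataclass, field

# Pass criteria named in the post: "either" (the default) and "both".
CRITERIA = {
    "either": lambda prevented, detected: prevented or detected,
    "both": lambda prevented, detected: prevented and detected,
}

@dataclass(frozen=True)
class ActionResult:
    vid: str         # constructed placeholder, not a real Verodin Action ID
    dimension: str   # constructed category name
    prevented: bool
    detected: bool

@dataclass
class PassFailPolicy:
    global_criterion: str = "either"
    by_dimension: dict = field(default_factory=dict)
    by_vid: dict = field(default_factory=dict)

    def criterion_for(self, action):
        # Assumption: the most specific setting wins (VID, dimension, global).
        if action.vid in self.by_vid:
            return self.by_vid[action.vid]
        return self.by_dimension.get(action.dimension, self.global_criterion)

    def state(self, action):
        rule = CRITERIA[self.criterion_for(action)]
        return "Pass" if rule(action.prevented, action.detected) else "Fail"

def evaluate(policy, results):
    """Return {vid: "Pass" | "Fail"} for every action result."""
    return {r.vid: policy.state(r) for r in results}

# Constructed sample results covering all four Prevented/Detected combinations.
SAMPLE_RESULTS = [
    ActionResult("VID-0001", "Network", prevented=True, detected=True),
    ActionResult("VID-0002", "Network", prevented=True, detected=False),
    ActionResult("VID-0003", "Endpoint", prevented=False, detected=True),
    ActionResult("VID-0004", "Endpoint", prevented=False, detected=False),
]

if __name__ == "__main__":
    scoped = PassFailPolicy(by_dimension={"Endpoint": "both"},
                            by_vid={"VID-0003": "either"})
    for name, policy in [("either", PassFailPolicy()),
                         ("both", PassFailPolicy("both")),
                         ("scoped", scoped)]:
        print(name, evaluate(policy, SAMPLE_RESULTS))
```

Under "Both", the actions that were only prevented or only detected move from Pass to Fail, which is the gap a stricter criterion is meant to surface.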