Monitor Custom Actions
Create sophisticated custom threat response actions for enterprise security workflows.
Coming Soon
Detailed custom action patterns and examples are being written.
Overview
Custom actions allow you to define exactly how your application responds to security threats, enabling integration with:
- SIEM systems (Splunk, QRadar, Azure Sentinel)
- Incident management (PagerDuty, Opsgenie)
- Communication platforms (Slack, Teams, Email)
- Forensic tools
- Custom logging systems
Basic Custom Action
C#
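// Response action bound to debugger detection: report the threat, then terminate.
// Reporting is best effort; termination must not depend on it. With the exit call
// placed after the awaits, an exception or a stalled call in any reporting step
// would skip or postpone the exit and leave the flagged process running.
config.RegisterCustomAction("enterprise-response", async (threat) =>
{
    try
    {
        // Run the reporting steps on their own task and cap how long they may take.
        // An unreachable SIEM or alerting endpoint must not keep the process alive.
        // 10 seconds is an example budget; tune it to your environment.
        var reporting = Task.Run(async () =>
        {
            // 1. Log to SIEM
            await LogToSiemAsync(threat);
            // 2. Notify security team
            await SendSecurityAlertAsync(threat);
            // 3. Create forensic snapshot
            await CreateForensicSnapshotAsync();
        });

        // WhenAny returns when reporting finishes, faults, or the budget elapses;
        // it does not rethrow a reporting failure.
        await Task.WhenAny(reporting, Task.Delay(TimeSpan.FromSeconds(10)));
    }
    finally
    {
        // 4. Terminate, whether reporting succeeded, failed or timed out.
        Environment.Exit(-1);
    }
});

// Bind the action to the debugger-detection module.
// NOTE(review): intervalMs presumably sets the check interval (30 s here) — confirm
// against the Configuration API.
config.AddProtection(
    ProtectionModuleType.DebuggerDetection,
    "enterprise-response",
    intervalMs: 30000
);

Common Patterns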
SIEM Integration
C#
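// Sends one event describing the threat to a syslog collector, then terminates.
// The exit sits in a finally block so that a failed or stalled send cannot keep
// the process running after a threat has been reported.
config.RegisterCustomAction("siem-integration", async (threat) =>
{
    try
    {
        // NOTE(review): 514 is the conventional plaintext syslog port, so this event
        // may cross the network unencrypted and unauthenticated. If SyslogClient
        // offers a TLS transport, prefer it — confirm against its documentation.
        // Take the collector address from configuration rather than a literal.
        var syslogClient = new SyslogClient("siem.company.com", 514);

        var send = Task.Run(async () =>
        {
            await syslogClient.SendAsync(new
            {
                Severity = "CRITICAL",
                Application = "MyApp",
                ThreatType = threat.ModuleType.ToString(),
                Description = threat.Description,
                Timestamp = DateTime.UtcNow
            });
        });

        // Cap the wait: 5 seconds is an example budget. A send failure is not
        // rethrown here; the process exits either way.
        await Task.WhenAny(send, Task.Delay(TimeSpan.FromSeconds(5)));
    }
    finally
    {
        Environment.Exit(-1);
    }
});

Slack Notification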
C#
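// Posts a threat summary to a Slack incoming webhook, then terminates.
// The exit sits in a finally block so that a failed or slow post cannot keep
// the process running after a threat has been reported.
config.RegisterCustomAction("slack-alert", async (threat) =>
{
    try
    {
        // An incoming-webhook URL is a credential: anyone holding it can post to the
        // channel. Read it from configuration or a secret store instead of embedding
        // it in source. SLACK_WEBHOOK_URL is an example variable name.
        var webhookUrl = Environment.GetEnvironmentVariable("SLACK_WEBHOOK_URL");

        if (!string.IsNullOrWhiteSpace(webhookUrl))
        {
            // threat.Description is forwarded as-is; check that it carries nothing
            // that should not appear in a chat channel.
            var payload = new
            {
                text = "🚨 Security Threat Detected",
                attachments = new[]
                {
                    new
                    {
                        color = "danger",
                        fields = new[]
                        {
                            new { title = "Threat", value = threat.Description, @short = false },
                            new { title = "Module", value = threat.ModuleType.ToString(), @short = true },
                            // NOTE(review): ToString() with no format depends on the current
                            // culture if DetectedAt is a DateTime — confirm the type and
                            // consider a fixed format.
                            new { title = "Time", value = threat.DetectedAt.ToString(), @short = true }
                        }
                    }
                }
            };

            // Bound the request so an unreachable endpoint cannot delay termination.
            // 5 seconds is an example budget.
            using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(5) };
            await http.PostAsJsonAsync(webhookUrl, payload);
        }
    }
    finally
    {
        Environment.Exit(-1);
    }
});

Next Steps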
Actions & Responses
Learn about all action types
Configuration API
Configure protections via code
Protection Modules
Learn about protection modules