Understanding alert-linked scripts:

When a script is linked to an alert rule, the following happens automatically:

1. An incoming event matches the alert rule’s conditions
2. LT Auditor ^MP generates an alert
3. PowerShell Orchestrator immediately executes the linked script against the configured target
4. The script output is forwarded to LT Auditor ^MP and associated with the alert for investigation

This creates a closed-loop response — the alert fires, evidence is automatically collected, and the results are immediately available in the platform for review.

Common alert-linked script use cases:

[Your administrator should define the automated response workflows most relevant to your environment and configure them accordingly.]

Prerequisites:

Before linking a script to an alert rule, confirm the following:

• The alert rule is already created and active in LT Auditor ^MP (see Configuring Alert Rules)
• The script is already created and tested in the PowerShell Orchestrator script library (see Creating and Scheduling Scripts)
• The script’s target endpoint or cloud target is reachable and connected

Linking a script to an alert rule:

1. Log in to the LT Auditor ^MP Web UI
2. Navigate to Manage
3. Select the Environment and Category containing the alert rule
4. Locate the alert rule you want to link a script to and click the Edit icon
5. In the filter configuration, navigate to the Actions tab
6. Click Add Action
7. Select Run PowerShell Script as the action type
8. Configure the action:
   • Script — select the script from your PowerShell Orchestrator library
   • Target Override (optional) — if the script should run against the machine that generated the alert rather than a fixed target, enable dynamic targeting
   • Execution Delay (optional) — set a delay in seconds before the script runs, if needed
9. Click Save Action
10. Click Save to update the alert rule

The script will now run automatically every time this alert rule fires.

Using dynamic targeting:

By default, a linked script runs against the fixed target configured in the script definition. Dynamic targeting allows the script to instead run against the machine or user that generated the alert — making the response more relevant to the specific incident.

To enable dynamic targeting:

1. In the Run PowerShell Script action configuration, enable Dynamic Target
2. Select the field from the alert event that identifies the target:
   • Host — runs the script against the machine that generated the event
   • User — passes the affected username as a parameter to the script
3. Click Save

Dynamic targeting requires that the identified machine is already a registered managed endpoint in PowerShell Orchestrator. If the machine is not registered, the script will fail to execute.

Viewing alert-linked script execution results:

When an alert fires and triggers a linked script, the execution results are available in two places:

In the alert record:

1. Navigate to Alerts → Active Alerts or Alerts → Alert History
2. Open the alert that triggered the script
3. Scroll to the Automated Response section
4. View the script execution status and output directly within the alert record

In the execution log:

1. Navigate to Configure → PowerShell Orchestrator → Execution Log
2. Filter by Trigger Type — Alert to see all alert-triggered executions
3. Click any execution entry to view full output and status details

Managing alert-linked scripts:

Removing a script link from an alert rule:

1. Open the alert rule in Manage
2. Navigate to the Actions tab
3. Locate the Run PowerShell Script action
4. Click the Delete icon next to it
5. Click Save

Temporarily suspending automated responses: If you need to stop automated script execution without modifying the alert rule itself, disable the script in the script library:

1. Navigate to Configure → PowerShell Orchestrator → Scripts
2. Open the linked script
3. Toggle the Active switch to off
4. The alert rule will continue to fire alerts, but the script will not execute until re-enabled

Best practices:

• Start with read-only assessment scripts for automated responses before implementing any scripts that make changes to your environment — collect evidence first, remediate manually until you are confident in the automation
• Always test linked scripts manually using Run Now before activating the alert rule to confirm the output is as expected
• Use dynamic targeting where possible so automated responses are relevant to the specific machine or user involved in the alert
• Monitor the execution log regularly to confirm automated responses are firing correctly and producing useful output
• Set an appropriate execution delay for scripts that need the triggering event to fully complete before the assessment runs
• Document all alert-linked scripts and their intended purpose so the team understands what automated actions may occur in response to alerts
• Review linked scripts periodically to ensure they are still appropriate as your environment evolves

[Your administrator should establish a review process for automated response workflows, particularly any scripts that make changes to directory objects or account configurations.]