Blue Lance

Bluelance 2.0
Get a demo
View Categories

Linking Scripts to Alert Rules

5 min read

PowerShell Orchestrator can be configured to run scripts automatically in response to security alerts generated by LT Auditor MP. This allows you to build automated remediation and investigation workflows โ€” for example, automatically pulling a full group membership report the moment an unauthorized change to a privileged group is detected, or disabling a user account when a lockout threshold is exceeded.

Understanding alert-linked scripts:

When a script is linked to an alert rule, the following happens automatically:

  1. An incoming event matches the alert rule’s conditions
  2. LT Auditor MP generates an alert
  3. PowerShell Orchestrator immediately executes the linked script against the configured target
  4. The script output is forwarded to LT Auditor MP and associated with the alert for investigation

This creates a closed-loop response โ€” the alert fires, evidence is automatically collected, and the results are immediately available in the platform for review.

Common alert-linked script use cases:

Alert RuleLinked ScriptPurpose
Member added to Domain AdminsDomain Admins Membership AssessmentCapture the full group membership at the time of the change
User account lockout threshold exceededAccount Status CheckRetrieve current account status and recent logon history
New local admin account createdLocal Admin Accounts AssessmentPull a full list of local admins on the affected machine
Entra ID role assignment changeEntra ID Role Assignments AssessmentCapture current role assignments at time of change
Suspicious sign-in detectedAccount Activity AssessmentRetrieve recent sign-in history for the affected account

[Your administrator should define the automated response workflows most relevant to your environment and configure them accordingly.]

Prerequisites:

Before linking a script to an alert rule, confirm the following:

  • The alert rule is already created and active in LT Auditor MP (see Configuring Alert Rules)
  • The script is already created and tested in the PowerShell Orchestrator script library (see Creating and Scheduling Scripts)
  • The script’s target endpoint or cloud target is reachable and connected

Linking a script to an alert rule:

  1. Log in to the LT Auditor MP Web UI
  2. Navigate to Manage
  3. Select the Environment and Category containing the alert rule
  4. Locate the alert rule you want to link a script to and click the Edit icon
  5. In the filter configuration, navigate to the Actions tab
  6. Click Add Action
  7. Select Run PowerShell Script as the action type
  8. Configure the action:
    • Script โ€” select the script from your PowerShell Orchestrator library
    • Target Override (optional) โ€” if the script should run against the machine that generated the alert rather than a fixed target, enable dynamic targeting
    • Execution Delay (optional) โ€” set a delay in seconds before the script runs, if needed
  9. Click Save Action
  10. Click Save to update the alert rule

The script will now run automatically every time this alert rule fires.

Using dynamic targeting:

By default, a linked script runs against the fixed target configured in the script definition. Dynamic targeting allows the script to instead run against the machine or user that generated the alert โ€” making the response more relevant to the specific incident.

To enable dynamic targeting:

  1. In the Run PowerShell Script action configuration, enable Dynamic Target
  2. Select the field from the alert event that identifies the target:
    • Host โ€” runs the script against the machine that generated the event
    • User โ€” passes the affected username as a parameter to the script
  3. Click Save

Dynamic targeting requires that the identified machine is already a registered managed endpoint in PowerShell Orchestrator. If the machine is not registered, the script will fail to execute.

Viewing alert-linked script execution results:

When an alert fires and triggers a linked script, the execution results are available in two places:

In the alert record:

  1. Navigate to Alerts โ†’ Active Alerts or Alerts โ†’ Alert History
  2. Open the alert that triggered the script
  3. Scroll to the Automated Response section
  4. View the script execution status and output directly within the alert record

In the execution log:

  1. Navigate to Configure โ†’ PowerShell Orchestrator โ†’ Execution Log
  2. Filter by Trigger Type โ€” Alert to see all alert-triggered executions
  3. Click any execution entry to view full output and status details

Managing alert-linked scripts:

Removing a script link from an alert rule:

  1. Open the alert rule in Manage
  2. Navigate to the Actions tab
  3. Locate the Run PowerShell Script action
  4. Click the Delete icon next to it
  5. Click Save

Temporarily suspending automated responses: If you need to stop automated script execution without modifying the alert rule itself, disable the script in the script library:

  1. Navigate to Configure โ†’ PowerShell Orchestrator โ†’ Scripts
  2. Open the linked script
  3. Toggle the Active switch to off
  4. The alert rule will continue to fire alerts, but the script will not execute until re-enabled

Best practices:

  • Start with read-only assessment scripts for automated responses before implementing any scripts that make changes to your environment โ€” collect evidence first, remediate manually until you are confident in the automation
  • Always test linked scripts manually using Run Now before activating the alert rule to confirm the output is as expected
  • Use dynamic targeting where possible so automated responses are relevant to the specific machine or user involved in the alert
  • Monitor the execution log regularly to confirm automated responses are firing correctly and producing useful output
  • Set an appropriate execution delay for scripts that need the triggering event to fully complete before the assessment runs
  • Document all alert-linked scripts and their intended purpose so the team understands what automated actions may occur in response to alerts
  • Review linked scripts periodically to ensure they are still appropriate as your environment evolves

[Your administrator should establish a review process for automated response workflows, particularly any scripts that make changes to directory objects or account configurations.]

active directory, alert actions, alert linked scripts, alert rules, alert triggered, alerts, assessment scripts, automated remediation, automated response, automation, closed loop response, compliance, configuration, domain admins, dynamic targeting, entra id, execution alerts, execution delay, getting started, monitoring, powershell, powershell orchestrator, remediation, response workflow, script library, script linking, scripts, windows

Powered by BetterDocs

Newsletter

Let's get started and
enjoy the power of LT Auditor MP

ยฉ Copyright , BLUE LANCE 2.0. All Rights Reserved.

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by