Creating a Rule from Search

With the search result displayed in Analytics, follow the steps below to create a rule:

  1. From the Actions drop-down, select Create Rule.
  2. A rule template is created automatically by copying over the important Search parameters:
    1. The Rule Sub-pattern Filters contain the Search Filter conditions.
    2. The Rule Sub-pattern Group By contains the Search Display conditions.
    3. The Rule Aggregate Conditions are set to COUNT(Matched Events) >= 1.
  3. To complete the rule creation, configure the settings in the Create Rule window with reference to the table below:

    | Setting | Guidelines |
    | --- | --- |
    | Rule Name | Enter a name for the new rule. |
    | Description | Enter a description of the new rule. |
    | Remediation | Enter the Remediation script. Make sure that the Remediation script for your scenario is defined. Check the existing Remediation scripts under ADMIN > General Settings > Notification > Actions column. If your device is not in the list, add the needed Remediation script. |
    | Condition | Click Condition to create the rule conditions. See Defining Rule Conditions. |
    | Severity | Select a Severity to associate with the incident triggered by the rule. |
    | Category | Select the Category of incidents to be triggered by the rule. |
    | Subcategory | Select the Subcategory from the available list based on the selected incident Category. To add custom subcategories, follow the steps under Setting Rule Subcategory. |
    | Actions | Click the edit icon to define the incident (Incident Attributes and Triggered Attributes) that will be generated by this rule. You must have at least one incident defined before you can save your rule. |
    | Exception | Click the edit icon to define any Exceptions for the rule. See Defining Rule Exceptions. |
    | Dashboard | Select Dashboard to add this report under the DASHBOARD tab. |
    | Notification | Select a Notification frequency for how often you want notifications to be sent when an incident is triggered by this rule. |
    | Impacts | Select the Impacts of the incident triggered by this rule from the drop-down. |
    | Watch Lists | Click the edit icon to add the rule you want to add to the watch list. Note: The Type that you set for the watch list must match the Incident Attribute Types for the rule. For example, if your watch list Type is IP, and the Incident Attribute Type for the rule is string, you will not be able to associate the watch list with the rule. |
    | Clear | Click the edit icon to define any Clear conditions for the rule. See Defining Clear Conditions. |
  4. Click Save.
    Your new rule is saved, in an inactive state, to the group you selected. Test the rule before you activate it.