Creating a Rule from Search
With the search result displayed in Analytics, follow the steps below to create a rule:
- From the Actions drop-down list, select Create Rule.
- A rule template is automatically created by copying over the important Search parameters:
  - Rule Sub-pattern Filters contain the Search Filter conditions.
  - Rule Sub-pattern Group By contains the Search Display conditions.
  - Rule Aggregate Conditions are set to COUNT(Matched Events) >= 1.
- To complete the rule creation, configure the settings in the Create Rule window with reference to the following table:

| Setting | Guidelines |
|---|---|
| Rule Name | Enter a name for the new rule. |
| Description | Enter a description of the new rule. |
| Remediation | Enter the Remediation script. Make sure that the Remediation script for your scenario is defined. Check the existing Remediation scripts under ADMIN > Settings > General > Notification Policy in the Action column. If your device is not in the list, add the needed Remediation script. |
| Condition | Click Condition to create the rule conditions. See Defining Rule Conditions. |
| Severity | Select a Severity to associate with the incident triggered by the rule. |
| Category | Select the Category of incidents to be triggered by the rule. |
| Subcategory | Select the Subcategory from the available list, based on the selected incident Category. To add custom subcategories, follow the steps under Setting Rule Subcategory. |
| Actions | Click the edit icon to define the incident (Incident Attributes and Triggered Attributes) that will be generated by this rule. You must have at least one incident defined before you can save your rule. |
| Exception | Click the edit icon to define any Exceptions for the rule. See Defining Rule Exceptions. |
| Dashboard | Select Dashboard to add this report under the DASHBOARD tab. |
| Notification | Select a Notification frequency for how often you want notifications to be sent when an incident is triggered by this rule. |
| Impacts | Select the Impacts of the incident triggered by this rule from the drop-down. |
| Watch Lists | Click the edit icon to add the rule to the watch list you want. Note: The Type that you set for the watch list must match the Incident Attribute Types for the rule. For example, if your watch list Type is IP and the Incident Attribute Type for the rule is string, you will not be able to associate the watch list with the rule. |
| Clear | Click the edit icon to define any Clear conditions for the rule. See Defining Clear Conditions. |

- Click Save.
Your new rule will be saved to the group you selected, in an inactive state. Test the rule before you activate it.