Create and Manage Rules
Rules define the criteria that trigger alert notifications. You build the criteria as a query using the pre-defined search tokens, then associate an action that is executed whenever an event matches the criteria defined in the rule.
Create New Rule
(1) Go to Responses > Rule Manager > New Rule.
(2) Provide a name and description for the new rule in the Rule Name and Description fields. Set a severity for the rule so that rules can be prioritized; the severity can be None, Low, Medium or High.
(3) In the Rule Query section, specify the query for the rule. The system uses this query to search for events. Use the Test Query button to confirm that the query returns the events you expect before saving the rule. Click the Sample Queries link to select one of the predefined queries.
(4) In the Trigger Criteria section, choose one of the three trigger criteria that work with the rule query: Single Match, Time-Window Count Match, or Time-Window Scheduled Match. See Trigger Criteria.
(5) In the Action Settings section, choose the actions that you want the system to perform when an alert is triggered.
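To show how the query and trigger criteria in steps 3 and 4 combine, the following is an added example (not the product's own code) of a small rule engine run over constructed login events. It assumes a simplified query syntax (`token=value AND token=value`) and assumed semantics for the three criteria, none of which are taken from this page: Single Match alerts on every matching event, Time-Window Count Match alerts when a threshold of matches falls inside a sliding window, and Time-Window Scheduled Match alerts at each scheduled interval if any matches arrived since the last one.

```python
"""Toy rule engine illustrating the three trigger criteria (assumed semantics, not the product's)."""
from collections import deque
from dataclasses import dataclass

SEVERITIES = ("None", "Low", "Medium", "High")
TRIGGERS = ("single", "count", "scheduled")

# Constructed sample events (not real logs); ts is in epoch seconds.
EVENTS = [
    {"ts": 0,   "type": "login", "status": "failed",  "user": "alice", "src": "10.0.0.5"},
    {"ts": 5,   "type": "login", "status": "failed",  "user": "alice", "src": "10.0.0.5"},
    {"ts": 12,  "type": "login", "status": "success", "user": "bob",   "src": "10.0.0.9"},
    {"ts": 30,  "type": "login", "status": "failed",  "user": "alice", "src": "10.0.0.5"},
    {"ts": 31,  "type": "login", "status": "failed",  "user": "alice", "src": "10.0.0.5"},
    {"ts": 33,  "type": "login", "status": "failed",  "user": "alice", "src": "10.0.0.5"},
    {"ts": 130, "type": "login", "status": "failed",  "user": "alice", "src": "10.0.0.5"},
]


@dataclass
class Rule:
    name: str
    query: str                 # hypothetical syntax: "token=value AND token=value"
    severity: str = "Medium"   # None | Low | Medium | High
    trigger: str = "single"    # single | count | scheduled
    threshold: int = 1         # count: matches needed inside the window
    window_s: int = 60         # count: sliding window length in seconds
    interval_s: int = 60       # scheduled: evaluation interval in seconds

    def __post_init__(self):
        if self.severity not in SEVERITIES:
            raise ValueError(f"severity must be one of {SEVERITIES}")
        if self.trigger not in TRIGGERS:
            raise ValueError(f"trigger must be one of {TRIGGERS}")


def parse_query(query):
    """Parse the hypothetical 'k=v AND k=v' syntax into a dict of required token values."""
    terms = {}
    for part in query.split(" AND "):
        key, sep, value = part.strip().partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed query term: {part!r}")
        terms[key.strip()] = value.strip()
    return terms


def matches(terms, event):
    """An event matches when every token in the query equals the event's field."""
    return all(str(event.get(k)) == v for k, v in terms.items())


def evaluate(rule, events):
    """Return the list of alerts the rule would raise over the event stream."""
    terms = parse_query(rule.query)
    alerts = []
    window = deque()                # count: timestamps of matches inside the window
    pending = 0                     # scheduled: matches since the last tick
    next_tick = rule.interval_s     # scheduled: time of the next evaluation

    def fire(ts, count):
        alerts.append({"rule": rule.name, "severity": rule.severity, "ts": ts, "count": count})

    for ev in sorted(events, key=lambda e: e["ts"]):
        if rule.trigger == "scheduled":
            # Flush every scheduled tick that passed before this event arrived.
            while ev["ts"] >= next_tick:
                if pending:
                    fire(next_tick, pending)
                    pending = 0
                next_tick += rule.interval_s
        if not matches(terms, ev):
            continue
        if rule.trigger == "single":
            fire(ev["ts"], 1)
        elif rule.trigger == "count":
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > rule.window_s:
                window.popleft()     # drop matches that aged out of the window
            if len(window) >= rule.threshold:
                fire(ev["ts"], len(window))
                window.clear()       # reset so one burst raises one alert
        else:
            pending += 1
    if rule.trigger == "scheduled" and pending:
        fire(next_tick, pending)     # final tick at end of stream
    return alerts


if __name__ == "__main__":
    q = "type=login AND status=failed"
    for trig in TRIGGERS:
        r = Rule("failed-logins", q, severity="High", trigger=trig, threshold=3)
        print(trig, evaluate(r, EVENTS))
```

The same query produces six alerts under Single Match, one under Time-Window Count Match (the burst at ts 30) and two under Time-Window Scheduled Match, which is the practical point of step 4: a broad query paired with Single Match floods the action you attach in step 5, whereas a count or scheduled criterion turns repeated low-value events such as failed logins into one actionable alert. The Test Query button in step 3 is the place to check the raw match volume before choosing.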
Manage Rules
The Rule Manager tab lists all the rules you have created, showing for each rule:
- the rule name
- the trigger criteria selected
- whether alert message aggregation is enabled or disabled
- the rule action
- the date and time the rule was last triggered
- the state of the rule
- the rule severity
- the date and time the rule was created
Use the Actions or Quick Actions menu to edit, enable, disable or delete a rule, or to save an existing rule and its configuration under a new name as a new rule. Use the search bar with the search tokens to find rules.