Creating a New Rule from Rule Manager
While creating a new rule, define the conditions and the significant event that trigger the rule and send alerts. Perform the following steps in the VMDR application to create a new rule:
- From Responses, navigate to Rule Manager and click New Rule.
- In the Rule Information section, provide a Rule Name and Description of the new rule.
- In the Rule Query section, specify a query for the rule. The system uses this query to search for events. Use the Test Query button to test your query; if the Qualys Query Language (QQL) in the query is not supported, an error message notifies you. The following screenshot is an example of the Rule Details section:
Alternatively, you can click Sample Queries to select from the predefined queries. The following screenshot is an example of Sample Queries:
- In the Trigger Criteria section, select the trigger criteria that match the rule query. You can choose the following Trigger Criteria from the drop-down menu:
  - Single Match: the system generates an alert each time it detects an event matching your search query.
  - Time-Window Count Match: the system generates alerts based on the number of events the search query returns in a fixed time interval. For example, an alert is sent when three matching events are found within a 4-hour window.
  - Time-Window Scheduled Match: the system generates alerts for matching events during a scheduled time. The rule is triggered only when an event matching your search criteria is found during the time specified in the schedule. Choose a date and time range for creating a schedule and specify whether the schedule should run Daily, Weekly, or Monthly. For example, send daily alerts with all matches in a scheduled window between 4 PM and 5 PM.

  For Time-Window Count Match and Time-Window Scheduled Match, you can aggregate the alerts with the Aggregate Group option by selecting Vulnerability QID, Vulnerability Title, Vulnerability CVE ID, and so on.
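The three trigger criteria above, and the Aggregate Group option, describe alerting logic that is easier to reason about when it is written out. The following Python is an added illustration, not Qualys code and not the VMDR rule engine: it models the rule query as a plain Python callable (standing in for QQL), the detections it returns as a constructed list of events with placeholder QID and CVE values, and implements Single Match, Time-Window Count Match (three matches within a 4-hour window, counted per aggregate group) and a daily Time-Window Scheduled Match (all matches between 4 PM and 5 PM). The function names, event fields and sample data are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample events (not Qualys data). Each dict stands for one
# detection the rule query returned; qid/title/cve are the fields the
# Aggregate Group option can key on. QIDs and CVE ids are placeholders.
EVENTS = [
    {"ts": "2024-05-01T09:10:00", "asset": "web-01", "qid": 100001, "title": "TLS weak cipher", "cve": "CVE-0000-0001", "severity": 3},
    {"ts": "2024-05-01T10:05:00", "asset": "web-02", "qid": 100001, "title": "TLS weak cipher", "cve": "CVE-0000-0001", "severity": 3},
    {"ts": "2024-05-01T12:30:00", "asset": "db-01",  "qid": 100002, "title": "Outdated kernel", "cve": "CVE-0000-0002", "severity": 5},
    {"ts": "2024-05-01T12:45:00", "asset": "web-03", "qid": 100001, "title": "TLS weak cipher", "cve": "CVE-0000-0001", "severity": 3},
    {"ts": "2024-05-01T16:20:00", "asset": "app-01", "qid": 100002, "title": "Outdated kernel", "cve": "CVE-0000-0002", "severity": 5},
    {"ts": "2024-05-01T16:40:00", "asset": "app-02", "qid": 100003, "title": "Default creds",   "cve": "CVE-0000-0003", "severity": 5},
    {"ts": "2024-05-02T16:10:00", "asset": "db-02",  "qid": 100002, "title": "Outdated kernel", "cve": "CVE-0000-0002", "severity": 5},
]


def parse_ts(event):
    return datetime.fromisoformat(event["ts"])


# The "rule query": a callable standing in for the QQL the rule would carry.
def query_all(event):
    return True


def query_severity_5(event):
    return event["severity"] >= 5


def single_match(events, query):
    """Single Match: one alert for every event the query matches."""
    return [{"mode": "single", "asset": e["asset"], "qid": e["qid"]}
            for e in events if query(e)]


def time_window_count_match(events, query, threshold, window_hours, group_key="qid"):
    """Time-Window Count Match: alert when `threshold` matching events fall
    inside a `window_hours` window, counted separately per aggregate group
    (e.g. per QID or per CVE). Events are processed in time order; a group's
    counter is cleared after it alerts so the same events are not re-reported."""
    window = timedelta(hours=window_hours)
    alerts = []
    recent = defaultdict(deque)  # group -> timestamps of recent matches
    for e in sorted(events, key=parse_ts):
        if not query(e):
            continue
        key, ts = e[group_key], parse_ts(e)
        dq = recent[key]
        dq.append(ts)
        while dq and ts - dq[0] > window:  # drop matches older than the window
            dq.popleft()
        if len(dq) >= threshold:
            alerts.append({"mode": "count", "group": key, "count": len(dq),
                           "window_end": ts.isoformat()})
            dq.clear()
    return alerts


def scheduled_match(events, query, start_hour, end_hour, group_key="qid"):
    """Time-Window Scheduled Match with a Daily schedule: one alert per day and
    aggregate group listing every matching event whose time of day falls in
    [start_hour, end_hour)."""
    start, end = time(start_hour), time(end_hour)
    buckets = defaultdict(list)
    for e in events:
        ts = parse_ts(e)
        if query(e) and start <= ts.time() < end:
            buckets[(ts.date().isoformat(), e[group_key])].append(e["asset"])
    return [{"mode": "scheduled", "day": day, "group": group, "assets": sorted(assets)}
            for (day, group), assets in sorted(buckets.items())]


def run_demo():
    """Run the three trigger criteria over the constructed events."""
    return {
        "single": single_match(EVENTS, query_severity_5),
        "count": time_window_count_match(EVENTS, query_all, 3, 4, "qid"),
        "scheduled": scheduled_match(EVENTS, query_all, 16, 17, "qid"),
    }


if __name__ == "__main__":
    for mode, alerts in run_demo().items():
        print(mode, alerts)
```

Running it shows the practical difference between the modes on the same data: Single Match on a severity-5 query produces four alerts (one per detection), the count match fires once because three TLS-cipher detections for the same QID land inside a 4-hour window while the kernel detections are spread too far apart, and the scheduled match reports only what fell in the 4 PM to 5 PM slot, grouped by day and QID. Changing `group_key` to `"cve"` or `"title"` reproduces the Aggregate Group behaviour without touching the matching logic.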
- In the Action Settings section, choose the actions the system performs when an alert is triggered. You can customize the message text by inserting tokens into the alert message.
- Click Save.