Documentation for Security Event Manager

About SEM rules

Rules respond to one or more events. In many cases, you can base rules on several events that SEM correlates to trigger an action. You can also configure a rule to be triggered by a single event.

Rules can only fire on normalized data and not on raw log data that is received.

Rules play a key role in detecting operational and compliance issues on your network, such as external breaches, insider abuse, and policy violations. SEM includes a set of preconfigured rules to help you get started.

SEM rule scenarios

Several scenarios can warrant a rule. Consider the following combinations of rules and actions:

  • Respond to change management events with the Send Email Message action.
  • Respond to port scanning events with the Block IP action.
  • Respond to isolated spikes in network traffic with the Send Email Message or Disable Networking action.
  • Respond to users playing games on monitored computers with the Send Popup Message or Kill Process action.
  • Respond to users attaching unauthorized USB devices to monitored computers using the Detach USB Device action.

Any activity or event that can pose a threat to your network warrants a SEM rule.

Rule configuration requirements and best practices

Review the following requirements and best practices about creating SEM rules.

Use descriptive rule names

To keep rules simple to manage, SolarWinds recommends giving each rule a name that describes the event it detects, together with a full description.

Set the Correlation, Correlation time, and Action

Each rule requires you to define three settings: Correlation, correlation time, and action.

Correlation is the number of events that must occur within a selected amount of time, and the amount of time allocated to responding to those events.

Correlation time is the volume of events that match the correlation conditions, and the rolling time window in which the correlation is evaluated.

Action is the action that occurs when the rule is triggered.

Enable a rule to upload local changes

When you create a new rule or change an existing rule, you are working on a local copy of the rule. The SEM Manager cannot use the changed rule until you activate it. Activating a rule tells the SEM Manager to reload its enabled rules and upload updates from your local copies.

Enable rules whenever you create a new rule, edit an existing rule, or change the test mode status; otherwise, the SEM Manager will not recognize your changes. After you enable the rules, SEM begins processing them.

Verify that a rule fired

Check your console for InternalRuleFired events using a filter. These events show which rule was triggered and when it fired.

Test new rules before putting them into production

Before you put a rule into production, try it out in test mode. In test mode, the SEM Manager processes the rule alert messages, but does not execute any rule actions. This lets you see how the activated rule will behave without disrupting your network.
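The following Python model ties together the three rule settings (Correlation, Correlation time, Action), the InternalRuleFired event used to verify a fire, and test mode, which records the fire but skips the action; it is an added illustration, not SolarWinds code or the SEM rule engine. The event dictionary shape, the rule name, the predicate and the sample events are all constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Rule:
    """Illustrative SEM-style rule (not SolarWinds code; event shape is assumed)."""
    name: str
    match: Callable[[dict], bool]          # predicate over a normalized event
    count: int                              # Correlation: events required to fire
    window: float                           # Correlation time: rolling window, seconds
    action: Callable[[list], None]          # Action: runs when the rule fires
    test_mode: bool = False                 # test mode: log the fire, skip the action
    _recent: deque = field(default_factory=deque)

    def process(self, event: dict, log: list) -> bool:
        """Feed one normalized event; return True if the rule fired on it."""
        if not self.match(event):
            return False
        self._recent.append(event)
        # Drop matches that have fallen out of the rolling window
        while event["ts"] - self._recent[0]["ts"] > self.window:
            self._recent.popleft()
        if len(self._recent) < self.count:
            return False
        matched = list(self._recent)
        self._recent.clear()                # start a new correlation cycle
        log.append({"type": "InternalRuleFired", "rule": self.name,
                    "ts": event["ts"], "test_mode": self.test_mode})
        if not self.test_mode:
            self.action(matched)
        return True

# Constructed normalized events (RFC 5737 test address); "ts" is seconds.
CONSTRUCTED_EVENTS = [
    {"ts": 0.0,   "type": "TCPPortScan", "src": "192.0.2.10"},
    {"ts": 5.0,   "type": "TCPPortScan", "src": "192.0.2.10"},
    {"ts": 70.0,  "type": "TCPPortScan", "src": "192.0.2.10"},  # first two now expired
    {"ts": 75.0,  "type": "TCPPortScan", "src": "192.0.2.10"},
    {"ts": 80.0,  "type": "UserLogon",   "src": "192.0.2.10"},  # does not match the rule
    {"ts": 100.0, "type": "TCPPortScan", "src": "192.0.2.10"},  # third scan in 60 s: fires
]

def run(test_mode: bool):
    # Replay the sample events through a "3 scans in 60 seconds -> Block IP" rule
    blocked, log = [], []
    rule = Rule("Port scan - block source", lambda e: e["type"] == "TCPPortScan",
                count=3, window=60.0, action=lambda evs: blocked.append(evs[-1]["src"]),
                test_mode=test_mode)
    fired = [rule.process(e, log) for e in CONSTRUCTED_EVENTS]
    return fired, log, blocked
```

Run `run(test_mode=True)` to see the InternalRuleFired record appear in the log with nothing blocked, then `run(test_mode=False)` to see the same fire also execute the action.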