Create a new SEM rule to monitor and respond to events

This section describes how to create a custom rule to monitor and respond to events from your monitored computers and devices.

Click the video icon to view a tutorial about creating rules in the SEM console.

Create a new rule

  1. Open the SEM console. See Log in to the SEM web console for steps.

  2. On the SEM toolbar, navigate to Build > Rules.

  3. On the Rules toolbar, click .

  4. Enter a name and description for the rule.

  5. From the drop-down list, select the SEM Manager that will host this rule.

    If you are editing a rule, this field displays the SEM Manager instance associated with the rule.

  6. Click Add Tags.

    Select the categories and tags for this rule, and then click OK.

  7. Configure the correlations (or relationships) that define the rule. These correlations define the events that must occur for the rule to take effect. You can coordinate multiple alert events into a set of conditions that prompt the SEM Manager to issue an active response.

    1. From the list pane, drag Event or Event Group items into the Correlations box. To add a group, click .
    2. Click the correlations connector bar. Select AND to determine if the alert conditions must all apply, or OR if any alert conditions apply to prompt a response.

    If your correlations require a value, populate the value using one of the following procedures:

    • Enter a static text value in the Text Constant field, denoted by a pencil icon. Use asterisks (*) as wildcard characters to account for any number of characters before, within, or after your text value.

    • To replace the Text Constant field, drag a group from the list pane. The most commonly used groups include User Defined Groups, Connector Profiles, Directory Service Groups, and Time Of Day Sets.

    • To replace the Text Constant field, drag an Event field from an existing event in your Correlations. This will result in a parameter that states whether values from different Events in your Correlations should match.

  8. If you want to change the operators in your conditions, click the operator until you find the one you want.

    There are two types of operators: Condition and Group.

    • Condition operators are found between your events and their values. Examples include Equals, Does Not Equal, Contains, and Does Not Contain. Rule Creation only displays the operators that are available for the values in your Correlations.
    • Group operators are found outside of your correlation groups. The two options are And (blue) and Or (orange).

    For more information see Comparing values with operators in SEM filters and rules.

  9. Configure the correlation time to establish the allowable frequency and time span that the correlation events must occur before the rule applies.

    1. Set the Events within and Response Window settings for your rule.
    2. If the Events within value is 2 or more, click Advanced to select advanced threshold fields and define an advanced response window for the alert fields within the grouping.
  10. Configure the actions that occur when the events in the Correlations and the Correlations Time boxes occur (for example, sending an email message to the system administrator or blocking an IP address).

    Use the following guidelines:

    • All rules must have at least one action.

    • Populate your action with constants or event fields as appropriate.

    1. Click the Actions list.

    2. Select and drag an action from the list into the Actions box.

  11. Apply the appropriate Enabled, Test, and Subscribe settings as appropriate.

    1. To enable the rule after you click Save, select the Enable check box. See About selecting rules to test, enable, or disable for details.

    2. To operate the rule in test mode before it is enabled, select the Test check box. SolarWinds recommends running each new rule in test mode to confirm that the rule behaves as expected. See Testing rules in SEM for details.

      You must enable a rule before you can test it.

    3. Click the Subscribe drop-down menu and select all users who subscribe to the rule. The system will notify the subscribing users each time one of the subscribed-to rules triggers an alert. The alerts will appear in their alert grid.

      This option also tracks rule activity in the Subscriptions report in SEM Reports.

  12. Click Save.

    The new rule appears in the Rules grid.

    You can click Apply to save your changes without closing the form.

  13. After your rule is in your Custom Rules folder, click Activate Rules to sync your local changes with the rules folders on your SEM Manager and allow the new or updated rules to function properly.

    When enabling or disabling rules, no changes will take effect until you click Active Rules.

Example: Create a Change Management rule

This section shows you how to create a rule in SEM by stepping you through an example.

Click the video icon to view a tutorial about creating a rule to watch for unauthorized vendor access.

About the Change Management rule example

Rules in the Change Management category notify you when a user makes a network configuration change, for example:

  • Adding, changing, or deleting users in Active Directory

  • Installing software on monitored computers

  • Making changes to the firewall policy

You can create a general change management rule to instruct SEM to notify you when a user changes your network configuration, or you can create a more specific rule that applies to specific users, groups, or types of changes. Generally, if you can see an event in your console, you can create a rule for the event. Use your filters as a starting point for creating custom rules.

The following change management rule example notifies you by email when a user adds another user to an administrative group.

Create the example Change Management rule

  1. Open the SEM console. See Log in to the SEM web console for steps.

  2. On the SEM toolbar, navigate to Build > Rules.

  3. To create a new rule using the Rule Creation screen, click .

  4. Enter an appropriate name for the rule. For example:

    New Admin User

  5. In the rule Correlations box, enter the event or event group.

    For example, you can use the NewGroupMember.EventInfo Equals *admin* condition to execute anytime SEM receives a NewGroupMember event with admin included anywhere in the Event Info field.

    1. In the left pane, click Events.

    2. At the top of the Events list, enter NewGroupMember to search for this event, and then select it in the list.

    3. In the Fields: NewGroupMember list, locate EventInfo, and then drag it into the Correlations box.

    4. In the text field (denoted by a pencil icon in the Correlations box), enter *admin* to account for all variations on the word administrator.

  6. Leave the Correlation Time box as is so your rule fires anytime SEM captures this type of event.

  7. Add the Send Email Message action to the Actions box.

    1. In the left pane, click Actions.

    2. Locate Send Email Message, and then drag the action into the Actions box.

    3. In the Email Template, click the menu, and then select a template.

    4. In the Recipients menu, select a SEM user.

    5. To complete the action, drag event fields or constants from the left pane into the Send Email Message form.

      Always use event fields for events in the Correlations box. For example, you can use NewGroupMember.DetectionTime to populate the Detection Time field in this example.

  8. In the Rule Creation form, select Enable, and then click Save.

  9. Test the rules to verify they work as expected. See Testing rules in SEM for details.

  10. In the main Rules view, click Activate Rules to sync your local changes with SEM.

    The SEM Manager will send an email anytime a user adds a user to any group in Active Directory that contains admin in its name.