About SEM rules

Rules can respond to one or more events. In many cases, you can base rules on several events that SEM correlates to trigger an action. You can also configure a rule to look for a single event.

Rules can only fire on normalized data and not on raw log data that is received.

Rules play a key role in detecting operational and compliance issues on your network, such as external breaches, insider abuse, and policy violations. The SEM console ships with a set of preconfigured rules to help you get started.

SEM rule scenarios

Countless scenarios may warrant a rule. Consider these combinations of rules and actions:

  • Respond to change management events with the Send Email Message action.
  • Respond to port scanning events with the Block IP action.
  • Respond to isolated spikes in network traffic with the Send Email Message or Disable Networking action.
  • Respond to users playing games on monitored computers with the Send Popup Message or Kill Process action.
  • Respond to users attaching unauthorized USB devices to monitored computers using the Detach USB Device action.

Any activity or event that can pose a threat to your network might warrant a SEM rule.

Rule configuration requirements and best practices

Review the following requirements and best practices about creating SEM rules.

Use descriptive rule names

To keep rules simple to manage, SolarWinds recommends creating the rule with a name that describes the event.

Set the Correlation, Correlation time, and Action

Each rule requires you to define three settings:

  • Correlation: The number of events that occur within a selected amount of time and the amount of time allocated to responding to the events.
  • Correlation time: The volume of events that match the correlation conditions and the rolling time window to evaluate the correlation.
  • Action: The action that occurs when the rule is triggered.

Enable a rule to upload local changes

When you create a new rule, or change an existing rule, you are working on a local copy of the rule. The SEM Manager cannot use the rule change until you activate it. Activating a rule tells the SEM Manager to reload its enabled rules and upload updates from your local copies.

Enable rules whenever you create a new rule, edit an existing rule, or change the test mode status. Otherwise, the SEM Manager will not recognize your changes. After enabling rules, SEM begins processing rules.

Verify that a rule fired

Check your console for InternalRuleFired events using either a filter or nDepth search. These events will show the triggered rule and when it occurred.

Test new rules before putting them into production

Before you put a rule into production, try it out in test mode. In test mode, the SEM Manager processes the rule alert messages, but does not execute any rule actions. This lets you see how the activated rule will behave without disrupting your network.