Documentation for Security Event Manager

Get started building custom rule expressions in SEM

This section provides information to help you write custom rule expressions in SEM.

See also: Create a new rule for step-by-step instructions.

About custom rule expressions

Use caution when creating rules. SolarWinds recommends that you practice creating filters before you start creating rules. Creating rules is similar to creating filters, but filters report event occurrences whereas rules act on them.

Begin configuring rules when you are comfortable with configuring filters. Always test your rules before implementing them.

You can create rules by configuring conditions between alert variables and other components (such as time of day sets, user-defined groups, constants, and so on). Using rules, you can correlate alert variables with other alerts and their alert variables.

You can configure rules to fire after multiple alerts occur. SEM remembers alerts that meet the basic rule conditions and waits for additional conditions to be met. The rule does not execute until the alerts meet all the conditions and correlations defined for the rule.

When you correlate alert variables, you specify how often and in what time frame the correlations must be met before the rule is triggered. The combined correlations dictate when the rule initiates an active response.
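The Python sketch below is an added illustration of the behavior described above. It is not SEM code or SEM rule syntax. It models a rule that remembers matching alerts and fires only once a set number of them, correlated on one alert variable, arrive within a time frame. The class name, field names, and sample events are all constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class ThresholdRule:
    """Toy model: fire when `count` events that satisfy `condition` and share
    the same value of `correlate_on` occur within `window`."""
    def __init__(self, condition, correlate_on, count, window):
        self.condition = condition
        self.correlate_on = correlate_on
        self.count = count
        self.window = window
        self._pending = defaultdict(deque)  # correlated value -> remembered timestamps

    def feed(self, event):
        """Process one event (events must arrive in time order).
        Return True when this event completes the correlation."""
        if not self.condition(event):
            return False                      # basic rule condition not met
        seen = self._pending[event[self.correlate_on]]
        seen.append(event["time"])
        while event["time"] - seen[0] > self.window:
            seen.popleft()                    # forget alerts outside the time frame
        if len(seen) >= self.count:
            seen.clear()                      # one burst triggers one response
            return True
        return False

def run(rule, events):
    """Return (time, correlated value) for every point where the rule fires."""
    return [(e["time"], e[rule.correlate_on]) for e in events if rule.feed(e)]

T0 = datetime(2024, 1, 1, 9, 0, 0)            # constructed sample data
def ev(sec, kind, user):
    return {"time": T0 + timedelta(seconds=sec), "type": kind, "user": user}

EVENTS = [
    ev(0, "logon_failure", "alice"), ev(5, "logon_failure", "bob"),
    ev(10, "logon_failure", "alice"), ev(15, "logon_success", "alice"),
    ev(20, "logon_failure", "alice"),         # third alice failure within 30 s
    ev(50, "logon_failure", "bob"), ev(95, "logon_failure", "bob"),
]

def demo(count=3, seconds=30):
    rule = ThresholdRule(lambda e: e["type"] == "logon_failure", "user",
                         count, timedelta(seconds=seconds))
    return run(rule, EVENTS)

if __name__ == "__main__":
    for when, user in demo():
        print(f"rule fired at {when:%H:%M:%S} for user {user}")
```

In this sample, bob also has three failures, but they are spread over 90 seconds, so the rule never fires for him. A filter over the same events would simply list all six failures.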