Documentation for Security Event Manager

Get started building custom rule expressions in SEM

You can create a custom rule to trigger certain actions when a defined event or events occur. Custom rules can be as simple or as complex as required to meet specific needs. These needs can range from a single yes/no event to a combination of precisely defined occurrences over a period of time. They can trigger actions from sending an email to logging off a user or shutting down a device.

Use discretion when creating rules. SolarWinds recommends that you practice creating filters before you start creating rules. Creating rules is similar to creating filters. Filters report event occurrences, whereas rules act on them.

Begin configuring rules when you are comfortable with configuring filters. Always test your rules before you implement them in your deployment.

You can create rules by configuring conditions between alert variables and other components (such as time of day sets, user-defined groups, constants, and so on). Using rules, you can correlate alert variables with other alerts and their alert variables.

You can configure rules to fire after multiple alerts occur. SEM remembers alerts that meet the basic rule conditions and waits for additional conditions to be met. The rule does not execute until the alerts meet all the conditions and correlations defined for the rule.

You can specify how often and in what time frame the correlations must be met before the rule is triggered. The combined correlations dictate when the rule initiates an active response.
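The following Python sketch is an added illustration of the correlation behavior described above. It is not SolarWinds code and not how SEM is implemented. The alert names, group members, threshold, and sample alerts are constructed assumptions. It models a rule that remembers matching alerts per user and fires only when the required count falls inside the time frame.

```python
from collections import defaultdict, deque
from typing import NamedTuple

class Alert(NamedTuple):
    ts: int       # seconds since the start of the constructed sample
    name: str     # alert type (hypothetical names)
    user: str     # alert variable the rule correlates on
    source: str   # alert variable carried into the response

class ThresholdRule:
    """Fires when `count` matching alerts for one user occur within `window` seconds."""
    def __init__(self, alert_name, group, count, window):
        self.alert_name = alert_name       # constant compared with an alert variable
        self.group = group                 # stand-in for a user-defined group
        self.count = count                 # how often the correlation must be met
        self.window = window               # time frame, in seconds
        self.pending = defaultdict(deque)  # remembered alerts, per user

    def feed(self, alert):
        # Basic rule conditions: the alert type equals the constant and the
        # user variable is a member of the group. Other alerts are ignored.
        if alert.name != self.alert_name or alert.user not in self.group:
            return None
        held = self.pending[alert.user]
        held.append(alert)
        # Forget remembered alerts that have aged out of the time frame.
        while alert.ts - held[0].ts > self.window:
            held.popleft()
        if len(held) < self.count:
            return None  # keep waiting for the remaining correlations
        sources = sorted({a.source for a in held})
        held.clear()     # start counting afresh after the rule fires
        return {"action": "send_email", "user": alert.user,
                "at": alert.ts, "sources": sources}

def run(rule, alerts):
    """Feed alerts in time order and collect the responses the rule produced."""
    return [r for r in (rule.feed(a) for a in sorted(alerts)) if r]

# Constructed sample alerts (not SEM output).
SAMPLE = [
    Alert(0, "FailedLogon", "svc-backup", "10.0.0.5"),
    Alert(10, "FailedLogon", "svc-backup", "10.0.0.5"),
    Alert(15, "FailedLogon", "jdoe", "10.0.0.9"),         # user not in the group
    Alert(100, "FailedLogon", "svc-backup", "10.0.0.7"),  # earlier two have aged out
    Alert(110, "FailedLogon", "svc-backup", "10.0.0.7"),
    Alert(112, "UserLogon", "svc-backup", "10.0.0.7"),    # different alert type
    Alert(120, "FailedLogon", "svc-backup", "10.0.0.8"),
]
GROUP = {"svc-backup", "administrator"}
```

With a count of 3 and a 30-second time frame, the first two failed logons never trigger the response because the third arrives too late. The rule fires once, at `ts=120`, when three matching alerts finally fall inside the window.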