SEM tuning and periodic maintenance tasks
Review your rules on a regular basis to ensure that they do not trigger too frequently and that SEM uses processor and memory resources efficiently.
These issues can be caused by:
- Low threshold settings
- Broadly-defined conditions
- Rules that use event groups instead of a single event or subset of events
The following table provides recommendations for each issue.
Issue | Recommendation |
---|---|
Low threshold settings | Consider increasing the threshold for rules that trigger due to network traffic. |
Broadly-defined conditions | Define the rules to apply only to specific user names, IP addresses, or systems. Consider whether a different set of rules with different conditions could serve two distinct areas of your environment. |
Rules using event groups instead of a single event or subset of events | Rules that detect authentication or network traffic may trigger on additional events, but may only apply to a subset of those events. |
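
The effect of the three recommendations can be measured on a small scale before changing a production rule. The following Python sketch is an added example, not SolarWinds code and not a model of the SEM rule engine: it replays constructed events through a simplified threshold rule and counts how often the rule would fire as the event selection, threshold, and user scope are tightened. The event type names, users, IP addresses, and the per-source-IP counting are assumptions made for illustration.

```python
from collections import defaultdict, deque

def sample_events():
    """Constructed events: (time_s, event_type, user, source_ip)."""
    ev = [(t, "logon_failure", "svc_scan", "10.0.5.20") for t in range(0, 300, 10)]
    ev += [(t + 1, "logon_success", "alice", "10.0.1.15") for t in range(0, 300, 30)]
    ev += [(t, "logon_failure", "admin", "10.0.9.77") for t in range(200, 212, 2)]
    return sorted(ev)

def count_triggers(events, event_types, threshold, window_s, only_users=None):
    """Count rule firings. The rule fires when `threshold` matching events
    from one source IP fall within `window_s` seconds, then resets for that IP."""
    recent = defaultdict(deque)
    fired = 0
    for t, etype, user, ip in events:
        if etype not in event_types:
            continue  # rule is limited to the selected event types
        if only_users is not None and user not in only_users:
            continue  # rule is scoped to specific user names
        q = recent[ip]
        q.append(t)
        while t - q[0] >= window_s:
            q.popleft()  # drop events that fell out of the time window
        if len(q) >= threshold:
            fired += 1
            q.clear()
    return fired

def compare():
    """Return trigger counts for progressively tighter rule definitions."""
    ev = sample_events()
    group = {"logon_failure", "logon_success"}  # stands in for an event group
    single = {"logon_failure"}                  # a single event type
    return {
        "event group, threshold 3": count_triggers(ev, group, 3, 120),
        "single event, threshold 3": count_triggers(ev, single, 3, 120),
        "single event, threshold 5": count_triggers(ev, single, 5, 120),
        "single event, threshold 5, admin only": count_triggers(ev, single, 5, 120, {"admin"}),
    }

if __name__ == "__main__":
    for label, n in compare().items():
        print(f"{n:3d} triggers  {label}")
```

In every configuration the burst of failed logons against `admin` still fires the rule at least once, so the reduction in triggers comes from removing noise rather than from losing the detection.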