Documentation for Security Event Manager

SEM tuning and periodic maintenance tasks

Review your rules on a regular basis to ensure that they do not trigger too frequently and that SEM uses processor and memory resources efficiently.

Rules that trigger too frequently or consume excessive resources can be caused by:

  • Low threshold settings

  • Broadly-defined conditions

  • Rules that use event groups instead of a single event or subset of events

The following table provides recommendations for each issue.

| Issue | Recommendation |
| --- | --- |
| Low threshold settings | Consider increasing the threshold for rules that trigger due to network traffic. |
| Broadly-defined conditions | Define the rules to apply only to specific user names, IP addresses, or systems. Consider whether a different set of rules with different conditions could serve two distinct areas of your environment. |
| Rules using event groups instead of a single event or subset of events | Rules that detect authentication or network traffic may trigger on additional events, but may only apply to a subset of those events. |