Documentation for Security Event Manager

Create event groups

SEM includes several predefined event groups, such as virus and scanner events, process start and stop events, change management events, and so on. Event groups allow you to group together several events into a specific category to initiate a specific event filter, rule, or condition.

You can create an event group that includes a custom family of alerts, save them as an event group, and associate the groups with your rules and filters. For example, you can create an event group for events that trigger the same response from SEM. If an event in the group occurs, SEM fires the rule for that group.

If you have multiple SEM instances, you can import an event group from another SEM instance or export one or more event groups in JSON format to another SEM instance.

When you click Reload data or navigate to another section in the application, all selected filters, search input, pagination, and sorting settings are preserved.

Event Groups window

Click Configure > Event Groups in the SEM toolbar to access the Event Groups window.

This window displays all existing event groups. Click the ellipsis icon to expand or collapse all refined results in the left column.

The following table describes the selectable items in the window.

| Selection | Description |
|---|---|
| Modify by | Filters the event group results based on your user selections. |
| Last modified | Filters the event group results based on the selected time span. For example, all event groups that were modified in the last hour. |
| Used Event types | Filters the event group results based on your selected event types. |
| Create Event group | Creates a new event group based on your selected events. |
| Import Event groups | Imports a saved event group from another SEM instance. |
| Reload data | Refreshes the Event Groups window. When you click this option and navigate to another section in the application, all selected filters, search inputs, pagination, and sorting settings are preserved. |
| Export all | Exports all event groups to a JSON file for import to another SEM instance. |
| Search | Filters the event group results based on your search parameters. |

Using the Event Groups window, you can:

Create an event group

This procedure describes how to create an event group for your SEM instance.

  1. In the SEM toolbar, click Configure > Event Groups.

  2. Click Create event group.

  3. In the Create event group window, select the events for your new group, and then click Next.

    Click the tree view icon to select a parent event and specific child events. Click Show selected only to view your selected events.

    Click the list view icon to select the targeted events and all related child events. After you select your targeted events, you can click the tree view to view all related child events.

    To search for a specific event name, enter the name in the Search field and click the magnifying glass. The search results highlight all events that contain your search parameters. When you are finished, select the events you want to include in the group.

  4. Under Details, enter a name and optional description for this group, and then click Create.

    The new event group is added to the Event Group page. Click Reload data to refresh the list.

    All selected filters, search input, pagination, and sorting settings are preserved after you click Reload data or navigate to another area and back in the application.

Edit an event group

This procedure explains how to edit an event group in your SEM instance.

  1. In the SEM toolbar, click Configure > Event Groups.
  2. Select the checkbox next to the event group you want to edit.

  3. In the toolbar, click Edit.

  4. Edit your selections in the tree or list view.

    Click the tree view icon to display a list of existing events and their corresponding child events. Select or remove additional events as required. Click the maximize arrow to view child events.

    Click the list view icon to display a list of existing events that automatically include all child events. Select or remove additional events as required.

  5. Click Next.

  6. Update the event group name and description as required.

  7. Click Save.

    The edited group displays in the Event Group page.

Copy an event group

This procedure explains how to copy an event group in your SEM instance. When you are finished, you can edit the event group and add or remove events from the group.

  1. In the SEM toolbar, click Configure > Event Groups.
  2. Select the checkbox next to the event group you want to copy.

  3. Click Copy.

    The copied event group displays in the window.

  4. Edit the event group as required.

Export an event group

This procedure explains how to export an existing event group in JSON format from your SEM instance to another instance.

  1. In the SEM toolbar, click Configure > Event Groups.
  2. Select the checkbox next to the event groups you want to export.

    To export all event groups, leave all event groups unselected.

  3. Click Export Event groups.

    The selected event groups are exported to a JSON file and downloaded to the host server.

Import an event group

This procedure explains how to import an event group in JSON format from another SEM instance.

  1. In the SEM toolbar, click Configure > Event Groups.
  2. In the toolbar, click Import Event groups.

  3. In the Import Event Groups window, click Browse file.

  4. Select the event group file in JSON format to import, and then click Open.

    If the file is not identical to the parent SEM instance, a warning message displays in the window. Click Browse file and select the correct file.

    If the file does not include invalid event groups, no warning message displays. Click Import to complete the procedure.

    If the file includes invalid event groups, do the following:

    1. Search and deselect any event groups that you do not want to import. Click the Name drop-down menu to display the list in ascending or descending order.
    2. Click Import.
    3. In the Conflicts window, select how SEM should handle the conflicts for each event group.

      Select Skip to ignore the conflict.

      Select Overwrite to overwrite the existing event groups with the imported event group.

      Select Rename to rename the event group.

    4. Click Import.

      The Import Results window displays the actions you selected to resolve the conflicts in each event group.

Troubleshoot importing an event group

The following table provides workarounds for importing an event group.

| Error message | Action |
|---|---|
| File is too large to upload. The maximum supported file size is 2 MB. | Modify the file so it is smaller than 2 MB. You can split the file into several files. |
| Invalid content. Uploaded file should have the same format as exported file. | Modify the file so it has the correct formatting. You can export another event group, compare the structure with your new event group, and then export the file. |
| File empty. Selected file is empty. Upload a JSON file containing SEM Event Groups. | Modify the file so it has the correct data and formatting. |
| Invalid event groups. <X> of <x> event groups are invalid. These event groups cannot be imported. | Modify the file so it has the correct data. Error messages in the list records (such as "invalid name" or "invalid members") can help you identify the issue. |
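
A pre-upload check for the first three conditions in the table above, as an added example (not SolarWinds code): it flags an empty, oversized, or non-JSON file and splits a large export into several files that fit under the limit. It assumes the export is a top-level JSON array of event-group objects and that 2 MB means 2,000,000 bytes; the page specifies neither, and the sample keys are constructed.

```python
import json

# Assumption: "2 MB" taken as 2,000,000 bytes (the page does not say decimal or
# binary); the smaller reading fits under the limit either way.
MAX_BYTES = 2_000_000

def preflight(raw: bytes, limit: int = MAX_BYTES) -> str:
    """Name the troubleshooting-table condition a file would hit, or 'ok'."""
    if not raw.strip():
        return "empty"
    if len(raw) > limit:
        return "too large"
    try:
        data = json.loads(raw)
    except ValueError:  # covers JSONDecodeError and bad UTF-8
        return "invalid content"
    # Assumption: an export is a top-level JSON array of event-group objects.
    return "ok" if isinstance(data, list) else "invalid content"

def split_groups(groups: list, limit: int = MAX_BYTES) -> list:
    """Greedily pack event groups into JSON arrays of at most `limit` bytes."""
    chunks, current, size = [], [], 2  # 2 bytes for the enclosing "[]"
    for group in groups:
        item = json.dumps(group, separators=(",", ":")).encode("utf-8")
        if len(item) + 2 > limit:
            raise ValueError("one event group alone exceeds the limit")
        extra = len(item) + (1 if current else 0)  # +1 for the comma
        if size + extra > limit:
            chunks.append(b"[" + b",".join(current) + b"]")
            current, size, extra = [], 2, len(item)
        current.append(item)
        size += extra
    if current:
        chunks.append(b"[" + b",".join(current) + b"]")
    return chunks

if __name__ == "__main__":
    # Constructed sample; the keys are hypothetical, not SEM's export schema.
    sample = [{"name": f"group-{i}", "members": ["Event" * 10]} for i in range(10)]
    parts = split_groups(sample, limit=200)
    print(len(parts), [preflight(p, limit=200) for p in parts])
```

The check does not validate group names or members; SEM reports those as invalid event groups during import.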

Delete an event group

This procedure explains how to delete an event group from your SEM instance.

  1. In the SEM toolbar, click Configure > Event Groups.
  2. Select the checkbox next to each event group you want to delete.

  3. In the toolbar, click Delete.

  4. In the dialog box, click Delete.

    The selected event groups are deleted.