Documentation for Security Event Manager

Create a new rule

  1. On the SEM Console, click the Rules tab.
  2. On the Rules toolbar, click Create new rule.

    The Create new rule screen is displayed. The left area shows categories such as Events, Event Groups, User Defined Groups, etc.

  3. Click a category to show the entities it contains, and click an entity to show the entity fields it contains.

    The search box can be used to help find entities and entity fields. All matches are highlighted.

  4. Drag the appropriate entity or entity field into the rule definition builder.

    When you drag a value into the rule builder, the correct drop location is shown with a blue line.

    Moving an entity or entity field to the right pane creates a condition.

    • If it is an entity, by default the condition is created showing that the entity occurred.

      Click on "occurred" to change to "did not occur" if required.

    • If it is an entity field, by default the condition will be created showing that the field is equal to [blank].

      Click on "is equal to" to change to an alternative operator as required, and then either enter a value for the comparison, click the icon to display the available values, or drag across another field as appropriate.

  5. Once you have set up a part of a rule, you can change it by moving the cursor over it to display the rule builder toolbar.

    This enables you to:

    • apply occurrence settings for this part of the rule by clicking the icon
    • edit the expression by clicking the icon
    • delete the expression by clicking the icon
    • add an additional entity or entity field by clicking the icon
  6. To add subsequent rule parts, click the rule definition icon, and then create the condition as shown above.

  7. From the drop-down list, select an option, or enter a specific value or keyword directly.

  8. By default rule parts are linked with And operators to show that all rule parts must be true. To change an And operator, click And, and then select Or.

  9. By default, the actions are triggered whenever the conditions that make up the rule are true. However, you can change this so that the rule has to be true multiple times. For information, see Occurrence settings.

  10. Click Next to display Details and actions.

  11. Under Details and actions, enter a rule name and optional description.
  12. Click the icon to select one or more optional tags for this rule.

    Tags make it easier to catalog and find rules.

  13. Turn off the Enable rule after saving option if you want to save a rule without adding an action. The rule can be enabled afterward from the Rules screen.
  14. Turn on the Enable test mode option if you want to run this rule in test mode. This means it will run but will not trigger actions. This lets you see how the activated rule will behave without disrupting your network. You can identify test mode rules in your list by the Test icon.

  15. Click Add new action to add an action when the rule triggers.

  16. Enter a search term, or select an action from the list, and then click Next.
  17. Define the trigger action, and then click Add.

    SEM provides over 30 actions that can be triggered using rules, ranging from Sending a pop-up message to Disabling Networking. For each, the procedure is similar: select or enter the required parameters, and click Add.

  18. You can add multiple actions to a rule by clicking Add new action.

  19. Click Create when you have finished adding actions to this rule. The rule will now be available in the list of rules.
  20. To edit, delete, and toggle test mode, click the vertical ellipsis next to a rule.
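The rule semantics the steps above configure through the Console (an entity "occurred" or "did not occur", an entity field compared with an operator, parts linked by And or Or, "Enable rule after saving", and test mode that runs the rule without triggering actions) can be modelled in a few lines. The following is an added illustration, not SolarWinds code: the entity name, field names, operator set and sample event are all constructed for this example, and conditions are judged against one event at a time.

```python
from dataclasses import dataclass, field
# Operators selectable in place of "is equal to" (assumed subset, for illustration only).
OPERATORS = {
    "is equal to": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: str(expected) in str(actual),
}

@dataclass
class Condition:
    """One rule part: an entity that occurred, or an entity field compared to a value."""
    entity: str                  # constructed entity name, e.g. "UserLogonFailure"
    field_name: str = ""         # "" means the part is simply "<entity> occurred"
    operator: str = "is equal to"
    value: object = None
    negated: bool = False        # models "did not occur", judged per event in this toy

    def matches(self, event: dict) -> bool:
        if event.get("entity") != self.entity:
            hit = False
        elif not self.field_name:
            hit = True
        else:
            hit = OPERATORS[self.operator](event.get(self.field_name), self.value)
        return hit != self.negated

@dataclass
class Rule:
    name: str
    conditions: list
    link: str = "And"            # "And": every part must be true; "Or": any part
    enabled: bool = True         # "Enable rule after saving"
    test_mode: bool = False      # "Enable test mode": the rule runs, actions are not triggered
    actions: list = field(default_factory=list)      # action names, e.g. "Send pop-up message"
    triggered: list = field(default_factory=list)    # record of actions this toy would have run

    def evaluate(self, event: dict) -> str:
        """Return what the rule did with this event: disabled, no-match, test-mode or fired."""
        if not self.enabled:
            return "disabled"
        parts = [c.matches(event) for c in self.conditions]
        if not (all(parts) if self.link == "And" else any(parts)):
            return "no-match"
        if self.test_mode:
            return "test-mode"   # visible in the outcome, but nothing is triggered
        self.triggered.extend(self.actions)
        return "fired"

# Constructed sample event, shaped loosely like a normalised SEM logon-failure event.
SAMPLE_EVENT = {"entity": "UserLogonFailure", "SourceMachine": "10.0.0.25", "DestinationAccount": "admin"}
```

Switching `link` from "And" to "Or" on a three-part rule, or flipping `test_mode`, shows why the Console defaults (all parts must be true; actions suppressed in test mode) are the safe starting point before a rule is enabled for real.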