Rules
Administrator permissions are required to access this feature.
Axon uses analytic rules to examine ingested and normalized logs and generate Observations when log data matches the rule criteria. The Rules main page shows the list of out-of-the-box rules along with brief descriptions of what they do. Administrators can enable relevant rules for their environment. By default, all out-of-the-box rules are disabled.
View an Analytic Rule
- In the lower-left corner of the main screen, click the Administration cog.
The Administration menu appears on the left side.
- Under Analytics, click Rules.
The Rules list appears. By default, the rules are listed in alphabetical order. The table shows the following information for each rule:
Column | Description |
---|---|
Rule Name | The name of the rule. |
Enabled | The state associated with each rule. A disabled rule shows the toggle in the left position. An enabled rule shows the toggle in the right position. When the Administrator enables a rule, the analytics pipeline restarts and begins to use the rule. The restart may take a few minutes to occur. Rules can be enabled or disabled in a batch by checking the box next to each rule to be enabled or disabled, clicking the Actions menu next to the "x of y Selected" text, and then clicking either Enable Rules or Disable Rules. |
Author | The name of the Axon user who created the rule. |
Description | The description of the rule operators. |
- To view the Rule Logic Page for an analytic rule, click the three-dot menu next to the rule name in the Rules Table, and then click Edit Rule.
The Rule Logic page includes a description of the rule operators and the rule logic.
Upload a Rule
- In the upper-right corner of the Rules page, click the Action menu and select Upload Rule.
The Upload Rule Wizard appears.
- Browse and select a JSON file from your browser.
- Click Upload Rule.
Rule Actions
The following options are available when clicking the three-dot menu to the left of a rule's name.
Action | Description |
---|---|
Edit Rule | Click to open the Rule Logic Page. |
Download | Click to download a JSON file containing the rule configuration. This file can be uploaded in different instances of Axon. |
Show Output | Click to run a Search using the rule's parameters. |
Rule Logic Page
Clicking the Edit Rule option in the Rule Actions menu opens the Rule Logic page. This page displays some of the rule configuration settings created using the Rule Builder.
The actions menu at the top-right corner of the Rule Logic page contains the following options:
Action | Description |
---|---|
Enable | Click to enable the rule. |
Disable | Click to disable the rule. |
Download | Click to download a JSON file containing the rule configuration. This file can be uploaded in different instances of Axon. |
Revert | Click to revert any changes made to the rule. |
Edit | Click to make changes to the rule. |
Show Output | Click to run a Search using the rule's parameters. |
Subscribe to Observation Email Updates
You can sign up to receive notifications both in Axon and via email each time an Observation is triggered as a result of a rule firing.
For more information, see the Observation Alerts topic.