You can create an alarm rule from any Investigation results screen for a log that is forwarded as an Event.
The selected log must match a rule in order to trigger an alarm. Creating an alarm rule from an unmatched or unidentified log results in an error.
- Run an Investigation.
- Click a log to select it, right-click it, and then click Create Alarm Rule.
- Respond to the Metadata and Global Rule prompts.
The alarm rule is generated with settings that are based on the selected log, as follows:
- Common Event = True
- MPERule = False
- Origin Host = False
- Impacted Host = False
- Impacted Application = True if the log has a value, otherwise False
- Origin Login = True if the log has a value, otherwise False

- Common Event: the log's Common Event is added
- Log Source Criteria
- Field Filters: Direction
- Field Filters: Login: if the log has a value for Login, that value is filtered in
- Field Filters: Impacted Application: if the log has a value for Known Impacted Application, that value is filtered in
- The person who created the alarm is added
- Alarm Rule Name: the values for Common Event, Login, and Impacted Application are concatenated
- Confirm or change the settings on all tabs.
- To save the alarm, click OK.
- Respond to the prompt to enable.