Create Alarm Rules for Known Logs
You can create an alarm rule from any investigation results screen for a log that is forwarded as an Event.
The selected log must already match a rule in order to generate an alarm. Creating an alarm rule on an unmatched or unidentified log results in an error.
- Run an Investigation.
- Click a log to select it, right-click it, and then click Create Alarm Rule.
- Respond to the Metadata and Global Rule prompts.
The alarm rule is created with settings that are based on the selected log, as shown in this table:

| Setting | Value |
| --- | --- |
| Alarm After | 1 occurrence |
| Grouping | Common Event = True; MPE Rule = False; Origin Host = False; Impacted Host = False; Impacted Application = True if the log has a value, otherwise False; Origin Login = True if the log has a value, otherwise False |
| Alarm Suppression | 30 minutes |
| Event Criteria | Common Event added |
| Day/Time Criteria | None |
| Log Source Criteria | None |
| Traffic Filters | None |
| Field Filters: Direction | None |
| Field Filters: Login | If the log has a value for Login, filter in that value |
| Field Filters: Impacted Application | If the log has a value for Known Impacted Application, filter in that value |
| Notifications | Add the person who created the alarm |
| Alarm Rule Name | Concatenate the values for Common Event, Login, and Impacted Application |
- Confirm or change the settings on all tabs.
- To save the alarm, click OK.
- Respond to the prompt to enable the alarm rule.
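The following is an added, illustrative example (not LogRhythm's own code) of how the defaults in the table above are derived from a selected log: grouping flags and field filters depend on whether the log carries a Login or Impacted Application value, the rule name is built from those values, and an unmatched log is rejected. The log field names and the space separator used in the rule name are assumptions.

```python
from dataclasses import dataclass, field


class UnmatchedLogError(ValueError):
    """The selected log did not match a rule, so no alarm rule can be created."""


@dataclass
class AlarmRule:
    name: str
    alarm_after: int = 1            # occurrences
    suppression_minutes: int = 30
    grouping: dict = field(default_factory=dict)
    event_criteria: list = field(default_factory=list)
    field_filters: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)


def build_alarm_rule(log: dict, creator: str) -> AlarmRule:
    """Derive the default alarm rule settings from a selected log.

    Assumed log keys (not LogRhythm's real field names): "mpe_rule",
    "common_event", "login", "impacted_application".
    """
    # A log that was not matched by a rule cannot produce an alarm rule.
    if not log.get("mpe_rule") or not log.get("common_event"):
        raise UnmatchedLogError("log must match a rule before an alarm can be created")
    common_event = log["common_event"]
    login = log.get("login")
    app = log.get("impacted_application")
    grouping = {
        "Common Event": True,
        "MPE Rule": False,
        "Origin Host": False,
        "Impacted Host": False,
        "Impacted Application": bool(app),   # True only if the log has a value
        "Origin Login": bool(login),         # True only if the log has a value
    }
    # Filter in Login / Impacted Application only when the log carries a value.
    field_filters = {k: v for k, v in (("Login", login), ("Impacted Application", app)) if v}
    # Rule name: concatenated Common Event, Login, Impacted Application (separator assumed).
    name = " ".join(v for v in (common_event, login, app) if v)
    return AlarmRule(name=name, grouping=grouping, event_criteria=[common_event],
                     field_filters=field_filters, notifications=[creator])


if __name__ == "__main__":
    # Constructed sample log: matched by a rule, has a login but no impacted application.
    sample = {"mpe_rule": "Example Rule", "common_event": "Failed Authentication", "login": "jdoe"}
    print(build_alarm_rule(sample, creator="analyst"))
```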