Skip to main content
Skip table of contents

Create Alarm Rules for Known Logs

 You can create an alarm rule from any investigation results screen for a log that is forwarded as an Event.

The selected log must match a rule to incur an alarm. Creating an alarm on unmatched or unidentified logs results in an error.

  1. Run an Investigation.
  2. Click a log to select it, right-click it, and then click Create Alarm Rule.
  3. Respond to the Metadata and Global Rule prompts.
    The alarm is generated with settings that are based on the selected log as shown in this table:


    Alarm After

    1 occurrence


    • Common Event = True
    • MPERule = False
    • Origin Host = False
    • Impacted Host = False
    • Impacted Application = True if log has value, otherwise false
    • Origin Login = True if log has value, otherwise false

    Alarm Suppression

    30 minutes

    Event Criteria

    Common Event added

    Day/Time Criteria


    Log Source Criteria


    Traffic Filters


    Field Filters: Direction


    Field Filters: Login

    If log has value for Login, filter-in value

    Field Filters: Impacted Application

    If log has value for Known Impacted Application, filter in value.


    Add the person who created the alarm

    Alarm Rule Name

    Concatenate values for Common Event, Login, and Impacted Application

  4. Confirm or change the settings on all tabs.
  5. To save the alarm, click OK.
  6. Respond to the prompt to enable.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.