Purpose: Find an event, and if the specified asset is the source or target, generate a correlation event.
Assets are part of your network model as described in Modeling the Network.
To add an asset condition to a rule:
In the Rules resource tree, right-click a rule and choose Edit Rule.
In the Rules Editor, select the Conditions tab.
Click the And, Or, or Not button, or right-click a logical operator and choose New Logical Operator, then And, Or, or Not.
If there are existing conditions, you can tie them to the asset condition with either the AND, OR, or NOT logic operator. If AND is used, all the existing conditions and the asset condition must occur in the event. If OR is used, either the existing conditions or the asset condition must occur. If NOT is used, all but the asset condition must occur.
Select the logical operator and click the Assets button on the rule editor toolbar, or right-click the logical operator and select New Assets Condition.
In the Assets panel below, select Source Asset ID to monitor if an asset is the source of an event or Target Asset ID to monitor if an asset is the target.
Select an asset or group and click Apply.
The asset condition appears in the Correlate section and is tied to any existing condition statements with the logic operator selected.
On the Conditions tab, click OK.
See also Logical Operators, Condition Tree Command Buttons, Condition Tree Context Menu Commands, Common Conditions Editor (CCE), and Adding Conditions.