| Command | Description | Applies To |
|---|---|---|
| New Condition | Add a new condition statement below the selected element. Type the statement directly in the tree or choose a field from the pop-up menu. | operator, event field |
| New Logical Operator | Add a new logical operator to the selected element. See Logical Operators. | event alias, operator, event field |
| New Constant Condition | Add a Boolean (True/False) AND operator to the selected branch. | operator |
| New "Matches Filter" Condition | Use the Filter selector to identify a particular filter as a matching argument for a condition. See also Creating Matching or Join Conditions. | operator, event field |
| New "Assets" Condition | Use the Assets selector to identify an asset or group as the argument for a condition. See also Adding Asset Conditions. | operator, event field |
| New "Has Vulnerability" Condition | Use the Vulnerability selector to identify a vulnerability as the argument for a condition. See also Adding Vulnerability Conditions. | operator, event field |
| New "InActiveList" Condition | Use the Active List selector to identify a particular active list that contains the argument for a condition. It is used to map a field or a global variable in the event schema to a corresponding field in an active list. It does not evaluate items in other non-event schemas (such as cases or assets). When the InActiveList condition is used to compare values in two lists, an additional option is shown where you can specify whether All values in list field must match. If this option is checked, the Active List condition evaluates to true only if all values in both lists match. If it is not selected, the condition evaluates to true if any field is in both lists. Note: The InActiveList operator option evaluates single-value attributes and multi-value attributes. The field you map could return multiple values. In the case of multi-value attributes, if any one value matches, the condition evaluates to true. Consider this scenario for multi-value attributes: An active list keeps track of actor roles where role values can be one of Normal, Restricted, or Privileged. You can test if an actor has one of these roles. If your list has a field called RoleName, you map the actor's RoleName attribute to this field. Keep in mind that an actor's RoleName attribute is multi-valued because an actor can have multiple roles. Through the InActiveList condition, you can have a query that checks if one of the actor's roles is Privileged. A condition that tests for whether all or any values in a list match is only available to specify on queries and on in-memory operations such as rules, filters, and data monitors. | operator, event field |
| New "InCase" Condition | Use the Cases resource tree to identify a particular case as the argument for a condition. For events, the condition checks if the event is part of a case's details. Note: The channel that uses a filter with the InCase condition is set to evaluate only once, therefore making the channel static. In this situation, if a rule subsequently adds an event to the case as you are viewing the case's events on the channel, the channel is not updated until you close, then re-open (refresh) the channel. See also: | operator, event field |
| New Event Definition | Create and name a new event alias to add to the root. Note: This option applies only to Rules. | root |
| Change Operator | Change the rule operator to And, Or, or Not. | operator |
| Set Global Expiration Time | For rules, set the amount of time that qualifying events for all aliases are retained in memory for evaluation, based on Manager receipt-time. Setting an alias expiration overrides a global expiration, if present. See Specifying Rule Thresholds and Aggregation for more information. Note: This option applies only to Rules. | root |
| Align Nodes | When selected, shows the hierarchical structure of event conditions. Note: This option applies only to Rules. | root |
| Edit | Open a text box in which to change the selected element. | operator, event field |
| Undo | Undo an action. | all actions |
| Redo | Redo an action. | all actions |
| Cut | Cut the selected elements of the condition tree to the Clipboard. | root, event alias, operator, asset, event field |
| Copy | Copy the selected elements of the condition tree to the Clipboard. | root, event alias, operator, asset, event field |
| Paste | Paste the conditional element currently on the Clipboard to the end of the selected element in the tree. | root, event alias, operator, asset, event field |
| Delete | Delete the selected elements of the condition tree. | event alias, operator, asset, event field |
| Set Alias Expiration Time | For rules, set the amount of time that a qualifying event for this alias (only) is retained in memory for evaluation, based on Manager receipt-time. See Specifying Rule Thresholds and Aggregation for more information. Note: This option applies only to Rules. | event alias |
| Consume After Match | Use the event only once to fire a rule. Thereafter, additional joins with other event conditions are not performed within the rule's time window. This setting is used to reduce the number of correlation alerts. By default, this setting is off. If disabled, an event matching a rule's event condition alias stays in working memory and continues to combine with events that match other aliases, until the event itself expires within the time window. Note: This option applies only to Rules. | joins |
| Negated | For rules, a way to monitor the non-occurrence of an event. See Negating Event Conditions for details on how to trigger rule actions based on negated events. Setting an event condition to Negated requires you to enter a timeout value. If the negated event is not sent from the device within this period, the rule is triggered. Note: This option becomes available if the rule has two or more event conditions. | event condition alias |
| Set Matching Time | Sets the maximum time difference between the partially-matched aliases. Note: This option applies only to Rules. | matching event operator |
| Print Conditions and Tree Summary | Prints the condition definition as shown on the Edit tab and the Summary statement. Selecting this menu option brings up a Print Preview dialog where you can view what will print, and set printer options. | event alias, operator, asset |
| Help | Open the online Help system for information about the type of resource being edited. | root, event alias, operator, asset, event field |
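The InActiveList row above describes three matching behaviours: a single-valued field matches when its value is in the list column, a multi-valued field matches when any one of its values is, and the "All values in list field must match" option tightens that. The following Python model is an added example, not ArcSight code: the active list, the actor records and the `in_active_list` helper are constructed here, and reading "all values in both lists match" as set equality is an assumption.

```python
"""Added example: the InActiveList comparison semantics for single- and multi-valued fields."""
from typing import Iterable, List, Set, Union

Value = Union[str, Iterable[str]]


def as_set(value: Value) -> Set[str]:
    """A single-valued attribute becomes a one-element set; a multi-valued one is used as-is."""
    return {value} if isinstance(value, str) else set(value)


# Constructed active list: one row per sensitive role, with a RoleName column.
SENSITIVE_ROLES_LIST = [
    {"RoleName": "Privileged"},
    {"RoleName": "Restricted"},
]


def list_column(active_list: List[dict], field: str) -> Set[str]:
    """All values held in one column of the active list."""
    return {row[field] for row in active_list}


def in_active_list(mapped_value: Value, active_list: List[dict], list_field: str,
                   all_values_must_match: bool = False) -> bool:
    """Evaluate <mapped field> InActiveList(<list field>).

    - single-valued field: true when the value is a row of the list column
    - multi-valued field, option off: true when any one value is in the list column
    - multi-valued field, option on: true only when both value sets are identical
      (assumption: this is how "all values in both lists match" is read here)
    """
    mapped = as_set(mapped_value)
    listed = list_column(active_list, list_field)
    if all_values_must_match:
        return mapped == listed
    return not mapped.isdisjoint(listed)


# Constructed actors; RoleName is multi-valued because an actor can hold several roles.
ACTORS = {
    "alice": {"RoleName": {"Normal"}},
    "bob": {"RoleName": {"Normal", "Privileged"}},
    "carol": {"RoleName": {"Restricted", "Privileged"}},
}


def actors_with_sensitive_role(all_values_must_match: bool = False) -> List[str]:
    """Names of actors whose RoleName attribute satisfies the InActiveList condition."""
    return sorted(
        name for name, attrs in ACTORS.items()
        if in_active_list(attrs["RoleName"], SENSITIVE_ROLES_LIST, "RoleName",
                          all_values_must_match)
    )


if __name__ == "__main__":
    print("any role matches:", actors_with_sensitive_role())
    print("all values must match:", actors_with_sensitive_role(all_values_must_match=True))
```

With the option off, bob and carol both match because one of their roles is in the list; with it on, only carol matches, since her role set equals the list column exactly. The difference matters when a rule is meant to fire on "holds any sensitive role" versus "holds exactly this combination of roles".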
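The Set Global Expiration Time, Set Alias Expiration Time and Consume After Match rows describe how a join rule keeps events in working memory. The simulation below is an added example, not ArcSight's correlation engine: it models a two-alias rule (`e1`, `e2`) joined on a user name, retention measured from a constructed receipt-time clock, a per-alias expiration overriding the global one, and the effect of consuming an `e1` event after its first match. The event stream and all timings are constructed.

```python
"""Added simulation of a two-alias join rule's working memory (not ArcSight's engine)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Event:
    alias: str          # event condition alias the event satisfied: "e1" or "e2"
    user: str           # join key shared by the two aliases
    receipt_time: int   # Manager receipt time in seconds (constructed clock)


@dataclass
class JoinRule:
    global_expiration: int                                          # retention for aliases without an override
    alias_expiration: Dict[str, int] = field(default_factory=dict)  # per-alias overrides
    consume_after_match: Dict[str, bool] = field(default_factory=dict)
    working_memory: Dict[str, List[Event]] = field(
        default_factory=lambda: {"e1": [], "e2": []})

    def retention(self, alias: str) -> int:
        """Alias expiration overrides the global one when present."""
        return self.alias_expiration.get(alias, self.global_expiration)

    def expire(self, now: int) -> None:
        """Drop events whose retention window, measured from receipt time, has passed."""
        for alias, events in self.working_memory.items():
            ttl = self.retention(alias)
            self.working_memory[alias] = [e for e in events if now - e.receipt_time <= ttl]

    def feed(self, event: Event) -> List[Tuple[Event, Event]]:
        """Insert one event and return the (e1, e2) joins it completes."""
        self.expire(event.receipt_time)
        other = "e2" if event.alias == "e1" else "e1"
        consume_self = self.consume_after_match.get(event.alias, False)
        consume_partner = self.consume_after_match.get(other, False)
        matches: List[Tuple[Event, Event]] = []
        kept: List[Event] = []
        for partner in self.working_memory[other]:
            # a consumed alias fires at most once, so stop joining after the first match
            if partner.user == event.user and not (consume_self and matches):
                matches.append((event, partner) if event.alias == "e1" else (partner, event))
                if consume_partner:
                    continue          # partner has fired once; it leaves working memory
            kept.append(partner)
        self.working_memory[other] = kept
        if not (matches and consume_self):
            self.working_memory[event.alias].append(event)   # stays until it expires
        return matches


# Constructed event stream for one user: one e1, then three e2 at different times.
STREAM = [
    Event("e1", "alice", 0),
    Event("e2", "alice", 10),
    Event("e2", "alice", 20),
    Event("e2", "alice", 130),
]


def count_correlations(consume_e1: bool) -> int:
    """Number of rule firings for STREAM with Consume After Match on/off for alias e1."""
    rule = JoinRule(global_expiration=60, alias_expiration={"e1": 120},
                    consume_after_match={"e1": consume_e1})
    return sum(len(rule.feed(ev)) for ev in STREAM)


if __name__ == "__main__":
    print("consume off:", count_correlations(False))  # e1 joins both e2s inside its window
    print("consume on: ", count_correlations(True))   # e1 fires once, then leaves memory
```

With Consume After Match off, the single `e1` event stays in working memory and joins with every matching `e2` that arrives inside its 120-second alias window (two firings); the `e2` at 130 seconds finds nothing because `e1` has expired. With it on, `e1` fires once and is removed, which is the alert-reduction effect the table describes.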