Before creating rules, determine which events you want to monitor. Be as specific and as clear as possible. For example, monitoring all events from a Cisco Router would not be as useful as monitoring all denied events from that Cisco Router. In addition, the more conditions you add to a rule, the more specific the rule becomes.
Use the ArcSight data fields to guide you in selecting and specifying conditions.
Caution: If you are editing a standard rule because you want to change its rule type, follow the instructions in Converting Rule Types.
Where: Navigator > Resources > Rules
To create or edit a rule:
If you are creating a rule, right-click a group and select New Rule | <Rule Type>. See Rule Types for guidelines on rule types.
If you are editing a rule, right-click the rule and select Edit Rule.
On the Attributes tab, enter or change the name in the Name text field.
The name is restricted to 25 characters. Be as descriptive as possible. The name is stored in the Event Name data field and appears in the Event Name column on the grid view.
Entering data in the Common and Assign sections is optional, depending on how your environment is configured. For information about the Common and Assign attributes sections, as well as the read-only attribute fields in Parent Groups and Creation Information, see Common Resource Attribute Fields.
Required: Define conditions on the Conditions tab following instructions in Specifying Rule Conditions. You cannot save the rule without specifying conditions. Non-standard rules have restrictions (see Rule Types for details).
To view the full conditions for the MatchesFilter operator, click the Summary tab and then click the Expand Filter button to display the filter conditions for debugging.
Note that the expanded MatchesFilter logic does not show any sub-filter that the matched filter itself references: only the first level of the matched filter's conditions is expanded, and a nested MatchesFilter inside it remains a reference.
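As an added illustration, not ArcSight code and not the product's real condition engine, the following Python model shows two points from this section: that each added condition narrows what a rule matches (the "Cisco Router" versus "denied Cisco Router events" case), and that expanding a MatchesFilter one level leaves the matched filter's own sub-filter as a reference. It assumes a simplified condition model (Equals, And, MatchesFilter), a constructed filter library, constructed sample events, and uses deviceVendor, deviceProduct and deviceAction, which are standard ArcSight event fields, with constructed values. The name-length and missing-conditions checks mirror the limits stated in the steps above.

```python
"""Constructed model of rule conditions and MatchesFilter expansion (not ArcSight code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Event = Dict[str, str]


@dataclass(frozen=True)
class Equals:            # field = value
    field: str
    value: str


@dataclass(frozen=True)
class And:               # all children must match
    children: Tuple["Condition", ...]


@dataclass(frozen=True)
class MatchesFilter:     # reference to a named filter resource
    filter_name: str


Condition = Union[Equals, And, MatchesFilter]

# Constructed filter library. "Cisco Router Events" references "Cisco Devices",
# which is the nested case the note above describes.
FILTERS: Dict[str, Condition] = {
    "Cisco Devices": Equals("deviceVendor", "Cisco"),
    "Cisco Router Events": And((MatchesFilter("Cisco Devices"), Equals("deviceProduct", "IOS"))),
}


def evaluate(cond: Condition, event: Event, filters: Dict[str, Condition] = FILTERS) -> bool:
    """Return True if the event satisfies the condition, resolving filter references."""
    if isinstance(cond, Equals):
        return event.get(cond.field) == cond.value
    if isinstance(cond, And):
        return all(evaluate(c, event, filters) for c in cond.children)
    if isinstance(cond, MatchesFilter):
        return evaluate(filters[cond.filter_name], event, filters)
    raise TypeError(f"unknown condition {cond!r}")


def expand_filter(cond: Condition, filters: Dict[str, Condition] = FILTERS,
                  depth: Optional[int] = 1) -> Condition:
    """Inline MatchesFilter references down to `depth` levels (None = fully).
    depth=1 behaves like the Summary tab's Expand Filter: the matched filter's
    conditions are shown, but a MatchesFilter inside it stays a reference."""
    if isinstance(cond, MatchesFilter):
        if depth is not None and depth <= 0:
            return cond
        next_depth = None if depth is None else depth - 1
        return expand_filter(filters[cond.filter_name], filters, next_depth)
    if isinstance(cond, And):
        return And(tuple(expand_filter(c, filters, depth) for c in cond.children))
    return cond


def to_text(cond: Condition) -> str:
    """Render a condition tree in a readable rule-summary style."""
    if isinstance(cond, Equals):
        return f'{cond.field} = "{cond.value}"'
    if isinstance(cond, MatchesFilter):
        return f'MatchesFilter("{cond.filter_name}")'
    if isinstance(cond, And):
        return "(" + " AND ".join(to_text(c) for c in cond.children) + ")"
    raise TypeError(f"unknown condition {cond!r}")


def count_matches(cond: Condition, events: List[Event]) -> int:
    return sum(evaluate(cond, e) for e in events)


def validate_rule(name: str, condition: Optional[Condition]) -> List[str]:
    """Checks matching the limits stated in the procedure: 25-char name, conditions required."""
    problems = []
    if len(name) > 25:
        problems.append("name exceeds 25 characters")
    if condition is None:
        problems.append("rule has no conditions")
    return problems


# Constructed sample events (not real log data).
SAMPLE_EVENTS: List[Event] = [
    {"deviceVendor": "Cisco", "deviceProduct": "IOS", "deviceAction": "permit", "sourceAddress": "10.0.0.5"},
    {"deviceVendor": "Cisco", "deviceProduct": "IOS", "deviceAction": "deny", "sourceAddress": "10.0.0.9"},
    {"deviceVendor": "Cisco", "deviceProduct": "ASA", "deviceAction": "deny", "sourceAddress": "10.0.0.9"},
    {"deviceVendor": "Palo Alto Networks", "deviceProduct": "PAN-OS", "deviceAction": "deny", "sourceAddress": "10.0.0.7"},
]

# Broad rule: every event from the Cisco router. Specific rule: only the denied ones.
BROAD_RULE: Condition = MatchesFilter("Cisco Router Events")
SPECIFIC_RULE: Condition = And((MatchesFilter("Cisco Router Events"), Equals("deviceAction", "deny")))

if __name__ == "__main__":
    print("broad matches:", count_matches(BROAD_RULE, SAMPLE_EVENTS))
    print("specific matches:", count_matches(SPECIFIC_RULE, SAMPLE_EVENTS))
    print("one-level expand:", to_text(expand_filter(BROAD_RULE)))
    print("full expand:     ", to_text(expand_filter(BROAD_RULE, depth=None)))
```

Running it shows the broad rule matching both router events while the specific rule matches only the denied one, and the one-level expansion printing `MatchesFilter("Cisco Devices")` where the full expansion prints `deviceVendor = "Cisco"`, which is the difference to keep in mind when debugging a filter from the Summary tab.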
For standard rules, add correlating events, specify thresholds and time windows to qualify events, and aggregate incoming event data based on matching fields on the Aggregation tab. See Specifying Rule Thresholds and Aggregation.
Note: The Aggregation tab is enabled for standard rules only.
Optional: To add information in the Notes tab, refer to Using Notes.
Click OK.