Creating a rule involves defining the events the rule evaluates, the thresholds, and the actions you want the rule to trigger. Conditions define which events trigger the rule, thresholds determine when a condition is met and a correlation event is generated, and actions state what responses are taken when a correlation event is generated.
To define rule events and conditions, thresholds, and actions, begin by determining:
Which event occurrences do I want to be aware of? This determines what events this rule needs to monitor and the conditions to be tested.
How many times do I want the event or events to occur and within what time frame? This determines the rule's threshold.
What actions should automatically occur when an event is generated? When should those actions occur? This determines the rule's actions.
Before you create rules, determine which events you want to monitor. Be as specific and clear as possible. For example, monitoring all events from a Cisco router would not be as useful as monitoring all denied events from that Cisco router. In addition, the more conditions you add to a rule, the more specific the rule becomes. Use the ArcSight data fields to guide you in selecting and specifying conditions. For more information, see Data Fields.
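As an added illustration (not ArcSight's own code or rule syntax), the following Python model shows how the three parts fit together for the example above: a condition that keeps only denied events from the Cisco device, a threshold of three matches from one source address within two minutes, and an action that runs on the resulting correlation event. The field names (deviceVendor, categoryOutcome, sourceAddress, endTime) follow ArcSight's naming but are assumed here, and all sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def denied_from_cisco(event):
    """Condition: only denied (failed) events from the Cisco device are evaluated."""
    return event["deviceVendor"] == "Cisco" and event["categoryOutcome"] == "/Failure"

class Rule:
    """Toy ArcSight-style rule: condition -> threshold -> actions (not the real engine)."""
    def __init__(self, condition, count, window, aggregate_by, actions):
        self.condition = condition               # which events the rule evaluates
        self.count, self.window = count, window  # threshold: N matches within window
        self.aggregate_by = aggregate_by         # fields that group events into one sequence
        self.actions = actions                   # responses taken on a correlation event
        self.buckets = defaultdict(deque)        # recent match times, per group key

    def evaluate(self, event):
        """Feed one event; return the correlation event if the threshold is met."""
        if not self.condition(event):
            return None
        key = tuple(event[f] for f in self.aggregate_by)
        times = self.buckets[key]
        times.append(event["endTime"])
        while event["endTime"] - times[0] > self.window:  # evict matches outside the window
            times.popleft()
        if len(times) < self.count:
            return None
        times.clear()  # one correlation event per burst, then start counting again
        correlated = {"rule": "Cisco denied burst", "key": key,
                      "matched": self.count, "endTime": event["endTime"]}
        for action in self.actions:
            action(correlated)
        return correlated
T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed base time for the sample events

def ev(seconds, vendor="Cisco", outcome="/Failure", src="10.0.0.5"):
    """Constructed sample event using ArcSight-style field names (assumed here)."""
    return {"endTime": T0 + timedelta(seconds=seconds), "deviceVendor": vendor,
            "categoryOutcome": outcome, "sourceAddress": src}
SAMPLE_EVENTS = [ev(0), ev(10, outcome="/Success"), ev(20), ev(30, vendor="Juniper"),
                 ev(40), ev(200, src="10.0.0.9"), ev(210, src="10.0.0.9"),
                 ev(500), ev(600), ev(700)]  # 500/600/700 never put 3 inside 2 minutes

def run_rule(events):
    """Evaluate the sample rule; return (correlation events, notifications sent)."""
    sent = []  # the action records a notification here instead of sending one
    rule = Rule(denied_from_cisco, count=3, window=timedelta(minutes=2), aggregate_by=("sourceAddress",),
                actions=(lambda c: sent.append(f"{c['rule']} from {c['key'][0]}"),))
    return [c for e in events if (c := rule.evaluate(e)) is not None], sent
```

Only the burst at 0, 20 and 40 seconds fires; the two events from the second source stay below the count, and the 500/600/700 sequence shows the window evicting the oldest match so the threshold is never reached.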