For rule actions, consider the following factors:
Action sequence
Add actions in the order in which you want them to be executed. For example, to set a static value in an active list, first add the Set Event Field action, then add the Add to Active List action.
The Editor does not always match the internal representation of the specified order of rule actions. However, if you add rule actions in the proper order, that order is maintained internally.
Actions added to a rule show up the first time in the order you add them. You can continue to modify these and they show up in this order. After you click Apply, the display reorders the actions so that Add to Active List shows up first even though the internal representation has not been modified. Even so, rule actions continue to work as expected unless you change the order. For example, if you delete the Set Event Field action and then add it back in after the Add to Active List action is already configured, the rule actions are mis-ordered and do not trigger as expected.
Rule actions for lightweight and pre-persistence rules
If you are creating or editing a lightweight rule, the rule can only act on active and session lists. If you are creating or editing a pre-persistence rule, the only available action is to set an event field.
You can use references to Velocity Templates as parameters for rule actions to derive values from event fields and variables. (For additional details, see Velocity Templates.)
If you are using Velocity expressions to derive values from variables and your rule is acting on an active or session list, perform these extra steps in conjunction with your action:
Aggregate over the fields of interest on the rule’s Aggregation tab.
Use the Set Event Field action to set unused fields to the fields you specified for aggregation. Start with the $ symbol followed by the exact name of the variable but without any special characters like spaces and dots. For example, if the variable is ActorByAccountID.Last Name, you may use something like:
$ActorByAccountIDLast_Name
Continue by specifying the list to be acted on by the rule.
Note: Duplicate rule actions after a crash recovery:
If you stop ESM, it takes a checkpoint of the rules engine so that it knows what actions have been performed and where it stopped. If ESM crashes in such a way that it cannot take a checkpoint (during a power failure, for example), it returns to the last checkpoint when ESM restarts, and replays events from there. Any actions that occurred between that checkpoint and the ESM crash are therefore repeated. Repeated actions that generate audit events generate duplicate audit events.
Consider how each action behaves when it is repeated, because not every action duplicates harmlessly. For example, if an action adds an item to an Active List, that item's counter is incremented again. If the action runs a command, the command runs again, and so on.
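The replay behaviour described in this note, as a small simulation added here (not ArcSight code): one rule whose actions add to an active list and run a command, a checkpoint taken partway through a constructed event stream, and a restart that replays everything after that checkpoint. The idempotency record keyed by event id is a constructed mitigation, assumed to persist alongside the list across the crash, and shows what it means for an action to duplicate safely.

```python
"""Simulation (added example, not ArcSight code) of why rule actions repeat after
an ESM crash: events between the last rules-engine checkpoint and the crash are
replayed on restart, so their actions fire a second time."""

# Constructed sample events; 'id' stands in for an event's unique identifier.
EVENTS = [{"id": n, "user": u} for n, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
CHECKPOINT_AT = 3  # checkpoint written after events 0..2 were processed


class SimulatedEngine:
    """Minimal model: one rule whose actions are 'Add to Active List' and 'run a command'."""

    def __init__(self, idempotent=False):
        self.counters = {}        # active list: entry -> hit counter (persists across the crash)
        self.commands = []        # commands executed (each run generates an audit event)
        self.applied_ids = set()  # hypothetical persisted record of event ids already acted on
        self.idempotent = idempotent

    def fire_actions(self, event):
        if self.idempotent and event["id"] in self.applied_ids:
            return  # already acted on this event: skip instead of re-incrementing
        self.applied_ids.add(event["id"])
        self.counters[event["user"]] = self.counters.get(event["user"], 0) + 1
        self.commands.append(f"notify {event['user']}")

    def run(self, events, start, stop):
        for event in events[start:stop]:
            self.fire_actions(event)


def simulate_crash_and_replay(idempotent=False):
    """Process all events, crash after the last checkpoint, restart and replay from it."""
    engine = SimulatedEngine(idempotent)
    engine.run(EVENTS, 0, CHECKPOINT_AT)            # processed and checkpointed
    engine.run(EVENTS, CHECKPOINT_AT, len(EVENTS))  # processed, then crash: no new checkpoint
    # Restart: the engine resumes from the stale checkpoint and replays the tail.
    engine.run(EVENTS, CHECKPOINT_AT, len(EVENTS))
    return engine.counters, engine.commands


def repeated_actions(commands):
    """Commands that ran more than once: the source of the duplicate audit events the note describes."""
    seen, repeated = set(), []
    for command in commands:
        if command in seen:
            repeated.append(command)
        seen.add(command)
    return repeated


if __name__ == "__main__":
    for mode in (False, True):
        counters, commands = simulate_crash_and_replay(idempotent=mode)
        print("idempotent" if mode else "naive", counters, repeated_actions(commands))
```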