Specifying Rule Conditions

Purpose:

To find events that match the rule condition statements; and if matching events are found:

1. Trigger the rule action(s).
2. Generate a correlation event.

Definition of terms:

• Base events are the events that match the rule's conditions. They are also called correlated events.
• Correlation event is a system-generated audit event that caused the rule to trigger.

Topics include:

• Creating Rule Conditions

• Adding Filter Conditions

• Adding Asset Conditions

• Adding Vulnerability Conditions

• Adding Active List (InActiveList) Conditions

• Creating Matching or Join Conditions

• Negating Event Conditions

• Optimizing the Evaluation of Event Conditions