Submit a ticketCall us

Systems Monitoring for Dummies
Our new eBook will teach you the fundamentals and help you create monitors and alerts that are effective, meaningful, and actionable. Monitoring is more than a checkbox on your to-do list. This free eBook will give you practical advice to help you succeed in all aspects of monitoring – discovery, alerting, remediation, and troubleshooting. Don’t miss out on this indispensable resource for newbies, experienced IT pros, and everyone in between. Register Now.

Home > Success Center > Log & Event Manager (LEM) > How to create a custom rule for LEM

How to create a custom rule for LEM

Table of contents

Updated 11/30/2017

Overview

This document will help you create a custom rule for the Log and Event Manager (LEM).

Environment

  • All versions of LEM

Steps

  1. Perform an nDepth search looking for the type of event for which you want a custom rule. 
  2. Write down or screen capture the nDepth search and the fields you would want to have in an email when your rule is triggered. Example: Event Info, Detection IP, Extraneous Info, Source Account, etc.
  3. Build the Email (optional):
    1. Go to Build > Groups.
    2. On the Left side of the screen, change the filter type from All to Email. 
    3. Choose an email that closely resembles what you are looking for, or click the plus symbol in the upper right and choose Email Template. 
    4. Name your Email Template. Best practice would be to name your template the same as the rule you are creating.
    5. In the Subject line, enter the rule name. When the rule fires, you know which one is firing right away.
    6. Add your fields
      1. Lower left, enter the field names you are looking for. This is best done by using the field names instead of creating your own.
      2. Click the plus sign to save the field.
      3. Add additional fields the same way until you have what you want. 
    7. In the body of the email put the name of one field. Then end with a colon and a space. Example: "Event Info: "
    8. Move the event from the left side to the body by clicking on it, dragging, and dropping.
    9. Repeat steps "h" and "i" for all event fields you want to have in the template.
    10. Save the email template
  4. Create the rule:
    1. Go to Build > Rules.
    2. Click the plus symbol in the upper right corner of the window.
    3. Name your rule. Best practice is to name the rule with what you are firing the rule on. Example: "User Login After Hours".
    4. Provide a brief description stating what this rule accomplishes.
    5. Recreate your nDepth search that gave you the event you are looking for. 
    6. Select Actions.
    7. Select Send Email. 
    8. Choose the template you previously created
    9. Select the recipients. This assumes you have already added an email address to the Users, and created the Email Active Response Connector
    10. Fill out the fields for the email by clicking, dragging, and dropping the fields you need from the Event to the email field with the corresponding name. 
    11. At the top middle of the rule, put a check mark in Enable and test.
    12. Click Save.
    13. Click Activate Rules in the upper Right of the window. 
  5. Test your rule:
    1. Perform the action that would cause your Rule to trigger.
    2. Go to Monitor > Overview > Rule Activity.
    3. If your rule fired the desired amount of times:
      1. Go to Build > Rules > Edit your rule > remove the check mark from Test.
      2. Save the Rule.
      3. Click Activate Rules.
    4. If your rule didn't do anything:
      1. Check your nDepth search for the exact criteria you built your Rule upon. 
      2. If nothing shows, you need to adjust your criteria to match those for which you are looking. 
      3. Modify your Rule to match the nDepth search. 
      4. Test again until it works correctly. 

 

 

 

Last modified

Tags

Classifications

Public