
How to create a custom rule for LEM

Updated: September 27, 2018

Overview

This document will help you create a custom rule for the Log and Event Manager (LEM).

Environment

  • All versions of LEM

Steps

  1. Perform an nDepth search looking for the type of event for which you want a custom rule. 
  2. Write down or screen capture the nDepth search and the fields you would want to have in an email when your rule is triggered. For example, Event Info, Detection IP, Extraneous Info, Source Account, etc.
  3. Build the Email (optional):
    1. On the LEM toolbar, navigate to Build > Groups.
    2. In the Refine Results pane, change the filter type from All to Email Template. 
    3. Choose an email that closely resembles what you are looking for, or click the plus icon in the upper right and choose Email Template. 
    4. Name your Email Template. A best practice would be to name your template the same as the rule you are creating.
    5. In the Subject line, enter the rule name. When the rule fires, you know which one is firing right away.
    6. Add your field names:
      1. In the lower left of the template, enter the field parameter names you are looking for. This is best done by using the field names instead of creating your own.
      2. To save the field parameter, click the plus sign.
      3. Continue to add additional fields, as needed.
    7. In the body of the email, enter the name of one field. Then end with a colon and a space. For example, Event Info: 
    8. Drag the event from the Parameters section on left side to the message body.
    9. Repeat the previous two steps (entering a field name, then dragging its parameter into the body) for every event field you want in the template.
    10. Save the email template.
  4. Create the rule:
    1. On the LEM toolbar, navigate to Build > Rules.
    2. On the upper right corner of the window, click the plus icon.
    3. Name your rule. A best practice is to name the rule with what you are firing the rule on. Example: "User Login After Hours."
    4. Provide a brief description stating what this rule accomplishes.
    5. In Correlations, add your nDepth search variables that gave you the event you are looking for. 
    6. In the list pane, click Actions.
    7. Drag Send Email Message into the rule Actions box. 
    8. Choose the template you previously created.
    9. Select the recipients. This assumes you have already added an email address to the Users and created the Email Active Response Connector.
    10. At the top middle of the rule, select the Enable and Test check boxes.
    11. Click Save.
    12. Click Activate Rules in the upper right of the window.
  5. Test your rule:
    1. Perform the action that would cause your Rule to trigger.
    2. On the LEM toolbar, click Monitor.
    3. In the Filters pane, click Overview, and then select Rule Activity.
    4. If your rule fired the expected number of times:
      1. On the LEM toolbar, navigate to Build > Rules.
      2. Next to your rule, click the gear icon, and then select Edit.
      3. Clear the Test check box.
      4. Save the Rule.
      5. Click Activate Rules.
    5. If your rule didn't fire:
      1. Check your nDepth search for the exact criteria you built your rule upon. 
      2. If nothing shows, adjust your search criteria until they match the events you are looking for.
      3. Modify your rule to match the nDepth search. 
      4. Test again until it works correctly. 
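To make the rule logic above concrete, here is an added Python model of what steps 4 and 5 set up: a rule with correlation conditions, a Send Email action driven by a template, and the Enable/Test flags. This is example code written for this article, not LEM's own implementation or API. The events, field names, business-hours window and the assumption that Test mode records a fire in Rule Activity without sending the email are all constructed or assumed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events using the field names the article mentions.
# Timestamps, IPs and accounts are made up; these are not real LEM records.
SAMPLE_EVENTS: List[Event] = [
    {"EventInfo": "UserLogon", "DetectionTime": "2018-09-27 02:14:00",
     "DetectionIP": "10.0.0.5", "SourceAccount": "jdoe",
     "ExtraneousInfo": "Interactive logon"},
    {"EventInfo": "UserLogon", "DetectionTime": "2018-09-27 10:30:00",
     "DetectionIP": "10.0.0.7", "SourceAccount": "asmith",
     "ExtraneousInfo": "Interactive logon"},
    {"EventInfo": "UserLogoff", "DetectionTime": "2018-09-27 23:05:00",
     "DetectionIP": "10.0.0.5", "SourceAccount": "jdoe",
     "ExtraneousInfo": ""},
    {"EventInfo": "UserLogon", "DetectionTime": "2018-09-27 22:45:00",
     "DetectionIP": "10.0.0.9", "SourceAccount": "svc_backup",
     "ExtraneousInfo": "Service logon"},
]

# Assumed business-hours window; adjust to your environment.
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def is_user_logon(event: Event) -> bool:
    """Correlation 1: the event is a user logon (mirrors the nDepth criterion)."""
    return event["EventInfo"] == "UserLogon"


def is_after_hours(event: Event) -> bool:
    """Correlation 2: the detection time falls outside business hours."""
    detected = datetime.strptime(event["DetectionTime"], "%Y-%m-%d %H:%M:%S").time()
    start, end = BUSINESS_HOURS
    return not (start <= detected < end)


# Email template in the "Field Name: <parameter>" layout from step 3.
EMAIL_TEMPLATE = (
    "Subject: User Login After Hours\n"
    "Event Info: {EventInfo}\n"
    "Detection IP: {DetectionIP}\n"
    "Source Account: {SourceAccount}\n"
    "Extraneous Info: {ExtraneousInfo}\n"
)


@dataclass
class Rule:
    name: str
    correlations: List[Callable[[Event], bool]]
    template: str
    enabled: bool = True   # the Enable check box
    test: bool = False     # the Test check box

    def matches(self, event: Event) -> bool:
        # All correlation conditions must hold, like an AND group in LEM.
        return all(cond(event) for cond in self.correlations)


def run_rule(rule: Rule, events: List[Event]) -> Tuple[int, List[str]]:
    """Return (fire_count, rendered_emails).

    fire_count is what you would check under Monitor > Rule Activity.
    In Test mode (assumed semantics) fires are counted but no email is produced.
    """
    fires, emails = 0, []
    if not rule.enabled:
        return 0, emails
    for event in events:
        if rule.matches(event):
            fires += 1
            if not rule.test:
                emails.append(rule.template.format(**event))
    return fires, emails


def after_hours_rule(test: bool) -> Rule:
    return Rule("User Login After Hours", [is_user_logon, is_after_hours],
                EMAIL_TEMPLATE, enabled=True, test=test)


if __name__ == "__main__":
    # Step 5: run in Test mode first and check how many times the rule fired.
    count, _ = run_rule(after_hours_rule(test=True), SAMPLE_EVENTS)
    print(f"Test mode: rule fired {count} time(s), no email sent")
    # Then clear Test and let the email action run.
    count, sent = run_rule(after_hours_rule(test=False), SAMPLE_EVENTS)
    print(f"Live: rule fired {count} time(s), {len(sent)} email(s) sent")
    print(sent[0])
```

If the rule fires zero times, the troubleshooting in step 5 applies: compare each correlation against the events you expect to match. A condition that checks `EventInfo == "Logon"` against events whose `EventInfo` is `UserLogon` will silently match nothing, which is exactly the mismatch between rule and nDepth search the article tells you to look for.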
