
Rule Configuration Tables

Created by Caroline Juszczak, last modified by Steve.Hawkins on Sep 14, 2016


Rule correlation table

The following table is for use with Rule Creation. It lists the possible rule configurations you can create in the rule window's Correlations box for each type of field.

  • The Left field column lists each type of field you can drag into the Correlations box's left field.
  • The Right field column lists the corresponding field types that you can drag into the Correlations box's right field.
  • The Operators columns list the types of comparisons you can make between left and right fields.

Left field                   Right field                    Operators
----------                   -----------                    ---------
event                        (no right field)               exists, not exists
event group                  (no right field)               exists, not exists

text event field             text event field               =, not equal
                             text event group field         =, not equal
                             text state variable field      =, not equal
                             text constant                  =, not equal
                             directory service group        in, not in
                             connector profile              in, not in
                             user-defined group             in, not in

time event field             time event field               >, >=, <, <=
                             time event group field         >, >=, <, <=
                             time state variable field      >, >=, <, <=
                             time constant                  >, >=, <, <=
                             time of day                    in, not in

number event field           number event field             =, not equal, >, >=, <, <=
                             number event group field       =, not equal, >, >=, <, <=
                             number state variable field    =, not equal, >, >=, <, <=
                             number constant                =, not equal, >, >=, <, <=

text event group field       text event field               =, not equal
                             text event group field         =, not equal
                             text state variable field      =, not equal
                             text constant                  =, not equal
                             directory service group        in, not in
                             connector profile              in, not in
                             user-defined group             in, not in

time event group field       time event field               >, >=, <, <=
                             time event group field         >, >=, <, <=
                             time state variable field      >, >=, <, <=
                             time constant                  >, >=, <, <=
                             time of day                    in, not in

number event group field     number event field             =, not equal, >, >=, <, <=
                             number event group field       =, not equal, >, >=, <, <=
                             number state variable field    =, not equal, >, >=, <, <=
                             number constant                =, not equal, >, >=, <, <=

text state variable          text event field               =, not equal
                             text event group field         =, not equal
                             text state variable field      =, not equal
                             text constant                  =, not equal
                             directory service group        in, not in
                             connector profile              in, not in
                             user-defined group             in, not in

time state variable          time event field               >, >=, <, <=
                             time event group field         >, >=, <, <=
                             time state variable field      >, >=, <, <=
                             time constant                  >, >=, <, <=
                             time of day                    in, not in

number state variable        number event field             =, not equal, >, >=, <, <=
                             number event group field       =, not equal, >, >=, <, <=
                             number state variable field    =, not equal, >, >=, <, <=
                             number constant                =, not equal, >, >=, <, <=

text constant                directory service group        in, not in
                             connector profile              in, not in
                             user-defined group             in, not in

number constant              directory service group        in, not in
                             connector profile              in, not in
                             user-defined group             in, not in

time constant                directory service group        in, not in
                             connector profile              in, not in
                             user-defined group             in, not in

Compare values with operators

When configuring a rule or a filter, whenever you drag an item from the list pane and position it next to an event variable, an operator icon appears between them. The operator states how the event variable must compare with the other item for the event to be subject to the rule's or filter's conditions.

For example, an operator might state whether an event falls within or outside of a Time of Day Set, or whether an event applies to a particular Connector Profile.

Select a new operator

  • Click an operator to cycle through the various operators that are acceptable for the current condition.
  • Ctrl+click an operator to show a list of operators you can choose from. Then click to select the operator you want to use.

Operator tips

The following tips apply to operators:

  • When comparing two numeric values, the full range of mathematical operator options is available.
  • An IP address is treated as a string (or text) value. Therefore, operators are limited to "equal" and "not equal."
  • DateTime fields have a default value of "> Time Now", which means, greater than the current date and time.

Filter groups and conditions, and rule groups and correlations, are all subject to AND and OR conditions. By default, new groups, conditions, and correlations appear with an AND condition. AND and OR conditions can surround nested groups, and they can be used between groups on the same level to create complex filter conditions or rule correlations.

Example: If x AND y AND z occur, report the event.
Description: If all of the conditions apply, report the event.

Example: If x OR y OR z occurs, report the event.
Description: If any of the conditions apply, report the event.

Example: If (x AND y) OR z occurs, report the event.
Description: If conditions x and y occur, or if condition z occurs, report the event.

Example: If (a AND b) OR (x AND y) OR (z) occurs, report the event.
Description: In this case, you would create three groups, two nested within the third:
  • The nested groups are configured as (a AND b) and (x AND y), joined with an OR.
  • The outer group is configured as (z), surrounding the nested groups with an OR.

Example: "Condition1" AND "Condition2 AND Condition3" OR "Condition4 AND Condition5."
Description: In this example, the filter reports the event when it meets the following conditions:
  • Condition1 and Condition2 and Condition3, or
  • Condition1 and Condition4 and Condition5.
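The operator typing from the correlation table and operator tips (text and IP addresses compare only with equal / not equal, numbers get the full range, Time of Day Sets and groups use in / not in) together with the nested AND/OR grouping above, as an added Python model that is not code from LEM or this guide. The field names (FailureCount, SourceMachine, Hour, DestinationAccount) and the sample event are constructed, and the last table row is represented as the nesting its description spells out: Condition1 AND ("Condition2 AND Condition3" OR "Condition4 AND Condition5").

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Union

# Operators each kind of value accepts, per the correlation table and operator
# tips: text (IP addresses included) only = / not equal, numbers the full range,
# sets (Time of Day Set, connector profile, group) only in / not in.
TEXT_OPS = {"=", "!="}
NUMBER_OPS = {"=", "!=", ">", ">=", "<", "<="}
SET_OPS = {"in", "not in"}
COMPARE = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
           "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
           "in": lambda a, b: a in b, "not in": lambda a, b: a not in b}

@dataclass
class Condition:
    field_name: str  # event field on the left (hypothetical names below)
    op: str
    value: Any       # constant or set on the right

    def allowed_ops(self, left: Any) -> set:
        if isinstance(self.value, (set, frozenset)):
            return SET_OPS
        if isinstance(left, (int, float)) and not isinstance(left, bool):
            return NUMBER_OPS
        return TEXT_OPS

    def evaluate(self, event: Dict[str, Any]) -> bool:
        if self.field_name not in event:
            return False  # a missing field never satisfies a condition
        left = event[self.field_name]
        if self.op not in self.allowed_ops(left):
            raise ValueError(f"{self.op!r} is not valid for {self.field_name!r}")
        return COMPARE[self.op](left, self.value)

@dataclass
class Group:
    """Members joined by one joiner; nesting expresses mixed AND / OR logic."""
    members: List[Union["Group", Condition]]
    joiner: str = "AND"  # AND is the default for a new group

    def evaluate(self, event: Dict[str, Any]) -> bool:
        results = [m.evaluate(event) for m in self.members]
        return all(results) if self.joiner == "AND" else any(results)

# Constructed sample event; field names and values are not from the guide.
SAMPLE_EVENT = {"SourceMachine": "10.0.0.5", "FailureCount": 7, "Hour": 23,
                "DestinationAccount": "svc_backup"}

# Last row of the table: Condition1 AND ("C2 AND C3" OR "C4 AND C5").
RULE = Group([
    Condition("FailureCount", ">=", 5),                                   # Condition1
    Group([Group([Condition("SourceMachine", "=", "10.0.0.5"),             # Condition2
                  Condition("Hour", "not in", set(range(8, 18)))]),       # Condition3
           Group([Condition("DestinationAccount", "=", "Administrator"),  # Condition4
                  Condition("Hour", ">", 17)])], joiner="OR"),            # Condition5
])

def ip_range_compare_rejected() -> bool:
    try:  # an IP address is text, so '>' is refused, as the operator tip says
        Condition("SourceMachine", ">", "10.0.0.1").evaluate(SAMPLE_EVENT)
    except ValueError:
        return True
    return False
```

`RULE.evaluate(SAMPLE_EVENT)` is True here because Condition1 holds together with the Condition2/Condition3 group; dropping FailureCount below 5 makes the whole rule False regardless of the OR branches.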

Accountable

The following table lists the various actions a Manager can take to respond to events. These actions are configured in the Respond form when you are initiating an active response, and in the rule window's Actions box when you are configuring a rule's automatic response.

The table's Action column lists the actions that are available. They are alphabetized for easy reference. The Description column briefly states how the action behaves. The Fields column lists the primary data fields that apply to each action. Some data fields will vary, depending on the options you select.

Action Description Fields
Add Domain User To Group

This action adds a domain user to a specified user group that resides on a particular Agent.

Domain Controller Agent

Select the event field or constant that defines the Agent on which the group to be modified resides.

To modify a group at the domain level, specify a domain controller as the Agent.

Group Name

Select the event field or constant that defines the group that is to be modified.

Username

Select the event field or constant that defines the user who is to be added to the group.

Add Local User To Group

This action adds a local user to a specified user group that resides on a particular Agent.

Agent

Select the event field or constant that defines the Agent on which the group to be modified resides.

To modify a group at the domain level, specify a domain controller as the Agent.

Group Name

Select the event field or constant that defines the group that is to be modified.

Username

Select the event field or constant that defines the user who is to be added to the group.

Add User-Defined Group Element

This action adds a new data element to a particular user-defined group.

User-Defined Group Element

From the User-Defined Groups list, select the User-Defined Group that is to receive the new data Element.

Value

Select the event field or constant that defines the data element that is to be added to the specified User-Defined Group. The fields will vary according to which User-Defined Group you select.

Append Text To File

This action appends text to a file. This allows you to take data from an event and put it in a text file.

Agent

Select the event field or constant that defines the Agent on which the file to be appended is located.

File Path

Select the event field or constant that defines the path to the Agent file that is to be appended with text.

Text

Select the event field or constant that defines the text to be appended to the file.

Block IP

This action blocks an IP address.

IP Address

Select the event field or constant that identifies the device's IP address.

Create User Account

This action creates a new user account on an Agent.

Agent

Select the event field or constant that defines the Agent on which the new user account is to be added.

To create a user account at the domain level, specify a domain controller as the Agent.

Account Name

Select the event field or constant that names the account that is to be created.

Account Password

Select the event field or constant that defines the password that is to be assigned to the new account.

Create User Group

This action creates a specified user group on an Agent.

A user group is a new group of Windows users on a Windows PC, server, or network who are external to the LEM system.

Agent

Select the event field or constant that defines the Agent on which the new user group is to reside.

To create a user group at the domain level, specify a domain controller as the Agent.

Group Name

Select the event field or constant that defines which user group is to be created.

Delete User Account

This action deletes a user account from an Agent.

Agent

Select the event field or constant that defines the Agent on which the user account is to be deleted.

To delete a user account at the domain level, specify a domain controller as the Agent.

Account Name

Select the event field or constant that names the account that is to be deleted.

Delete User Group

This action deletes a user group from a particular Agent.

Agent

Select the event field or constant that defines the Agent on which the user group to be deleted resides.

To delete a user group at the domain level, specify a domain controller as the Agent.

Group Name

Select the event field or constant that defines the user group that is to be deleted.

Detach USB Device

This action detaches a USB mass storage device that is connected to an Agent.

Agent

Select the event field or constant that defines the Agent from which the USB device is to be detached.

Device

Select the event field or constant that defines the device ID of the USB device that is to be detached.

Disable Domain User Account

This action disables a Domain User Account on a Domain Controller Agent.

Domain Controller Agent

Select the event field or constant that defines the Domain Controller Agent on which the domain user is to be disabled.

Destination Account

Select the event field or constant that defines the account that is to be disabled.

Disable Local User Account

This action disables a local user account on an Agent.

Agent

Select the event field or constant that defines the Agent on which the local user is to be disabled.

Destination Account

Select the event field or constant that defines the account that is to be disabled.

Disable Networking

This action disables an Agent's network access.

The result is that the specified Agent will be unable to connect to the network.

Agent

Select the event field or constant that defines the Agent that is to be disabled from the network.

Message

Type the message that is to appear on the Agent.

Disable Windows Machine Account

This action disables a Windows machine account that resides on a Domain Controller Agent.

Domain Controller Agent

Select the event field or constant that defines the Domain Controller Agent on which the account is to be disabled.

Destination Account

Select the event field or constant that specifies which Windows account is to be disabled.

Enable Domain User Account

This action enables a Domain User Account on a Domain Controller Agent.

Domain Controller Agent

Select the event field or constant that defines the Domain Controller Agent on which the domain user is to be enabled.

Destination Account

Select the event field or constant that defines the account that is to be enabled.

Enable Local User Account

This action enables a local user account on an Agent.

Agent

Select the event field or constant that defines the Agent on which the local user is to be enabled.

Destination Account

Select the event field or constant that defines the account that is to be enabled.

Enable Windows Machine Account

This action enables a Windows machine account that resides on a Domain Controller Agent.

Domain Controller Agent

Select the event field or constant that defines the Domain Controller Agent on which the account is to be enabled.

Destination Account

Select the event field or constant that specifies which Windows account is to be enabled.

Incident Event

This action escalates potential issues by creating an Incident Event.

Event

Select which Incident Event the rule is to create.

Event Fields

From the list pane, select the events and constants that define the appropriate data elements for each event field. The fields vary, depending on which Incident Event is selected.

Infer Event

This action escalates potentially irregular audit traffic into security events by creating (or "inferring") a new event with a higher severity.

Event

Select which Event the rule is to infer.

Event Fields

From the list pane, select the events and constants that define the appropriate data elements for each event field. The fields vary, depending on which event is selected.

Kill Process by ID

This action terminates the specified process on an Agent by using its process ID value.

Agent

Select the event field or constant that defines the Agent on which the process is to be terminated.

Process ID

Select the event field or constant that identifies the ID number of the process that is to be terminated.

Kill Process by Name

This action terminates the specified process on an Agent by referring to the process name.

Agent

Select the event field or constant that defines the Agent on which the process is to be terminated.

Process Name

Select the event field or constant that identifies the name of the process that is to be terminated.

Account Name

Select the event field or constant that identifies the name of the account that is running the process to be terminated.

Log Off User

This action logs the user off of an Agent.

Agent

Select the event field or constant that defines the Agent from which the user is to be logged off.

Account Name

Select the event field or constant that identifies the specific account name that is to be logged off.

Modify State Variable

This action modifies a state variable.

State Variable

From the State Variables list, drag the state variable that the rule is to modify.

State Variable Fields

From the appropriate component list, type or drag the data element that is to be modified in the state variable. The fields vary, depending on which state variable is selected.

Remove Domain User From Group

This action removes a domain user from a specified user group that resides on a particular Agent.

Domain Controller Agent

Select the event field or constant that defines the domain controller Agent on which the group to be modified resides.

Group Name

Select the event field or constant that defines the group that is to be modified.

User Name

Select the event field or constant that defines the user who is to be removed from the group.

Remove Local User From Group

This action removes a local user from a specified user group that resides on a particular Agent.

Agent

Select the event field or constant that defines the Agent on which the group to be modified resides.

Group Name

Select the event field or constant that defines the group that is to be modified.

User Name

Select the event field or constant that defines the user who is to be removed from the group.

Remove User-Defined Group Element

This action removes a data element from a particular user-defined group.

User-Defined Group

From the User-Defined Groups list, select the user-defined group from which the specified data element is to be removed.

Value

Select the event field or constant that defines the data element that is to be removed from the specified user-defined group. The fields will vary according to which user-defined group you select.

Reset User Account Password

This action resets a user account password on a particular Agent.

Agent

Select the event field or constant that identifies the Agent on which the user password is to be reset.

To reset an account at the domain level, specify a domain controller as the Agent.

Account Name

Select the event field or constant that identifies the user account that is to be reset.

New Password

Select the event field or constant that defines the user's new password.

Restart Machine

This action reboots an Agent.

Agent

Select the event field or constant that identifies the Agent that is to be rebooted.

Delay (sec)

Type the time (in seconds) after the event occurs that the Manager is to wait before rebooting the Agent.

Restart Windows Service

This action restarts the specified Windows service on an Agent.

Agent

Select the event field or constant that identifies the Agent on which the Windows service will be restarted.

Service Name

Select the event field or constant that identifies the name of the service that is to be restarted.

Send Email Message

This action sends a preconfigured email message to a predetermined email distribution list.

Email Template

Select the template that the email message is to use.

Recipients

Click the check boxes to select which users are to receive the email message.

Email Fields

Drag a field or select a constant from the components list to define the data elements that are to appear in each email template field. The fields vary, depending on which email template is selected.

Send Popup Message

This action displays a pop-up message to an Agent.

Agent

Select the event field or constant that identifies the Agent that is to receive the pop-up message.

Account Name

Select the event field or constant that identifies the user account to receive the message.

Message

Select the event field or constant that defines the message that is to appear on the Agent's monitor.

Shutdown Machine

This action shuts down an Agent.

Agent

Select the event field or constant that identifies the Agent that is to be shut down.

Delay (sec)

Type the time (in seconds) after the event occurs that the Manager is to wait before shutting down the Agent.

Start Windows Service

This action starts the specified Windows service on an Agent.

Agent

Select the event field or constant that identifies the Agent on which the Windows service is to be started.

Service Name

Select the event field or constant that defines the Windows service that is to be started.

Stop Windows Service

This action stops the specified Windows service on an Agent.

Agent

Select the event field or constant that identifies the Agent on which the Windows service is to be stopped.

Service Name

Select the event field or constant that defines the Windows service that is to be stopped.
