To create a rule, go to Responses > Rule Manager > New Rule. You can also create rules from the customized queries that are used for widgets on your dashboard. Select the Widget menu and choose “Create Rule from this Widget”. This option is also available on the Hunting page. Go to the Hunting tab, select an event filter in the left pane or type a search query in the search bar and then select “Create Alert Rule from Search Query” from the Actions menu on the top right.
Provide required details in the respective sections to create a new rule:
- In the Rule Information section, provide a name and description of the new rule in the Rule Name and Description fields.
- In the Rule Query section, specify a query for the rule. The system uses this query to search for events. Use the Test Query button to test your query. Click the Sample Queries link to select from predefined queries.
- In the Trigger Criteria section, choose from three trigger criteria that work in conjunction with the rule query. The trigger criteria are: Single Match, Time-Window Count Match and Time-Window Scheduled Match. See Trigger Criteria.
- In the Action Settings section, choose the actions that you want the system to perform when an alert is triggered.
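As an added illustration (not the product's own code), the following Python models how the three trigger criteria combine with a rule query over a constructed event stream. The rule query, the threshold and window values, and the precise semantics of each criterion are assumptions made for the example; the product's Trigger Criteria page remains the authoritative definition.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (ts, process, parent process); not real telemetry.
T0 = datetime(2024, 1, 1, 10, 0, 0)
EVENTS = [
    {"ts": T0,                         "process": "powershell.exe", "parent": "winword.exe"},
    {"ts": T0 + timedelta(seconds=20), "process": "powershell.exe", "parent": "winword.exe"},
    {"ts": T0 + timedelta(seconds=40), "process": "notepad.exe",    "parent": "explorer.exe"},
    {"ts": T0 + timedelta(seconds=50), "process": "powershell.exe", "parent": "excel.exe"},
    {"ts": T0 + timedelta(minutes=5),  "process": "powershell.exe", "parent": "outlook.exe"},
]
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}

def rule_query(event):
    """Assumed rule query: PowerShell launched by an Office application."""
    return event["process"] == "powershell.exe" and event["parent"] in OFFICE

def single_match(events, query):
    """Single Match (assumed semantics): one alert per matching event."""
    return [e["ts"] for e in events if query(e)]

def time_window_count_match(events, query, threshold, window):
    """Time-Window Count Match (assumed): alert once when at least `threshold`
    matches fall within a sliding window of `window`; the window then resets."""
    alerts, recent = [], deque()
    for e in events:
        if not query(e):
            continue
        recent.append(e["ts"])
        while recent and e["ts"] - recent[0] > window:   # drop expired matches
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(e["ts"])
            recent.clear()
    return alerts

def time_window_scheduled_match(events, query, threshold, interval, start):
    """Time-Window Scheduled Match (assumed): at the end of every fixed
    `interval` from `start`, alert if that interval held >= `threshold` matches."""
    matches = [e["ts"] for e in events if query(e)]
    alerts, end = [], start
    while end <= max(e["ts"] for e in events):
        nxt = end + interval
        if sum(1 for ts in matches if end <= ts < nxt) >= threshold:
            alerts.append(nxt)
        end = nxt
    return alerts
```

Each function returns the alert timestamps that the Action Settings stage would then act on; the same four matching events produce four, one, or one alert depending on which criterion the rule uses.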