- Select Single Match if you want the system to generate an alert each time it detects an event matching your search query.
- Select Time-Window Count Match when you want to generate alerts based on the number of events returned by the search query within a fixed time interval. For example, an alert is sent when three matching events are found within a 15-minute window.
- Select Time-Window Scheduled Match when you want to generate alerts for matching events that occurred during a scheduled time. The rule is triggered only when an event matching your search criteria is found during the time specified in the schedule. Choose a date and time range for the schedule and specify how often you want the schedule to run: daily, weekly or monthly. For example, send daily alerts with all matches in a scheduled window between 4 pm and 5 pm.
  - For the Weekly option, select the days of the week on which the schedule will run. For example, send weekly alerts with all matches generated between 4:56 pm and 5:56 pm every Monday and Wednesday.
  - For the Monthly option, specify the day of the month on which the schedule will run. For example, send monthly alerts on the first day of every month.
- For Time-Window Count Match and Time-Window Scheduled Match, you can also aggregate the alerts into groups based on a field such as action or asset host name. With aggregation, the count or the scheduled match is evaluated separately for each value of that field, so three failures spread across three hosts do not satisfy a per-host threshold of three.
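The following is an added example, not the product's own code, showing how the three rule types above behave on the same set of events. It uses a toy evaluator with a sliding window for the count match and a calendar-day schedule for the scheduled match, and it also shows how aggregating by host changes which alerts fire. The event field names (`ts`, `action`, `host`), the query format (a dict of required field values) and the way a schedule is represented are all assumptions made for this illustration; the sample events are constructed.

```python
"""Added example (not the product's code): a toy evaluator for the three alert rule
types, run over constructed sample events. Field names, the query format and the
schedule representation are assumptions made for this illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, time

# Constructed sample events in local time; 2024-03-04 is a Monday.
EVENTS = [
    {"ts": "2024-03-04T16:10:00", "action": "login_failed", "host": "web01"},
    {"ts": "2024-03-04T16:12:00", "action": "login_failed", "host": "db01"},
    {"ts": "2024-03-04T16:14:00", "action": "login_failed", "host": "web01"},
    {"ts": "2024-03-04T17:30:00", "action": "login_failed", "host": "db01"},   # after 5 pm
    {"ts": "2024-03-05T16:40:00", "action": "login_failed", "host": "web01"},  # Tuesday
    {"ts": "2024-03-06T16:45:00", "action": "login_ok",     "host": "web01"},  # not a match
    {"ts": "2024-03-06T16:50:00", "action": "login_failed", "host": "web01"},  # Wednesday
    {"ts": "2024-03-06T16:52:00", "action": "login_failed", "host": "web01"},
    {"ts": "2024-03-06T17:04:00", "action": "login_failed", "host": "web01"},  # after 5 pm
]

QUERY = {"action": "login_failed"}                         # "search query": field -> required value
WINDOW = timedelta(minutes=15)                             # count-match window
SCHEDULE_START, SCHEDULE_END = time(16, 0), time(17, 0)    # scheduled window, 4 pm to 5 pm


def parse(ts):
    return datetime.fromisoformat(ts)


def matches(event, query):
    """Every field/value pair in the query must be present in the event."""
    return all(event.get(field) == value for field, value in query.items())


def single_match(events, query):
    """Single Match: one alert per matching event."""
    return [e for e in events if matches(e, query)]


def time_window_count_match(events, query, threshold, window, group_by=None):
    """Time-Window Count Match: alert when `threshold` matching events fall inside a
    sliding `window`. With `group_by`, the count is kept per value of that field."""
    recent = defaultdict(deque)   # group -> timestamps of matches still inside the window
    alerts = []
    for e in sorted((e for e in events if matches(e, query)), key=lambda e: e["ts"]):
        key = e.get(group_by) if group_by else None
        q = recent[key]
        q.append(parse(e["ts"]))
        while q and q[-1] - q[0] > window:   # drop matches that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"group": key, "count": len(q), "until": q[-1].isoformat()})
            q.clear()   # one burst produces one alert, then counting starts afresh
    return alerts


def time_window_scheduled_match(events, query, start, end, weekdays=None,
                                days_of_month=None, group_by=None):
    """Time-Window Scheduled Match: one alert per calendar day on which the schedule
    runs and at least one match falls between `start` and `end`, optionally split
    by `group_by`. `weekdays` (0=Monday .. 6=Sunday) selects the Weekly option,
    `days_of_month` the Monthly option; both None means Daily."""
    matched = defaultdict(list)   # (date, group) -> matching events in the window
    for e in events:
        if not matches(e, query):
            continue
        t = parse(e["ts"])
        if not (start <= t.time() < end):
            continue
        if weekdays is not None and t.weekday() not in weekdays:
            continue
        if days_of_month is not None and t.day not in days_of_month:
            continue
        key = e.get(group_by) if group_by else None
        matched[(t.date(), key)].append(e)
    ordered = sorted(matched.items(), key=lambda kv: (kv[0][0], str(kv[0][1])))
    return [{"date": d.isoformat(), "group": g, "matches": evs} for (d, g), evs in ordered]


def run_demo():
    """Exercise each rule type on the sample data and return the alert lists."""
    return {
        "single": single_match(EVENTS, QUERY),
        "count_ungrouped": time_window_count_match(EVENTS, QUERY, 3, WINDOW),
        "count_by_host": time_window_count_match(EVENTS, QUERY, 3, WINDOW, group_by="host"),
        "daily": time_window_scheduled_match(EVENTS, QUERY, SCHEDULE_START, SCHEDULE_END),
        "daily_by_host": time_window_scheduled_match(EVENTS, QUERY, SCHEDULE_START, SCHEDULE_END,
                                                     group_by="host"),
        "weekly_mon_wed": time_window_scheduled_match(EVENTS, QUERY, SCHEDULE_START, SCHEDULE_END,
                                                      weekdays={0, 2}),
        "monthly_1st": time_window_scheduled_match(EVENTS, QUERY, SCHEDULE_START, SCHEDULE_END,
                                                   days_of_month={1}),
    }


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(f"{name}: {len(alerts)} alert(s)")
        for a in alerts:
            print("   ", {k: v for k, v in a.items() if k != "matches"})
```

Note how the Monday burst (two failures on web01 and one on db01 within four minutes) fires the ungrouped count rule but not the per-host one, while the Wednesday burst on web01 fires both; and how the 17:30 and 17:04 events count toward the sliding window but are excluded from the 4 pm to 5 pm scheduled window.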