How to customize events processing rules

Processing rules determine how collected event log entries are handled. They can help you identify and categorize events and trigger alerts or other actions for some of them. You will need to know how the rules work to configure them correctly:

  • Once defined, rules need to be manually assigned to event sources.
  • Rules have priorities (the order in which they are evaluated).
  • When an event is collected from a source, each rule assigned to that event source is evaluated against that event in order of priority.
  • When an event matches a rule, the actions of that rule are triggered and no additional rules will be evaluated for that event.

Try out some of these rules:

  1. Go to Configuration > Event Processing Rules tab.
  2. Create a new folder (for example: My rule folder) and create a new rule set (for example: My rule set) within that folder.
  3. Add a new rule to the rule set (for example: Rule One) that applies to Windows Security events with a specific event ID.
  4. Set the rule to classify the matching events as High.
  5. Create another rule called Rule Two with the same filter as Rule One; however, set this one to classify the events as Medium.

Assign these rules to your local machine:

  1. Go to Configuration > Event Sources tab.
  2. Choose the All event sources node from the tree and locate your local machine.
  3. Open the machine Properties and go to the Windows event log.
  4. Uncheck the Inherit Settings option and add Security Log to the log list. Choose Process using these Rule Sets and check My rule folder.

NOTE

Wait until more events are generated and check the browser. You should see that all the events with the event ID you specified in the rule definition have triggered Rule One.

  5. Go back to Rule configuration to change the priority of the rules.
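To make the evaluation semantics above concrete (rules only apply to sources they are assigned to; rules are tried in priority order; the first match stops evaluation), here is an added toy model of the Rule One / Rule Two exercise. It is example code written for this page, not the product's own engine; the event source names, the event ID 4625 and the event messages are constructed sample values.

```python
"""Toy model of first-match, priority-ordered event processing rules.

Added example; not the product's code. All sample values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    source: str      # name of the machine the event was collected from
    log: str         # Windows log the event came from, e.g. "Security"
    event_id: int
    message: str


@dataclass
class Rule:
    name: str
    log: str
    event_id: int
    classification: str   # action on match: classify the event as High/Medium/...
    priority: int         # lower value = evaluated earlier

    def matches(self, event: Event) -> bool:
        """Filter used in the exercise: a given log plus a specific event ID."""
        return event.log == self.log and event.event_id == self.event_id


# Rule sets are evaluated only for the sources they are explicitly assigned to.
Assignments = Dict[str, List[Rule]]


def process_event(event: Event, assignments: Assignments) -> Optional[Tuple[str, str]]:
    """Evaluate the rules assigned to the event's source in priority order.

    Returns (rule name, classification) of the first matching rule, or None
    when no assigned rule matches (or no rules are assigned at all).
    """
    rules = assignments.get(event.source, [])
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(event):
            return rule.name, rule.classification   # stop: later rules are skipped
    return None


SAMPLE_EVENT_ID = 4625  # constructed placeholder for "a specific event ID"


def build_rule_set(rule_one_first: bool) -> List[Rule]:
    """Rule One (High) and Rule Two (Medium) share the same filter;
    only their priorities differ, as in the exercise."""
    p_one, p_two = (1, 2) if rule_one_first else (2, 1)
    return [
        Rule("Rule One", "Security", SAMPLE_EVENT_ID, "High", p_one),
        Rule("Rule Two", "Security", SAMPLE_EVENT_ID, "Medium", p_two),
    ]


def run_exercise() -> Dict[str, Optional[Tuple[str, str]]]:
    """Run the exercise before and after swapping the rule priorities."""
    matching = Event("localhost", "Security", SAMPLE_EVENT_ID, "constructed logon failure")
    other_log = Event("localhost", "Application", SAMPLE_EVENT_ID, "constructed app event")
    unassigned = Event("server02", "Security", SAMPLE_EVENT_ID, "constructed logon failure")

    before = {"localhost": build_rule_set(rule_one_first=True)}   # Rule One has priority
    after = {"localhost": build_rule_set(rule_one_first=False)}   # priorities swapped

    return {
        "rule_one_first": process_event(matching, before),   # ("Rule One", "High")
        "rule_two_first": process_event(matching, after),    # ("Rule Two", "Medium")
        "wrong_log": process_event(other_log, before),       # None: filter does not match
        "not_assigned": process_event(unassigned, before),   # None: no rules assigned
    }


if __name__ == "__main__":
    for label, result in run_exercise().items():
        print(f"{label}: {result}")
```

The `wrong_log` and `not_assigned` cases show the two reasons an event silently receives no classification: the assigned rule's filter does not match, or the rule set was never assigned to that source's log. When a rule appears not to fire, check the assignment on the event source (step 4 above) before changing the rule itself.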