You can create event rules to generate alerts for tracking and remediation. Use team-based integrations in event rules to make sure that connector ownership and execution of rules give precedence to general rules. Teams can maintain consistency and hierarchy while offering flexibility and customization options.

Before you begin

Role required: evt_mgmt_admin

About this task

View the list of available event rules on the Event Rules page to determine whether you want to create or edit an event rule.
You can create rules that:
  • Transform information in events to populate specified alert field values and compose alert fields from various values.
  • Configure threshold rules that create or close alerts only when the incoming matching events exceed the specified threshold.
  • Bind alerts to CIs using CI identifiers.
Options to create the rule are:
  • Create an event rule and assign event fields for alert generation.
  • Create a rule from an existing event or group of events that don’t have a rule. In this case, the event fields are copied to the Event Match Fields section of the rule.
  • Edit an existing event rule.
  • For Team-based integrations, select an assignment group.

  • Run multiple sequential rules defined for the same event by selecting the Apply additional matching rules check box. The event rules run in ascending order as defined in the Order field. Event rules applied to assignment groups only run after the global rules have run.

You can refresh an existing event rule with new event data. For more information see, Refresh event rules.

Note:
  • Event rules that aren’t configured to perform any action are skipped. Therefore, if the rule isn’t configured as ignore, threshold, or binding, it’s important to specify either the match or the composed fields.
  • Make sure that you don’t change the Classification field value in event [em_event] tables, either manually, by script, or by event rule.

Procedure

  1. Navigate to All > Event Management > Rules > Event Rules and take one of the following actions.
    OptionDescription
    Create an event rule from an existing event
    1. Select the link for unassociated events or grouped events that aren’t mapped to the rules.
      Example wording of the link: "There are 2 recommended rules, created out of 7 unassociated events of the most recent 50000 events."
    2. Select the event that you want to use for creating the rule.

      The event fields are copied to the Event Field Rules section of the rule.
    Edit an existing event rule In the event rule list, select the required event rule to be modified. The event rule opens in the event rule designer where you can modify the values of the fields.
    Select Save and Upgrade Event Management save to modify the rule when the following banner message appears and you want to convert the event rule. 
    Rule cannot be viewed in the
          event rule designer. To modify the rule click 'Save and Upgrade'.
    Create an event rule Select New.
  2. Ensure that Active Active toggle is selected.
    When the rule is deactivated, Event Management finds and applies another event rule. An alert is still created for the event unless Ignore is selected in another applicable rule or when configuring the filter for this event rule.
  3. Enter a unique and meaningful name and fill in the form.
    Table 1. Event Rule Info form
    FieldDescription
    Source Category to which this matching rule applies. The mapping rule only applies to events with the same event class value. If this value is empty, apply the rule to all events.
    Order Order in which an event rule is evaluated when multiple rules are defined for the same type of event. Event rules are evaluated in ascending order.
    Description Type additional information that describes the event rule.
    Apply additional matching rules Select to apply additional event matching rules according to the Order field. The last rule with binding settings sets the CI binding. When selected, the Thresholds tab is inactive.
    Assignment group For team-based integrations, select an assignment group.

    If no assignment group is defined in the event rule, then this event rule is considered as a global rule.

    When the rules are running – first the global rules run and then the rules that belong to the assignment group that the event’s source instance belongs to.
  4. (Optional) Define the event rule using these Event Rule Designer features.
    OptionDescription
    Event Filter Define a filter to restrict to which events the event rule must apply. See Filter the events that an event rule applies to.
    Transform and compose alert output Configure the customization of alert content. See Configure an event rule to customize alert content.
    Threshold Create or close alerts according to the specified threshold. See Set a threshold to suppress alert generation.
    Binding Configure event rules to automatically bind alerts to CI information from the CMDB. See Binding alerts to CIs.
  5. Select Save, Submit, or Update.