This topic provides instructions to identify a rule, indicate if it is a trial rule and assign a severity level. When you add a new rule, the first information to provide is a unique name and description of what the rule detects. After you save the rule, this information is displayed in the Rule Library.
You must have permission to manage rules. See Role Permissions.
To name and describe a rule:
- In the Security Analytics menu, select Alerts > Configure > Rule
- In the Rule Library, select > Rule Builder.
The New Rule tab is displayed.
- Type a unique, descriptive name in the Rule Name field.
This name will appear in the Rule Library so be specific enough to distinguish the rule from others.
- In the Description field, explain which events the rule detects.
The beginning of this description will appear in the Rule Library
- By default, new rules are configured as a Trial Rule. A trial rule automatically disables the rule if all trial rules collectively exceed the memory threshold. If you are editing an existing rule, you can select Trial Rule to safely test the rule edits.
Use trial rule mode as a safeguard to see if a rule runs efficiently and to prevent downtime caused by running out of memory. For more information, see Work with Trial Rules.
- For Severity, classify the rule as Low, Medium, High or Critical.