8.2 Configuring Rules

Identity Audit rules can be configured to filter events based on one or more of the searchable fields. For a list of the Identity Audit searchable event fields, see Table 6-1. Each rule can be associated with one or more of the configured actions.

8.2.1 Filter Criteria

Rules can be based on any searchable event field. For a list of these fields, see Table 6-1. The available operators depend on the data type of the event field. For example, match subnet is available for IP addresses, and match regex is available for text fields.

8.2.2 Adding a Rule

Administrators can add a filter-based rule and then define one or more output channels (actions) that receive the events meeting the rule criteria.

  1. Log into Identity Audit as an administrator.

  2. Click Rules in the upper right corner of the page.

  3. Click Add Rule.

  4. Specify a rule name.

  5. If the rule has multiple conditions, select All to join the conditions with an AND operator (every condition must be true), or select Any to join them with an OR operator (at least one condition must be true).

  6. Select the event field, the operator, and the value for the filter.

  7. Select an action that will be performed on every event that meets the filter criteria.

    The action details shown here come from the action configuration, which you can view by clicking the Configuration link.

  8. Configure additional actions, as desired.

  9. Click Save.

8.2.3 Ordering Rules

Events are evaluated against the rules in list order, and evaluation stops at the first rule that matches, so the order of the list determines which rule (and therefore which actions) an event gets. Place more narrowly defined rules and more important rules at the beginning of the list; a broad rule placed above a narrower one will consume the events the narrower rule was meant to catch, and that rule will never fire for them. When there is more than one rule, rules can be reordered by using drag-and-drop.
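The filter operators from 8.2.1, the All/Any join from 8.2.2 and the first-match ordering described above can be modelled in a few lines. The following Python is an added example written for this page, not Identity Audit code; the event field names (EventName, InitiatorUserName, SourceIP), the operator and action names, and the sample events are assumptions chosen for illustration and are not taken from Table 6-1. It shows how a narrow rule placed first routes its events to its own actions, and how the same rule is shadowed when a broad rule is placed above it.

```python
import dataclasses
import ipaddress
import re
from dataclasses import dataclass, field


# Operators, keyed by the name the rule refers to. Each takes the event
# field value and the value entered in the rule and returns True/False.
# Which operators apply depends on the field's data type (8.2.1).
def op_equals(value, target):
    return value == target


def op_match_subnet(value, target):
    # Valid only for IP-address fields; a missing or malformed value never matches.
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False


def op_match_regex(value, target):
    # Valid only for text fields.
    return value is not None and re.search(target, str(value)) is not None


OPERATORS = {
    "equals": op_equals,
    "match subnet": op_match_subnet,
    "match regex": op_match_regex,
}


@dataclass
class Condition:
    field_name: str
    operator: str
    value: str

    def matches(self, event):
        return OPERATORS[self.operator](event.get(self.field_name), self.value)


@dataclass
class Rule:
    name: str
    conditions: list
    join: str = "All"                          # "All" = AND, "Any" = OR (step 5)
    actions: list = field(default_factory=list)  # output channels (step 7/8)
    enabled: bool = True                       # the On check box (8.2.6)

    def matches(self, event):
        results = (c.matches(event) for c in self.conditions)
        return all(results) if self.join == "All" else any(results)


def evaluate(rules, event):
    """Return (rule name, actions) for the first active rule that matches,
    or (None, []) when no rule matches. Evaluation stops at the first match,
    which is the ordering semantics described in 8.2.3."""
    for rule in rules:
        if rule.enabled and rule.matches(event):
            return rule.name, list(rule.actions)
    return None, []


def route(rules, events):
    """Name of the rule that claims each event, in input order."""
    return [evaluate(rules, e)[0] for e in events]


def with_enabled(rule, enabled):
    """Copy of a rule with its On check box set (rules are treated as immutable)."""
    return dataclasses.replace(rule, enabled=enabled)


# Assumed rules. NARROW is the more specific and more important one.
NARROW = Rule(
    "External root login failure",
    [
        Condition("EventName", "equals", "LoginFailed"),
        Condition("InitiatorUserName", "match regex", r"^(root|admin)$"),
        Condition("SourceIP", "match subnet", "203.0.113.0/24"),
    ],
    join="All",
    actions=["Send to Syslog", "Send Email"],
)
BROAD = Rule(
    "All login failures",
    [Condition("EventName", "equals", "LoginFailed")],
    actions=["Log to File"],
)

# Constructed sample events; field names are assumptions, not Table 6-1.
SAMPLE_EVENTS = [
    {"EventName": "LoginFailed", "InitiatorUserName": "root", "SourceIP": "203.0.113.7"},
    {"EventName": "LoginFailed", "InitiatorUserName": "alice", "SourceIP": "10.1.2.3"},
    {"EventName": "LoginSuccess", "InitiatorUserName": "root", "SourceIP": "10.1.2.3"},
]

if __name__ == "__main__":
    print("narrow first:", route([NARROW, BROAD], SAMPLE_EVENTS))
    print("broad first: ", route([BROAD, NARROW], SAMPLE_EVENTS))
```

With NARROW listed first, the external root failure goes to syslog and email while the other failure is logged to file; with BROAD listed first, every failure is logged to file and NARROW never fires. Clearing NARROW's On check box has the same effect as moving it below BROAD, which is why a deactivated or misordered rule is easy to overlook in production.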

To reorder rules:

  1. Log into Identity Audit as an administrator.

  2. Click Rules in the upper right corner of the page.

  3. Mouse over the icon to the left of the rule numbering to enable drag-and-drop. The cursor changes to indicate that the rule can be dragged.

  4. Drag and drop the rule to the correct place in the ordered list.

8.2.4 Editing a Rule

Click the edit link beside a rule to change its definition.

8.2.5 Deleting a Rule

Click the remove link beside a rule to delete it. If events are already queued for the rule's action or actions when you delete it, it might take some time for that queue to drain, so output from the rule can continue briefly after it is removed.

8.2.6 Activating or Deactivating a Rule

To the left of each rule, in the column headed On, is a check box that activates the rule. New rules are activated by default. If you deactivate a rule, incoming events are no longer evaluated against it. If events are already queued for its action or actions, it might take some time for that queue to drain after the rule is deactivated.