In the Policies > Rules area, you can configure and activate a rule to automatically send you an email notification when a particular event occurs, so you can promptly take the appropriate action. You can create a rule based on any of the events logged to the Events page in the History area.
In the context of custom rules, there are two types of events: account-level events, which apply to your account as a whole, and device-level events, which apply to the devices in selected device groups.
During the rule creation process, you apply device-level rules to your devices by selecting device groups.
You can combine events of the same event type into a single rule so that you're alerted if multiple events occur within a specified number of days.
To create a rule:
- Log in to the Absolute console as a user with Manage permissions for Rules.
- On the navigation bar, click Policies > Rules.
- Click Create rule.
- Click Custom Rule.
- Click the title and edit the name of the rule.
- [Optional] Click Add description and enter a description for this rule.
- Enter the applicable event criteria by doing the following:
- Click the Select an event field and select an event from the list. Events marked with an icon let you select more specific data related to the parent event.
For example, you can select the following options under the Device user information updated event:
- User name
- If a second field shows, click the field and select one of the following conditions:
- is not
- does not contain
- is empty
- is not empty
- begins with
- ends with
- not between
- greater than
- greater than or equal to
- less than
- less than or equal to
NOTE The list of available conditions depends on the selected event.
- If a third field shows, enter a value. Note that values entered in this field are not validated. Ensure that you enter a value that is valid for the selected event.
NOTE The third field does not show if you select any of the following conditions: changed, is empty, or is not empty.
Rule event examples

| To trigger the rule when ... | Select event ... | Select condition ... | Enter value ... |
|---|---|---|---|
| The domain of a device user changes from the expected value | Device user information updated > Domain | | <expected domain name> |
| A device fails to be unenrolled | Device unenroll failed | | |
| The version of the device's operating system changes | Operating system updated > Version | | |
NOTE When you add further events, the list of events is filtered based on the type of the first event you selected. That is, if you selected a device-level event, such as Volume removed, you can only add more device-level events. Similarly, if you selected an account-level event, such as Role created, you can only add more account-level events.
To remove an address, click its "x" icon. To disable email notifications altogether, but still log an event to the History > Events page, remove all email addresses from the field. You may prefer this option if Absolute is integrated with a SIEM application. When you're done, click Close.
- If you're granted permissions to manage all devices, the Apply to setting is preset to All Active Devices. To make changes:
- Click Edit, and then click the field to select each device group you want to assign the rule to. To remove a device group that you've added in error, click its "x" icon. When you're done, click outside the field and click Close.
- If you want to exclude one or more device groups from the rule, select the Exclude device groups check box and click the field to select each device group you want to exclude. To remove a device group that you've added in error, click its "x" icon. When you're done, click outside the field and click Close.
- If you're granted permissions to manage the devices in a single device group only, the Apply to setting is preset to your assigned device group. Go to the next step.
If you activated an account-level rule, it is applied to your account. If you activated a device-level rule, it is applied to the devices in the specified device groups. Going forward, when events occur that meet the criteria set in this rule, an email notification is sent to all specified recipients and a Rule triggered event is logged to the Events page in the History area.
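The following is an added example, not Absolute's code and not a description of how the console evaluates rules internally. It models the criteria described in this procedure (the condition list, the unvalidated value field, combining occurrences of an event within a number of days, device-group scope with exclusions, and an empty recipient list that logs a Rule triggered event without notifying anyone) so that you can see what a rule will and will not match before activating it. The event and rule layouts, field names, the validate_rule check, and the sample events are all assumptions made for illustration.

```python
# Added example (not Absolute's code): a small evaluator for custom-rule
# criteria of the kind described above.  Event/rule shapes are assumed.
from datetime import datetime, timedelta

NUMERIC = {"greater than", "greater than or equal to",
           "less than", "less than or equal to"}
RANGE = {"between", "not between"}
VALUELESS = {"changed", "is empty", "is not empty"}   # no third field
TEXTUAL = {"is", "is not", "contains", "does not contain",
           "begins with", "ends with"}


def _num(v):
    """Parse a value the console accepts unvalidated; None if not numeric."""
    try:
        return float(v)
    except (TypeError, ValueError):
        return None


def condition_holds(cond, actual, previous, value):
    """Apply one condition to a field. `previous` is the field's value before
    the update (assumed to be carried on the event); only 'changed' uses it."""
    text = "" if actual is None else str(actual)
    if cond == "changed":
        return actual != previous
    if cond == "is empty":
        return text == ""
    if cond == "is not empty":
        return text != ""
    if cond == "is":
        return text == str(value)
    if cond == "is not":
        return text != str(value)
    if cond == "contains":
        return str(value) in text
    if cond == "does not contain":
        return str(value) not in text
    if cond == "begins with":
        return text.startswith(str(value))
    if cond == "ends with":
        return text.endswith(str(value))
    n = _num(actual)
    if n is None:                 # non-numeric field never passes a numeric test
        return False
    if cond in RANGE:
        lo, hi = (float(x) for x in value)
        return (lo <= n <= hi) == (cond == "between")
    bound = float(value)
    return {"greater than": n > bound, "greater than or equal to": n >= bound,
            "less than": n < bound, "less than or equal to": n <= bound}[cond]


def validate_rule(rule):
    """The console does not validate the value field, so check it here before
    activating. Raises ValueError for a rule that could never match."""
    for c in rule["criteria"]:
        if "field" not in c:          # plain event, e.g. 'Device unenroll failed'
            continue
        cond, value = c["condition"], c.get("value")
        if cond not in NUMERIC | RANGE | VALUELESS | TEXTUAL:
            raise ValueError(f"unknown condition {cond!r}")
        if cond in VALUELESS and value is not None:
            raise ValueError(f"{cond!r} takes no value")
        if cond in RANGE and not (isinstance(value, (list, tuple)) and len(value) == 2
                                  and all(_num(x) is not None for x in value)):
            raise ValueError(f"{cond!r} needs a [low, high] pair, got {value!r}")
        if cond in NUMERIC and _num(value) is None:
            raise ValueError(f"{cond!r} needs a numeric value, got {value!r}")
        if cond in TEXTUAL and value is None:
            raise ValueError(f"{cond!r} needs a value")
    return True


def in_scope(rule, event):
    """Device-level scope: selected groups minus excluded groups.
    Account-level events carry no device group and always apply."""
    group = event.get("device_group")
    if group is None:
        return True
    if group in rule.get("exclude_groups", ()):
        return False
    apply_to = rule.get("apply_to", ())
    return apply_to == "All Active Devices" or group in apply_to


def matches(rule, event):
    """True if the event satisfies any criterion of the rule and is in scope."""
    if not in_scope(rule, event):
        return False
    for c in rule["criteria"]:
        if c["event"] != event["event"]:
            continue
        if "field" not in c:
            return True
        field = c["field"]
        if condition_holds(c["condition"], event["fields"].get(field),
                           event.get("previous", {}).get(field), c.get("value")):
            return True
    return False


def evaluate(rule, events):
    """Return the 'Rule triggered' records the rule would log: one per device
    (or 'account') whose matching events reach rule['occurrences'] inside any
    window of rule['within_days'] days. An empty recipient list means the
    event is logged but nobody is emailed."""
    validate_rule(rule)
    per_subject = {}
    for ev in sorted(events, key=lambda e: e["at"]):
        if matches(rule, ev):
            per_subject.setdefault(ev.get("device", "account"), []).append(ev["at"])
    window = timedelta(days=rule.get("within_days", 0))
    need = rule.get("occurrences", 1)
    triggered = []
    for subject, times in per_subject.items():
        for i in range(len(times) - need + 1):
            if times[i + need - 1] - times[i] <= window:
                triggered.append({"event": "Rule triggered", "rule": rule["name"],
                                  "subject": subject, "at": times[i + need - 1],
                                  "notify": list(rule.get("recipients", []))})
                break                 # one notification per subject per run
    return triggered


# Constructed sample events and rules (hypothetical, not real console data).
T0 = datetime(2024, 1, 1)
SAMPLE_EVENTS = [
    {"event": "Device user information updated", "device": "LAPTOP-01",
     "device_group": "Finance", "at": T0,
     "fields": {"Domain": "contoso.example"}, "previous": {"Domain": "corp.example"}},
    {"event": "Device unenroll failed", "device": "LAPTOP-02",
     "device_group": "Finance", "at": T0 + timedelta(days=1), "fields": {}},
    {"event": "Device unenroll failed", "device": "LAPTOP-02",
     "device_group": "Finance", "at": T0 + timedelta(days=3), "fields": {}},
    {"event": "Device unenroll failed", "device": "LAPTOP-03",
     "device_group": "Lab", "at": T0 + timedelta(days=3), "fields": {}},
]
DOMAIN_RULE = {
    "name": "User domain drift", "apply_to": "All Active Devices",
    "criteria": [{"event": "Device user information updated", "field": "Domain",
                  "condition": "is not", "value": "corp.example"}],
    "recipients": ["soc@corp.example"]}
UNENROLL_RULE = {
    "name": "Repeated unenroll failures", "apply_to": ["Finance"],
    "exclude_groups": ["Lab"], "occurrences": 2, "within_days": 7,
    "criteria": [{"event": "Device unenroll failed"}],
    "recipients": []}     # log only, e.g. when a SIEM consumes the event log

if __name__ == "__main__":
    for rule in (DOMAIN_RULE, UNENROLL_RULE):
        print(rule["name"], "->", evaluate(rule, SAMPLE_EVENTS))
```

Run validate_rule on any rule before you activate its equivalent in the console: a "greater than" condition with a value such as "ten" is accepted by the console but can never match, and the example raises ValueError for it instead of silently producing a rule that never fires.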