Creating custom rules

In the Policies > Rules area, you can configure and activate a rule to automatically send you an email notification when a particular event occurs, so you can promptly take the appropriate action. You can create a rule based on any of the events logged to the Events page in the History area.

In the context of custom rules, there are two types of events:

Event type: Device level
Examples:
  • A disk is removed from a device
  • A device's OS build number changes
  • A Reach script fails to run on a device
  • etc.
During the rule creation process, you apply device level rules to your devices by selecting device groups.

Event type: Account level
Examples:
  • An Application Persistence (AP) policy is deactivated
  • A user account is created
  • A smart device group is deleted
  • etc.

You can combine events of the same event type into a single rule so that you're alerted if multiple events occur within a specified number of days.

To create a rule:

  1. Log in to the Absolute console as a user with Manage permissions for Rules.
  2. On the navigation bar, click Policies > Rules.
  3. Click Create rule.
  4. Click Custom Rule.
  5. Click the title and edit the name of the rule.
  6. [Optional] Click Add description and enter a description for this rule.
  7. Enter the applicable event criteria by doing the following:
    1. Click the Select an event field and select an event from the list. Events with an icon allow you to select more specific data related to the parent event. For example, you can select the following options under the Device user information updated event:

      • Domain
      • User name
    2. If a second field shows, click the field and select one of the following conditions:

      • changed
      • is
      • is not
      • contains
      • does not contain
      • is empty
      • is not empty
      • begins with
      • ends with
      • between
      • not between
      • greater than
      • greater than or equal to
      • less than
      • less than or equal to

      NOTE  The list of available conditions depends on the selected event.
    3. If a third field shows, enter a value. Note that values entered in this field are not validated. Ensure that you enter a value that is valid for the selected event.

      NOTE  The third field does not show if you select any of the following conditions: changed, is empty, or is not empty.

    Rule event examples

    To trigger the rule when the domain of a device user changes from the expected value:
      Select event: Device user information updated > Domain
      Select condition: is not
      Enter value: <expected domain name>

    To trigger the rule when a device fails to be unenrolled:
      Select event: Device unenroll failed
      Select condition: n/a
      Enter value: n/a

    To trigger the rule when the version of the device's operating system changes:
      Select event: Operating system updated > Version
      Select condition: changed
      Enter value: n/a

  8. To add a second event, click AND and specify the applicable criteria in the provided fields.

    NOTE  The list of events is now filtered based on the type of event you selected in step 7. That is, if you selected a device level event, such as Volume removed, you can only add more device level events. Similarly, if you selected an account level event, such as Role created, you can only add more account level events.

  9. Repeat step 8 for each event that you want to add. You can add up to 20 events.
  10. If you've added multiple events, a 7 days field now shows above the first event field. Click the field and select the maximum number of days within which the events must occur for the rule to be triggered. Options are 1 to 29 days. For example, if you want to be alerted only if all events occur within 2 days of each other, select 2 days.
  11. The Send email field is prepopulated with your email address. To send an email notification to other users, click Edit and enter the email addresses, pressing Enter after each address.

    To remove an address, click its "x" icon. To disable email notifications altogether but still log an event to the History > Events page, remove all email addresses from the field. You may prefer this option if Absolute is integrated with a SIEM application. When you're done, click Close.

  12. If the Apply to section shows, you added one or more device level events. Do one of the following:
    • If you're granted permissions to manage all devices, the Apply to setting is preset to All Active Devices. To make changes:
      1. Click Edit, and then click the field to select each device group you want to assign the rule to. To remove a device group that you've added in error, click its "x" icon. When you're done, click outside the field and click Close.
      2. If you want to exclude one or more device groups from the rule, select the Exclude device groups check box and click the field to select each device group you want to exclude. To remove a device group that you've added in error, click its "x" icon. When you're done, click outside the field and click Close.
    • If you're granted permissions to manage the devices in a single device group only, the Apply to setting is preset to your assigned device group. Go to the next step.
  13. To activate the rule now, leave the Active slider near the top of the page as is (green background). To activate it later, click the slider to turn it off (gray background).
  14. Click Save.
  15. If you activated an account-level rule, it is applied to your account. If you activated a device-level rule, it is applied to the devices in the specified device groups. Going forward, when events occur that meet the criteria set in this rule, an email notification is sent to all specified recipients and a Rule triggered event is logged to the Events page in the History area.
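The following example is added here to illustrate the procedure above; it is not part of the Absolute documentation or product. It models how criteria built from the listed conditions, combined with the days window, could be evaluated against logged events. The event and field names follow the example table (Device user information updated > Domain, Operating system updated > Version, Device unenroll failed); the Event and Criterion structures, the condition semantics and the sample events are assumptions of this model, not how the console works internally.

```python
"""Added illustrative model of a custom rule's criteria and days window being
evaluated over logged events. Not Absolute's code; condition semantics assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import product
from typing import Optional

@dataclass(frozen=True)
class Event:
    time: datetime
    device: str
    name: str                    # e.g. "Device user information updated"
    field: Optional[str] = None  # e.g. "Domain"
    old: object = None           # previous value; only "changed" needs it
    new: object = None           # current value

@dataclass(frozen=True)
class Criterion:
    event: str
    field: Optional[str] = None
    condition: Optional[str] = None  # None: the event itself is the trigger
    value: object = None             # entered as free text in the console

# Text conditions compare the field as a string; numeric ones parse both sides.
_TEXT = {
    "is": lambda s, v: s == v,
    "is not": lambda s, v: s != v,
    "contains": lambda s, v: v in s,
    "does not contain": lambda s, v: v not in s,
    "is empty": lambda s, v: s == "",
    "is not empty": lambda s, v: s != "",
    "begins with": lambda s, v: s.startswith(v),
    "ends with": lambda s, v: s.endswith(v),
}
_NUMERIC = {
    "greater than": lambda n, v: n > v,
    "greater than or equal to": lambda n, v: n >= v,
    "less than": lambda n, v: n < v,
    "less than or equal to": lambda n, v: n <= v,
}

def evaluate_condition(condition, new, old, value):
    """Apply one of the page's conditions. The console does not validate the
    entered value, so in this model an unparsable numeric value never matches."""
    s_new = "" if new is None else str(new)
    try:
        if condition == "changed":
            return old is not None and new != old
        if condition in _TEXT:
            return _TEXT[condition](s_new, "" if value is None else str(value))
        if condition in _NUMERIC:
            return _NUMERIC[condition](float(s_new), float(value))
        if condition in ("between", "not between"):
            lo, hi = (float(x) for x in value)  # value is a (low, high) pair
            inside = lo <= float(s_new) <= hi
            return inside if condition == "between" else not inside
    except (TypeError, ValueError):
        return False
    raise ValueError(f"unknown condition: {condition!r}")

def matches(c, e):
    """True when event e satisfies criterion c (field and condition optional)."""
    return (e.name == c.event and (c.field is None or e.field == c.field) and
            (c.condition is None or evaluate_condition(c.condition, e.new, e.old, c.value)))

def evaluate_rule(criteria, events, window_days=7):
    """Return {device: trigger_time} for each device on which one event per
    criterion occurred within window_days of each other (earliest completion)."""
    window, triggered = timedelta(days=window_days), {}
    for device in sorted({e.device for e in events}):
        dev_events = [e for e in events if e.device == device]
        per_criterion = [[e.time for e in dev_events if matches(c, e)]
                         for c in criteria]
        if not all(per_criterion):
            continue  # some criterion never matched on this device
        completions = [max(combo) for combo in product(*per_criterion)
                       if max(combo) - min(combo) <= window]
        if completions:
            triggered[device] = min(completions)
    return triggered

# Constructed sample events (not real console data); D is one day.
T0, D = datetime(2024, 5, 1), timedelta(days=1)
EVENTS = (
    Event(T0, "LAPTOP-01", "Device user information updated", "Domain", old="CORP", new="CORP"),
    Event(T0 + 1 * D, "LAPTOP-01", "Operating system updated", "Version", old="10.0.19045", new="10.0.22631"),
    Event(T0 + 2 * D, "LAPTOP-01", "Device user information updated", "Domain", old="CORP", new="WORKGROUP"),
    Event(T0 + 3 * D, "LAPTOP-02", "Device user information updated", "Domain", old="CORP", new="WORKGROUP"),
    Event(T0 + 20 * D, "LAPTOP-02", "Operating system updated", "Version", old="10.0.19045", new="10.0.22631"),
    Event(T0 + 5 * D, "LAPTOP-03", "Device unenroll failed"),
)
# Criteria matching the three rows of the page's example table.
DOMAIN_DRIFT = Criterion("Device user information updated", "Domain", "is not", "CORP")
UNENROLL_FAILED = Criterion("Device unenroll failed")
OS_CHANGED = Criterion("Operating system updated", "Version", "changed")

if __name__ == "__main__":
    print("domain drift:", evaluate_rule((DOMAIN_DRIFT,), EVENTS))
    print("drift + OS change in 7 days:", evaluate_rule((DOMAIN_DRIFT, OS_CHANGED), EVENTS, 7))
```

Running the script shows the effect of the days window: with DOMAIN_DRIFT and OS_CHANGED combined, LAPTOP-01 triggers (its two events are one day apart) while LAPTOP-02 does not (17 days apart), although both devices trigger each criterion on its own. It also shows why the page warns that entered values are not validated: a version string such as 10.0.22631 does not parse as a number, so a numeric condition on it silently never matches in this model.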