Creating custom rules
In the Policies > Rules area, you can configure and activate a rule to automatically send you an email notification when a particular event occurs, so you can promptly take the appropriate action. You can create a rule based on any of the events logged to the Events page in the History area.
In the context of custom rules, there are two types of events:
- Device-level events, such as Volume removed
- Account-level events, such as Role created
You can combine events of the same event type into a single rule so that you're alerted if multiple events occur within a specified number of days.
NOTE Email notifications may be delayed depending on the connection status of the device. If a device is offline when a device-level event occurs, the rule is not triggered until the device comes back online and checks in to the Absolute Monitoring Center.
To learn more about using rules to monitor events, visit the Learning Hub. To access the Learning Hub, click on the quick access toolbar and then click Resources > Learning Hub.
To create a rule:
- Log in to the Secure Endpoint Console as a user with Manage permissions for Rules.
- On the navigation bar, click Policies > Rules.
- Click Create rule and click Custom Rule.
- Click the title and enter a name for the rule.
- [Optional] Click Add description and enter a description for this rule.
- Enter the applicable event criteria by doing the following:
  - Click the Select an event field and select an event from the list. Events with an icon allow you to select more specific data related to the event.
    For example, you can select the following options under the Device user information updated event:
    - Domain
    - User name
  - If a second field shows, click the field and select one of the following conditions:
    NOTE The list of available conditions depends on the selected event.
    - changed
    - is
    - is not
    - contains
    - does not contain
    - is empty
    - is not empty
    - begins with
    - ends with
    - between
    - not between
    - greater than
    - greater than or equal to
    - less than
    - less than or equal to
  - If a third field shows, enter a value. Note that values entered in this field are not validated. Ensure that you enter a value that is valid for the selected event.
    Note that if you selected the is or contains condition in the previous step, you can enter multiple values in the field. Press Enter after each value. In this case, the rule is triggered when any of the values are included in the event record. See the example below.
    NOTE The third field does not show if you select any of the following conditions: changed, is empty, or is not empty.
Rule event examples
- To add a second event, click AND and specify the applicable criteria in the provided fields.
  NOTE The list of events is now filtered based on the type of the first event you selected. That is, if you selected a device-level event, such as Volume removed, you can only add more device-level events. Similarly, if you selected an account-level event, such as Role created, you can only add more account-level events. To reset the event list so all events are listed, click the icon next to the first event.
- Repeat the previous step for each event that you want to add. You can add up to 20 events.
- If you've added multiple events, a 7 days field now shows above the first event field. Click the field and select the maximum number of days within which the events must occur for the rule to be triggered. Options are 1 to 29 days. For example, if you want to be alerted only if all events occur within 2 days of each other, select 2 days.
- The Send email field is prepopulated with your email address. Do one of the following:
  - To send email notifications to other users:
    - Click Edit and click the field to open a selection list of email addresses associated with your account.
    - Begin entering each email address and then select it from the list. To send alerts to individuals that are not console users, enter their full email address, pressing Enter after each one. To remove an address, click its icon. When you're done, click Close.
  - To disable email notifications entirely, click Edit and remove all email addresses from the field. When you're done, click Close.
    NOTE When the rule is triggered, an event is logged to the Events page in the History area, but no emails are sent. You may prefer this option if Absolute is integrated with a SIEM application.
- If the Apply to section shows, you added one or more device-level events. Do one of the following:
  - If you're granted permissions to manage all devices, the Apply to setting is preset to All Active Devices. To make changes, click Edit and do one of the following:
    - Click the field to remove All Active Devices and select each device group you want to assign the rule to. To remove a device group, click its "x" icon. When you're done, click outside the field and click Close.
    - To apply the rule to all active devices, but exclude one or more device groups, select the Exclude device groups check box and click the field to select each device group you want to exclude. To remove a device group that you added, click its "x" icon. When you're done, click outside the field and click Close.
  - If you're granted permissions to manage the devices in a single device group only, the Apply to setting is preset to your assigned device group. Go to the next step.
- To activate the rule now, leave the slider near the top of the page set to On (green). To activate it later, click the slider to turn it Off (gray).
- Click Save.
The rule is created, and a Rule created event is logged to Event History.
If you activated an account-level rule, it is applied to your account. If you activated a device-level rule, it is applied to the devices in the specified device groups. Going forward, when events occur that meet the criteria set in this rule, an email notification is sent to all specified recipients and a Rule triggered event is logged to the Events page in the History area.
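The following is an added example, not Absolute's own code and not the console's actual matching logic, which this page does not publish. It models the rule semantics described above so that the behaviour can be checked against sample data: the condition list offered in the second field, the multi-value form of is and contains (any value matching triggers), several criteria joined with AND, and the requirement that one matching record per criterion fall within the selected number of days (1 to 29). The event records, field names (user_name, volume, previous_user_name) and timestamps are constructed for illustration; in particular, changed is modelled here by a record carrying the field's previous value, which is an assumption about the data shape.

```python
"""Model of custom-rule evaluation (added example; assumed data shapes, see lead-in)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from itertools import product
from typing import Any, Optional

# Numeric conditions from the console's condition list.
NUMERIC = {
    "greater than": lambda a, b: a > b,
    "greater than or equal to": lambda a, b: a >= b,
    "less than": lambda a, b: a < b,
    "less than or equal to": lambda a, b: a <= b,
}


def condition_holds(cond: str, actual: Any, values: list, previous: Any = None) -> bool:
    """Evaluate one condition. 'is' and 'contains' accept several values and hold
    when any one matches; every other condition uses the first value only."""
    text = "" if actual is None else str(actual)
    if cond == "changed":                 # assumed: caller passes the prior value
        return previous is not None and previous != actual
    if cond == "is":
        return any(text == str(v) for v in values)
    if cond == "is not":
        return text != str(values[0])
    if cond == "contains":
        return any(str(v) in text for v in values)
    if cond == "does not contain":
        return str(values[0]) not in text
    if cond == "is empty":
        return text == ""
    if cond == "is not empty":
        return text != ""
    if cond == "begins with":
        return text.startswith(str(values[0]))
    if cond == "ends with":
        return text.endswith(str(values[0]))
    if actual is None:                    # numeric conditions need a value
        return False
    if cond in ("between", "not between"):
        lo, hi = sorted(float(v) for v in values[:2])
        inside = lo <= float(actual) <= hi
        return inside if cond == "between" else not inside
    if cond in NUMERIC:
        return NUMERIC[cond](float(actual), float(values[0]))
    raise ValueError(f"unknown condition: {cond}")


@dataclass
class Criterion:
    event: str                          # event name, e.g. "Volume removed"
    field_name: Optional[str] = None    # None: any record of this event matches
    cond: Optional[str] = None
    values: list = field(default_factory=list)

    def matches(self, rec: dict) -> bool:
        if rec.get("event") != self.event:
            return False
        if self.field_name is None:
            return True
        return condition_holds(self.cond, rec.get(self.field_name), self.values,
                               rec.get(f"previous_{self.field_name}"))


@dataclass
class Rule:
    name: str
    criteria: list                      # up to 20 criteria, joined with AND
    within_days: int = 7                # 1..29; only matters with several criteria
    recipients: list = field(default_factory=list)  # empty: event logged, no email

    def evaluate(self, log: list) -> Optional[list]:
        """Return one record per criterion that together trigger the rule, or None.
        All chosen records must lie inside a window of within_days (latest minus earliest)."""
        if not 1 <= self.within_days <= 29:
            raise ValueError("within_days must be 1..29")
        per_criterion = [[r for r in log if c.matches(r)] for c in self.criteria]
        if any(not m for m in per_criterion):
            return None
        window = timedelta(days=self.within_days)
        for combo in product(*per_criterion):
            times = [datetime.fromisoformat(r["time"]) for r in combo]
            if max(times) - min(times) <= window:
                return list(combo)
        return None


# Constructed sample events for illustration only.
SAMPLE_LOG = [
    {"event": "Device user information updated", "time": "2024-03-01T09:00:00",
     "device": "LAPTOP-01", "user_name": "jdoe", "previous_user_name": "asmith"},
    {"event": "Volume removed", "time": "2024-03-02T14:30:00", "device": "LAPTOP-01", "volume": "D:"},
    {"event": "Volume removed", "time": "2024-03-20T08:00:00", "device": "LAPTOP-01", "volume": "E:"},
]


def user_change_then_volume_removed(within_days: int) -> Optional[list]:
    """Device-level rule: user name changed AND a volume removed, within N days."""
    rule = Rule("user change + volume removed",
                [Criterion("Device user information updated", "user_name", "changed"),
                 Criterion("Volume removed")], within_days=within_days)
    return rule.evaluate(SAMPLE_LOG)


def user_is_one_of(names: list) -> Optional[list]:
    """Single criterion using the multi-value form of 'is'."""
    rule = Rule("watched users", [Criterion("Device user information updated", "user_name", "is", names)])
    return rule.evaluate(SAMPLE_LOG)


if __name__ == "__main__":
    hit = user_change_then_volume_removed(2)
    print("within 2 days:", [r["event"] for r in hit] if hit else "not triggered")
    print("within 1 day:", "triggered" if user_change_then_volume_removed(1) else "not triggered")
    print("user is jdoe or rlee:", "triggered" if user_is_one_of(["jdoe", "rlee"]) else "not triggered")
```

Running the sample shows the day-window rule from the procedure in action: the user change on 1 March and the volume removal on 2 March are about 29.5 hours apart, so a 2-day rule triggers on that pair while a 1-day rule does not, and the 20 March removal never pairs with the user change. As the page notes, values are not validated by the console, so a criterion with a non-numeric value against a numeric condition would simply never match; the model mirrors that by returning False rather than raising when the record's field is missing.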