Creating a New Event Definition

You can edit all events, not only user-defined events. If you change a predefined event Record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy.,the result is saved as a new user defined event.

To create a new event definition:

1. From the Actions menu, select New Custom Event.

   The Event Definition Wizard opens.

2. For Create an event

   1. Select that is based on an existing event.

   2. Select an event that has equivalent properties to the event you want to create.

   3. Click Next.

3. Name the Event Definition.

4. Enter a Description.

5. Select a Severity level.

6. Click Next.

7. Set which of these options generates the event:

   • A single log - Frequently depicts an event, such as a log from a virus scanner that reports that a virus has been found.

   • Multiple logs - Required if the event can only be identified as a result of a combination of multiple logs, such as a High Connection Rate.

   Click Next.

8. Examine the products that can cause this event.

9. Select Next.

10. Optional: Edit the product filters:

    • If you added a product you can edit the filters for each product (Edit all product filters), or those of new products you added (Edit only newly selected product filters).

    • If you did not add other products, edit the filters of existing products (Yes) or skip this step (No, Leave the original files).

    Click Next.

11. Edit or add product filters for each log necessary in the Event Definition filter

    1. Select the Log field from the available Log Field list.

    2. Click Add to edit the filter.

    3. Make sure that the filter matches on All Conditions or Any Conditions.

    4. Double-click the Log field and select the values to use in the filter.

    Click Next.

12. When you defined the filters for each product, select values for these options to define how to process logs

    • Detect the event when at least__ logs occurred over a period of __ seconds contains the event thresholds that define the event. You can modify the event thresholds by altering the number of logs and/or the period of time that define the event.

    • Each event definition may have multiple Event Candidates existing simultaneously allows you to set whether SmartEvent creates distinct Event Candidates based on a field (or set of fields) that you select below.

      Select the field(s) by which distinct Event Candidates will be created allows you to set the field (or set of fields) that are used to differentiate between Event Candidates.

    • Use unique values of the __ field when counting logs directs SmartEvent to count unique values of the specified field when determining whether the Event Threshold has been surpassed. When this property is not selected, SmartEvent counts the total number of logs received.

13. Click Finish.