Case-Hub Event Rules
Event Rules are utilized to automate both new and existing Events within the Case-Hub. Reflex Query Language (RQL) is used by Event Rules to identify and execute certain actions on matching events as they come through. All the created rules can be managed from the Event Rules page.
Event Rules can be created from the "Event Rules" page or directly from the "Event-Queue" page, here we will go through the steps for creating an Event Rule from the "Event-Queue" page:
- 1.Navigate to the "Event Queue" page from the dashboard, and identify the event for which you want to create an event rule.
- 2.Click the "Blue Graph Icon" located in the bottom left of the Event card underneath observables, this will open the rule creation wizard, pre-populated with the rule name for the selected event.
- 3.Enter details, and set expiration (if needed).
- 4.For the Event query, the system will auto-generate a default rule based on selected event observables, check the query, and make required adjustments to the rule.Note: Ensure the rule condition is properly tuned and has the fields you need.
- 5.Click Test Rule to test the Rule.
- 6.Determine Event actions,
- 7.Determine Case actions (choose between New/Merge case options),Note: choosing the "New-Case" option will create a new case for every event matched.
- 8.Determine notifications (if needed).
- 9.Review the Event Rule and click Create
To modify an Event Rule after creation, the following steps can be used:
- 1.Navigate to the Event Rules page from the Dashboard
- 2.Locate the Event Rule you wish to edit
- 3.Click Manage -> Edit Rule
- 4.Make required changes and save
To disable an Event Rule, the following steps can be used:
- 1.Navigate to the Event Rules page from the Dashboard.
- 2.Locate the Event Rule you wish to disable.
- 3.Click Manage -> Disable Rule (or) toggle the Active switch to
NOwhile editing the rule, save.
Following are the different fields you need to fill in while creating an event rule:
There are a number of actions that Event Rules can perform when matched to Events. Multiple actions can be applied simultaneously (e.g. an event can be tagged and moved into a case at the same time).
Event Rules are extremely useful for additional automation in your Case-Hub environment and have countless use cases. Below are a few examples:
- Dismiss all successful remote logins where the username is that of a known admin.
- Dismiss benign or known good values for particular Detections.
- Merge all Events generated by a particular Detection into a Case for client review.