# Event-Rules

**Event Rules** automate the handling of both new and existing Events in the Case-Hub. Each rule uses a Reflex Query Language (RQL) query to identify matching Events as they arrive and then executes the configured actions on them. All created rules are managed from the Event Rules page.

## Creating an Event Rule

Event Rules can be created from the "Event Rules" page or directly from the "Event Queue" page. The steps below create an Event Rule from the "Event Queue" page:

1. Navigate to the **"Event Queue"** page from the dashboard, and identify the event for which you want to create an event rule.
2. Click the **blue graph icon** in the bottom left of the Event card, underneath the observables. This opens the rule creation wizard, pre-populated with a rule name for the selected event.
3. Enter details, and set **expiration** (if needed).
4. For the Event query, the system auto-generates a default rule from the selected event's observables. Check the query and make any required adjustments to the rule.

   Note: Ensure the rule condition is properly tuned and has the fields you need.
5. Click **Test Rule** to test the Rule.
6. Determine **Event actions**.
7. Determine **Case actions** (choose between the **New** and **Merge** case options).

   Note: choosing the "New Case" option creates a new case for every matched event.
8. Determine **notifications** (if needed).
9. Review the **Event Rule** and click **Create**.

## Editing an Event Rule

To modify an Event Rule after creation, the following steps can be used:

1. Navigate to the **Event Rules** page from the **Dashboard**
2. Locate the Event Rule you wish to edit
3. Click **Manage -> Edit Rule**
4. Make required changes and **save**

## Disable an Event Rule

To disable an Event Rule, the following steps can be used:

1. Navigate to the **Event Rules** page from the **Dashboard.**
2. Locate the Event Rule you wish to disable.
3. Click **Manage -> Disable Rule**, or toggle the **Active** switch to **`NO`** while editing the rule and save.

## Event Rule Fields

Following are the different fields you need to fill in while creating an event rule:

<table><thead><tr><th width="188">Fields</th><th>Details</th></tr></thead><tbody><tr><td><strong>Organization</strong></td><td>Select the Organization from the list to which the Rule applies</td></tr><tr><td><strong>Rule Name</strong></td><td>Give the Rule a relevant name</td></tr><tr><td><strong>Rule Description</strong></td><td>Provide a description of the Rule and its purpose</td></tr><tr><td><strong>Active</strong></td><td>The Rule is actively run against Events</td></tr><tr><td><strong>Protected</strong></td><td>The Rule can only be edited and disabled by its creator</td></tr><tr><td><strong>Run Retroactive</strong></td><td>The Rule runs retroactively when saved, meaning Case-Hub will attempt to match the Rule to any event that is in the <code>New</code> state</td></tr><tr><td><strong>Global Rule</strong></td><td>The Rule exists in the Default Tenant and applies to every tenant in the Case-Hub instance</td></tr><tr><td><strong>Priority</strong></td><td><p>Determines which Event Rules are processed first.</p><p>Rules with a lower-numbered priority run first; Rules with a higher-numbered priority run after them.</p></td></tr><tr><td><strong>Expire</strong></td><td>The Rule automatically disables itself after <code>x</code> days (<code>1</code> is the default)</td></tr><tr><td><strong>Query</strong></td><td>Provide an <a href="/pages/gLyzORATzXUvlkfjzjxd">RQL query</a> that matches Events to this Rule based on the chosen criteria</td></tr><tr><td><strong>Number of Test Events</strong></td><td><p>Reflex fetches the last <code>x</code> Events and compares this Rule against them.</p><p>Event Rules can be tested retroactively against the entire collection of Events in the system. This means that Case-Hub will attempt to test the Rule against all Events in <em>any</em> state.<br><br><strong>Best Practices:</strong><br>Testing across a large set of Events is time-consuming. Fine-tune the testing criteria by selecting a relevant start and end date and by adjusting the Number of Test Events to something reasonable (the default is 1,000 Events).<br><br><strong>Note:</strong> In multi-tenant environments, if Global Rule is switched to YES, the test is run across <em>all</em> tenants.</p></td></tr><tr><td><strong>Start Time</strong></td><td>Start of the search period to test the Rule against</td></tr><tr><td><strong>End Time</strong></td><td>End of the search period to test the Rule against</td></tr><tr><td><strong>Include Results</strong></td><td>Presents all matched Events in a new window</td></tr></tbody></table>

## Event Rule Actions

There are a number of actions that Event Rules can perform when matched to Events. Multiple actions can be applied simultaneously (e.g. an event can be tagged **and** moved into a case at the same time).

<table><thead><tr><th width="208">Event Actions</th><th>Details</th></tr></thead><tbody><tr><td><strong>Dismiss Event</strong></td><td>Select a dismiss reason and enter a dismiss comment to automatically dismiss Events that match this Rule</td></tr><tr><td><strong>Add Tags</strong></td><td>Apply additional tags to Events that match this Rule</td></tr><tr><td><strong>Update Severity</strong></td><td>Change the severity of Events that match the Rule</td></tr></tbody></table>

<table><thead><tr><th width="212">Case Actions</th><th>Details</th></tr></thead><tbody><tr><td><strong>Create New Case</strong></td><td>Creates a new Case for every Event that matches the Rule</td></tr><tr><td><strong>Case Template</strong></td><td>Select a Case Template to apply when the new Case is created</td></tr><tr><td><strong>Merge into Case</strong></td><td>Merges Events that match the Rule into a Case</td></tr></tbody></table>

## Examples

Event Rules add further automation to your Case-Hub environment and have many use cases. Below are a few examples:

* Dismiss all successful remote logins where the username is that of a known admin.
* Dismiss benign or known good values for particular Detections.
* Merge all Events generated by a particular Detection into a Case for client review.
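
As an added illustration, not Case-Hub's own code or its RQL, the following Python model plays through the field and action semantics described on this page and the example use cases in the list above: priority ordering, a rule that has passed its Expire window, the Dismiss Event and Add Tags actions, Merge into Case versus Create New Case, and Run Retroactive matching only Events in the New state. The `Event` and `EventRule` classes, the `RuleEngine`, the sample Events and the Python lambda standing in for an RQL query are all assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional

# Constructed model of the Event Rule semantics this page describes (Active, Priority, Expire,
# Run Retroactive, Event and Case actions); the classes, sample data and the Python predicate
# standing in for an RQL query are assumptions of this example, not Case-Hub code.

@dataclass
class Event:
    id: int
    detection: str
    observables: dict
    state: str = "New"  # New -> Dismissed | In Case
    tags: set = field(default_factory=set)
    case_id: Optional[int] = None

@dataclass
class EventRule:
    name: str
    match: Callable[[Event], bool]  # stands in for the RQL query
    created: datetime
    priority: int = 100  # Priority: lower number runs first
    active: bool = True  # Active
    expire_days: int = 1  # Expire: rule disables itself after x days (default 1)
    dismiss_reason: Optional[str] = None  # Event action: Dismiss Event
    add_tags: set = field(default_factory=set)  # Event action: Add Tags
    case_action: Optional[str] = None  # Case action: "new" (Create New Case) or "merge"
    merge_case_id: Optional[int] = None  # Case that "merge" appends to

class RuleEngine:
    def __init__(self, rules: list, now: datetime):
        self.rules = sorted(rules, key=lambda r: r.priority)  # lower number first
        self.now = now
        self.cases: dict = {}  # case id -> list of Event ids

    def _is_live(self, rule: EventRule) -> bool:
        if rule.active and self.now >= rule.created + timedelta(days=rule.expire_days):
            rule.active = False  # Expire: the rule has disabled itself
        return rule.active

    def _apply(self, rule: EventRule, ev: Event) -> None:
        # Several actions may fire together, e.g. tag AND move into a Case.
        ev.tags |= rule.add_tags
        if rule.dismiss_reason is not None:
            ev.state = "Dismissed"
        if rule.case_action == "new":  # a separate Case for every matched Event
            cid = max(self.cases, default=0) + 1
        elif rule.case_action == "merge":  # all matched Events share one Case
            if rule.merge_case_id is None:
                rule.merge_case_id = max(self.cases, default=0) + 1
            cid = rule.merge_case_id
        else:
            return
        self.cases.setdefault(cid, []).append(ev.id)
        ev.case_id, ev.state = cid, "In Case"

    def evaluate(self, rule: EventRule, ev: Event) -> bool:
        """Match one live rule against an Event that is still in the New state.
        Model assumption: once dismissed or placed in a Case, an Event is final."""
        if ev.state == "New" and self._is_live(rule) and rule.match(ev):
            self._apply(rule, ev)
            return True
        return False

    def process(self, ev: Event) -> list:
        # Incoming Event: try every rule in priority order; return the names that fired.
        return [r.name for r in self.rules if self.evaluate(r, ev)]

    def run_retroactive(self, rule: EventRule, events: list) -> int:
        # Run Retroactive: match a just-saved rule against existing Events in the New state.
        return sum(self.evaluate(rule, ev) for ev in events)

def build_demo(now: datetime = datetime(2024, 1, 10, 12, 0)):
    """Constructed rules and Events mirroring the page's example use cases."""
    rules = [
        EventRule("Dismiss admin remote logins", priority=10, created=now, expire_days=30,
                  match=lambda e: e.detection == "Remote Login Success"
                  and e.observables.get("user") in {"jdoe-adm", "asmith-adm"},
                  dismiss_reason="Known admin activity", add_tags={"known-admin"}),
        EventRule("Client review: beacon detections", priority=20, created=now,
                  expire_days=30, match=lambda e: e.detection == "DNS Beacon Heuristic",
                  case_action="merge"),
        EventRule("Stale triage rule", priority=5, created=now - timedelta(days=3),
                  match=lambda e: True, add_tags={"stale"}),  # Expire=1 day -> inactive
    ]
    events = [  # constructed sample Events
        Event(1, "Remote Login Success", {"user": "jdoe-adm", "src": "10.0.0.5"}),
        Event(2, "Remote Login Success", {"user": "mallory", "src": "10.0.0.9"}),
        Event(3, "DNS Beacon Heuristic", {"host": "ws-17"}),
        Event(4, "DNS Beacon Heuristic", {"host": "ws-22"}),
    ]
    engine = RuleEngine(rules, now)
    fired = {ev.id: engine.process(ev) for ev in events}
    # A rule saved afterwards and run retroactively only touches Events still in New state.
    late = EventRule("Tag remaining remote logins", created=now, expire_days=7,
                     add_tags={"review"}, match=lambda e: e.detection == "Remote Login Success")
    retro_hits = engine.run_retroactive(late, events)
    return engine, events, fired, retro_hits
```

Calling `build_demo()` returns the engine, the four Events, the rule names that fired per Event, and the retroactive hit count: the known-admin login is dismissed and tagged, the unknown login stays in the New state, both beacon Events land in one shared Case, and the stale rule never fires because Expire has disabled it. Switching the beacon rule's `case_action` to `"new"` gives each Event its own Case, which is the behaviour the note under step 7 describes.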
