Anatomy of a rule

The most basic parts of a rule are the event selection, the grouping key, the time window for stateful rules, the rule response, the activation interval, and the life cycle actions. A rule also includes expressions and variables. An expression is code that contains custom logic that can be added to a rule.

Event selection

Event selection criteria determine which events are accepted for processing by the rule. The <eventSelector> element defines the event selection criteria for a rule. Event selection applies to all rules except those that are defined by the timer pattern. Because the timer rule does not process events, it does not contain event selection criteria.

Grouping key

Typically, each active rule has one rule instance, or copy, that is running in the Active Correlation Technology engine. However, sometimes the same rule is needed for different groups of events, which are often related to different groups of resources. The grouping key is a method for directing a rule to create a separate rule instance (or copy of itself) for each group of events that share common characteristics.

The grouping key serves as an additional form of event selection. If a rule is defined with a grouping key, and the rule receives an event with the characteristic that is defined by the grouping key, the event is sent to the rule instance that is processing the events that share that characteristic. For example, you can define a rule that collects all security events of type Audit Failure and define the grouping key to be the hostname attribute of an event. The rule can now be used multiple times, with a separate copy of the rule running for each unique value of the hostname attribute. You can also monitor all systems that receive the Audit Failure event to determine if more than 10 such events occur in a time period of 2 minutes for each host name.

The <groupingKey> element defines the grouping key for a rule, and it is valid for rules that are defined by the collection, computation, duplicate, sequence, and threshold patterns.

Time window for stateful rules

Because stateful rules correlate multiple events that occur during a specific time period, a basic part of a stateful rule is the time window, which is defined by the <timeWindow> element. The time window specifies the time period during which the stateful rule processes events to match its pattern.
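The Audit Failure example from the grouping key section, together with the time window described above, as an added illustration that is not part of this documentation and not the Active Correlation Technology engine's own code: a small Python model of a threshold rule whose event selector accepts only Audit Failure events, whose grouping key is the hostname attribute (so one rule instance is created per unique host), and whose 2-minute time window slides over each instance's matched events. The event records, the class and function names, and the choice to clear an instance's window after a detection are assumptions made for this example.

```python
from collections import deque
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Optional, Tuple

Event = Dict[str, object]
Detection = Tuple[str, datetime, int]  # (grouping-key value, time, events in window)


class ThresholdRuleInstance:
    """One running copy of the rule for a single grouping-key value."""

    def __init__(self, key: str, threshold: int, window: timedelta) -> None:
        self.key = key
        self.threshold = threshold
        self.window = window
        # Timestamps of matched events that are still inside the sliding time window.
        self.in_window: Deque[datetime] = deque()

    def process(self, ts: datetime) -> Optional[Detection]:
        # Expire matched events that have fallen outside the time window.
        while self.in_window and ts - self.in_window[0] > self.window:
            self.in_window.popleft()
        self.in_window.append(ts)
        if len(self.in_window) > self.threshold:  # "more than 10" events
            count = len(self.in_window)
            self.in_window.clear()  # assumption: a detection consumes the matched events
            return (self.key, ts, count)
        return None


class ThresholdRule:
    """Event selection + grouping key + time window + threshold, one instance per key."""

    def __init__(self, selector: Callable[[Event], bool],
                 grouping_key: Callable[[Event], str],
                 threshold: int, window: timedelta) -> None:
        self.selector = selector
        self.grouping_key = grouping_key
        self.threshold = threshold
        self.window = window
        self.instances: Dict[str, ThresholdRuleInstance] = {}

    def process(self, event: Event) -> Optional[Detection]:
        # Event selection: events the selector rejects never reach any instance.
        if not self.selector(event):
            return None
        # Grouping key: route the event to the instance for its key, creating it on demand.
        key = self.grouping_key(event)
        inst = self.instances.get(key)
        if inst is None:
            inst = self.instances[key] = ThresholdRuleInstance(key, self.threshold, self.window)
        return inst.process(event["timestamp"])  # type: ignore[arg-type]


def build_sample_events() -> List[Event]:
    """Constructed sample events (not real audit data) for three hosts."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    events: List[Event] = []

    def add(host: str, kind: str, seconds: int) -> None:
        events.append({"timestamp": base + timedelta(seconds=seconds),
                       "type": kind, "hostname": host})

    for s in range(0, 120, 10):   # srv-a: 12 failures within 110 s -> 11th one trips the rule
        add("srv-a", "Audit Failure", s)
    for s in range(0, 220, 20):   # srv-c: 11 failures over 200 s -> never 11 inside one 2-min window
        add("srv-c", "Audit Failure", s)
    for s in range(0, 50, 10):    # srv-b: 5 failures, stays below the threshold
        add("srv-b", "Audit Failure", s)
    add("srv-b", "Audit Success", 25)  # rejected by the event selector
    add("srv-d", "Audit Success", 5)   # rejected, so no instance is ever created for srv-d
    events.sort(key=lambda e: e["timestamp"])  # type: ignore[arg-type,return-value]
    return events


def run_audit_failure_rule(events: List[Event]) -> Tuple[List[Detection], List[str]]:
    """Run the Audit Failure rule over the events; return detections and instance keys."""
    rule = ThresholdRule(
        selector=lambda e: e["type"] == "Audit Failure",
        grouping_key=lambda e: str(e["hostname"]),
        threshold=10,
        window=timedelta(minutes=2),
    )
    detections = [d for d in map(rule.process, events) if d is not None]
    return detections, sorted(rule.instances)


if __name__ == "__main__":
    dets, keys = run_audit_failure_rule(build_sample_events())
    print("instances:", keys)
    for key, ts, count in dets:
        print(f"detection: {count} Audit Failure events on {key} by {ts:%H:%M:%S}")
```

Only srv-a produces a detection: srv-c also logs 11 failures, but its oldest events expire from the 2-minute window before the count can exceed 10, which is exactly the distinction the time window exists to make. srv-d never gets a rule instance because the event selector runs before the grouping key is evaluated.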

Rule response

Rule response actions define the actions to take when the rule completes its processing. Each of the following language elements defines a different type of rule response action:
  • <action> within <onDetection>
  • <action> within <onNextEvent>
  • <action> within <onTimeOut>
  • <action> within <onTimeWindowComplete>
The types of rule response actions that are available to a rule are dependent on the rule pattern.

Activation interval

The activation interval defines when a rule is active and inactive. The <activationInterval> element defines the activation interval for a rule.

A rule can be activated or deactivated at a discrete point in time or by a specific event.

If you specify that a rule is to be activated, or deactivated, both at a discrete point in time and by a specific event, the rule is activated, or deactivated, by whichever occurs first: the point in time or the receipt of the event. In this case, the rule might be activated or deactivated by many events throughout its life cycle. For example, a rule might be activated by an event, deactivated, activated at a defined point in time, deactivated again, and activated by another event.

The <activationByGroupingKey> element is one of the elements contained within the <activationInterval> element. The <activationByGroupingKey> element contains elements that specify the events that can activate and deactivate a rule instance that is defined by the <groupingKey> element.
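The "whichever occurs first" behaviour described above, as an added illustration that is not part of this documentation and not the engine's own implementation: a Python model of an activation interval that has both a scheduled activation time and an activating event type, and both a scheduled deactivation time and a deactivating event type. Scheduled points in time fire once, while events can flip the state any number of times, which reproduces the activate/deactivate/activate-by-time/deactivate/activate-by-event sequence given in the example. The event type names, the timeline, and the `process` method that receives clock ticks as well as events are assumptions made for this example.

```python
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

Transition = Tuple[datetime, str, str]  # (time, "activated"/"deactivated", "time"/"event")


class ActivationInterval:
    """Rule activation state driven by scheduled points in time and by events."""

    def __init__(self, activate_at: Optional[datetime] = None,
                 activate_on: Optional[str] = None,
                 deactivate_at: Optional[datetime] = None,
                 deactivate_on: Optional[str] = None) -> None:
        self.activate_at = activate_at        # fires once, when the clock reaches it
        self.deactivate_at = deactivate_at    # fires once, when the clock reaches it
        self.activate_on = activate_on        # event type that activates the rule
        self.deactivate_on = deactivate_on    # event type that deactivates the rule
        self.active = False
        self.history: List[Transition] = []

    def _set(self, ts: datetime, active: bool, cause: str) -> None:
        self.active = active
        self.history.append((ts, "activated" if active else "deactivated", cause))

    def process(self, ts: datetime, event_type: Optional[str] = None) -> bool:
        """Advance the clock to ts, deliver an optional event, and return whether the rule is active."""
        # Scheduled points in time are consumed the first time the clock passes them,
        # and only take effect if the rule is not already in that state.
        if self.activate_at is not None and ts >= self.activate_at:
            if not self.active:
                self._set(ts, True, "time")
            self.activate_at = None
        if self.deactivate_at is not None and ts >= self.deactivate_at:
            if self.active:
                self._set(ts, False, "time")
            self.deactivate_at = None
        # Events are never consumed: the same event type may (de)activate the rule repeatedly.
        if event_type is not None:
            if not self.active and event_type == self.activate_on:
                self._set(ts, True, "event")
            elif self.active and event_type == self.deactivate_on:
                self._set(ts, False, "event")
        return self.active


def run_activation_demo() -> List[Tuple[str, str]]:
    """Constructed timeline: returns the (state, cause) sequence the interval goes through."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    interval = ActivationInterval(
        activate_at=base + timedelta(minutes=30),
        activate_on="MaintenanceStart",
        deactivate_at=base + timedelta(minutes=60),
        deactivate_on="MaintenanceEnd",
    )
    timeline = [
        (5, "MaintenanceStart"),   # event arrives before 09:30, so the event wins
        (10, "MaintenanceEnd"),    # deactivated by event
        (30, None),                # clock tick: scheduled activation fires
        (40, "MaintenanceEnd"),    # deactivated again by event
        (50, "MaintenanceStart"),  # activated by another event
        (60, None),                # clock tick: scheduled deactivation fires
        (65, "MaintenanceStart"),  # events keep working after both schedules are spent
    ]
    for minutes, event_type in timeline:
        interval.process(base + timedelta(minutes=minutes), event_type)
    return [(state, cause) for _, state, cause in interval.history]


if __name__ == "__main__":
    for state, cause in run_activation_demo():
        print(f"{state} by {cause}")
```

The first five transitions are the sequence from the text: activated by an event, deactivated, activated at the defined point in time, deactivated again, activated by another event. Because the scheduled times are consumed once but the event types are not, the rule can keep changing state long after both points in time have passed.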

Life cycle actions

The life cycle actions define the actions to take at the following four primary stages in the life cycle of a rule: load, activation, deactivation, and unload.

The <lifeCycleActions> element contains the following elements that define these actions:
  • <action> within <onLoad>
  • <action> within <onActivation>
  • <action> within <onDeactivation>
  • <action> within <onUnload>