
Defining event policies for enrichment, correlation, notification, and suppression


As an administrator, use event policies to process events and set up routine actions for event management quickly and easily. With these policies, you can define actions that must be run when events with specific conditions are generated. Event policies process only incoming events.

Use event policies to perform the following actions to identify actionable events:

  • Refine event information by performing event enrichment.
  • Establish event relationships by correlating events.
  • Filter unwanted events by suppressing events.
  • Generate event-based notifications based on certain conditions.

We do not recommend that you use event policies to process existing events, for example, events that are 7 days old.

Each event policy consists of the following details:

  • The basic policy information such as the name, description, and precedence.
  • The event selection criteria, which are the first filter by which incoming events are selected for further processing.
  • A time frame for the policy to be active.
  • A built-in evaluation order for the different types of event policies configured.
  • The configuration settings that define actions to determine how the events must be processed. 

Except for the evaluation order, you can configure these details while configuring an event policy.

 
