How event management policies work
All event management policies must include the following components:
- Event selector
- Process(es)
- Timeframe(s)
- Evaluation order
Each event management policy defines selection criteria that are applied to incoming events to determine which events are processed. A timeframe determines when the policy is active or inactive. The evaluation order determines which policies are implemented first if there is a conflict.
In addition to these components, dynamic enrichment policies also require a dynamic enrichment source file. For more information about how dynamic enrichment policies interact with dynamic enrichment source files, see How dynamic enrichment event management policies work.