Trigger data items
To support the preceding construct, each trigger has specific data items configured on the Correlation > Triggers screen. Clicking AddNew or Edit on this screen allows you to specify or modify the following data items:
- Trigger name—This is the name for the trigger. The name appears in the Match Trigger drop-down menu of the Threads and Actions screen. The trigger name is also the name of the global variable that is created for the system, as discussed further. Each trigger name must be unique and no longer than 15 characters.
- Trigger set expression—This is a correlation match expression, as discussed in Simple-match-expressions and Advanced-expressions. The expression can consist of keywords, phrases, wildcards, and logical and comparison operators. When an incoming message matches this expression, the trigger is set.
- Trigger clear expression—This is an optional field consisting of a correlation match expression that can be used to clear the trigger prior to the expiration time. When an incoming message matches this expression and the trigger is set, the trigger is cleared and the internal trigger timer is reset.
- Trigger expiration time—This field specifies, in seconds, how long the trigger will remain enabled before expiring. When the trigger is set, the internal trigger timer starts and continues until the clear expression is received. If this internal timer reaches its expiration time before a clear expression is received, the trigger is cleared. The time can range from 10 seconds to approximately 24 hours.
- Trigger expiration severity—This is the severity of the internal message that is sent to BMC Defender Server should a trigger reach its expiration time before a clear message is received. By default, this value is disabled. The operator can assign some severity to this value in order to watch for events that do not happen, such as an invalid login that is not followed within two minutes by a valid login.
- Retrigger flag—This special flag (either Yes or No) governs how the trigger behaves when it matches a message and the trigger is already set. The default value is Yes, to retrigger the trigger: if the trigger is already set, and a message matches the trigger set expression, then the internal expiration timer is restarted. If the flag is No, the internal expiration timer continues and the trigger ignores this second message.
When BMC Defender Server receives any message, the message content is compared to each trigger specified on the system. This occurs before checking any Threads or Actions on the system. If the message matches any of the trigger set expressions, that trigger state is set, and the expiration timer starts. If the message matches any of the trigger clear expressions, that trigger state is cleared, and the expiration timer is reset.
Each second, the BMC Defender Server system checks the timers of all currently set triggers. Any trigger that is set, and has expired, is cleared. Therefore, if no explicit clear expression is specified, the trigger eventually expires and clears itself.
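The set, clear, expiration and retrigger behavior described above can be modelled as a small state machine. The following is an added example, not BMC Defender Server code: match expressions are reduced to substring tests, and the alert text, the replay helper and the sample messages are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Trigger:
    """Model of one trigger. Expressions are plain substrings (assumption)."""
    name: str
    set_expr: str
    clear_expr: Optional[str] = None          # optional on the page
    expire_secs: int = 120
    expire_severity: Optional[str] = None     # None models "disabled"
    retrigger: bool = True                    # page default is Yes
    deadline: Optional[int] = field(default=None, init=False)  # None = not set

    def __post_init__(self):
        if len(self.name) > 15:
            raise ValueError("trigger name longer than 15 characters")

    def on_message(self, now: int, msg: str) -> None:
        if self.set_expr in msg:
            # Retrigger=Yes restarts the timer; No ignores a match while already set.
            if self.deadline is None or self.retrigger:
                self.deadline = now + self.expire_secs
        if self.clear_expr and self.clear_expr in msg and self.deadline is not None:
            self.deadline = None              # cleared before expiry, timer reset

    def tick(self, now: int) -> Optional[str]:
        """Per-second check: clear an expired trigger, return the internal message."""
        if self.deadline is None or now < self.deadline:
            return None
        self.deadline = None
        if self.expire_severity is None:
            return None
        return f"{self.expire_severity}: trigger {self.name} expired"

def replay(trigger, events, until):
    """Feed (second, message) pairs, run the per-second check, return [(second, alert)]."""
    alerts = []
    for now in range(until + 1):
        for t, msg in events:
            if t == now:
                trigger.on_message(now, msg)
        alert = trigger.tick(now)
        if alert:
            alerts.append((now, alert))
    return alerts

if __name__ == "__main__":
    # Constructed sample: a failed login with no valid login within two minutes.
    watch = Trigger("BadLogin", "login failed", "login ok", 120, "warning")
    print(replay(watch, [(0, "login failed user=bob")], 300))
```

With the retrigger flag set to Yes, a steady stream of matching messages keeps pushing the expiration out, so the expiration message only fires once the matches stop for the full expiration time.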