Defining the "From Which Client?" Conditions

In the From Which Client? section of the Create Alert Rule page, you can define (or edit) the name or IP address of the client computer from which the suspicious activity occurred.

The From Which Client? conditions can be configured only for alert type rules.

To define the "From Which Client?" conditions

  1. Open the From Which Client? section by clicking or the Edit icon.

  2. To specify the client computer name or IP address that was used to connect to the monitored computers, select the required option, the relevant operator, and specify the required value(s) for each condition that you want to define, as described in the following table.

    When defining the values by which to evaluate the condition of an alert rule, you can enter multiple values separated by commas either directly or by clicking the […] icon to open a popup in which you can enter the value. When Lists are supported, you can choose to select a predefined List instead of entering a set of values. You can use Lists to define values for both the Client name and Client IP address options. Note that the operator for the condition also depends on whether you are defining values or Lists; for example, "contains" in "Values mode" would be "contains value from the list" in List mode. For details, see Understanding the Logic for Defining Rule Conditions.

Options for Defining the "From Which Client?" Conditions

| Field | Operator | Example |
| --- | --- | --- |
| Client name | | OITLAP, OITPC, LOCAL\LAPTOP |
| Client IP address | | 10.1.0.16, 10.1.2.100 |

Note: When alert rules are based on client IP address ranges, you can specify the IP address range using the CIDR notation format: aaa.bbb.ccc.ddd/N, where N is an integer between 0 and 32.
For example: 192.158.2.0/24

You can click the link Check CIDR syntax to check if your format is permitted.
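
To pre-check a comma-separated Client IP address value offline before entering it in a rule, the following added example (not product code) validates each entry against the aaa.bbb.ccc.ddd/N format and tests whether a given client address falls inside the accepted entries. The function names are hypothetical, and the product's own Check CIDR syntax link may apply different rules, for instance for ranges whose host bits are set.

```python
import ipaddress

def parse_client_ip_values(raw):
    """Split a comma-separated condition value into IPv4 networks and rejected entries."""
    networks, errors = [], []
    for entry in (e.strip() for e in raw.split(",")):
        if not entry:
            continue
        addr, sep, prefix = entry.partition("/")
        # Assumption: only the /N form (N = 0..32) is accepted, not dotted netmasks.
        if sep and not prefix.isdigit():
            errors.append((entry, "prefix must be an integer between 0 and 32"))
            continue
        try:
            # strict=True rejects ranges with host bits set, e.g. 192.158.2.5/24.
            # A single address without /N is treated as a /32.
            networks.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError as exc:
            errors.append((entry, str(exc)))
    return networks, errors

def client_matches(client_ip, networks):
    """Return True if the client address is covered by any accepted entry."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    # Constructed sample value: the page's examples plus two malformed ranges.
    sample = "10.1.0.16, 10.1.2.100, 192.158.2.0/24, 192.158.2.5/24, 10.0.0.0/33"
    nets, errs = parse_client_ip_values(sample)
    for net in nets:
        print("accepted:", net)
    for entry, reason in errs:
        print("rejected:", entry, "-", reason)
    for ip in ("192.158.2.77", "10.1.0.17"):
        print(ip, "matches" if client_matches(ip, nets) else "does not match")
```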