Defining Rule Details

When creating or editing alert or Linux prevent rules, you must first define the details of the rule.

This topic describes how to define the details for alert and prevent rules, including the alert frequency.

To define details for a new alert rule

  • In the Alert & Prevent Rules tab, click the New Alert Rule button.

    The Create Alert Rule page opens in which you can define the required details of the alert rule.

To define details for a new Linux prevent rule

  • In the Alert & Prevent Rules tab, click the New Linux Prevent Rule button.

    The Create Linux Prevent Rule page opens in which you can define the required details of the Linux prevent rule.

To edit the details of an existing alert or prevent rule

  • In the list of rules in the Manage Alert & Prevent Rules page (see Viewing Rules), select a rule that you want to edit.

    The Edit Alert/Linux Prevent Rule dialog box opens, showing the details of the selected rule some of which you can edit. For example:

System rules have limited editing capabilities. For details, see Creating and Editing Alert Rules.

In the Alert/Linux Prevent Rule Details area of the Create/Edit Alert/Linux Prevent Rule page, specify or edit the following details:

Field Description


The name of the rule. For example: "Suspicious Unix activity after working hours".

Note: When editing a System rule, you cannot change the rule name.


A description for the rule that explains its meaning or motivation.

For example: "Warn about irregular access to database servers and suspicious activity over the weekend."


The category to which the rule is associated. The rule can also be UNCATEGORIZED.

To change the category, click the Change hyperlink. A dialog box opens enabling you to select a different category. For details, see Managing Rules Categories.

Note: When editing a System rule, you cannot change its category.

OS Type

Select the operating system(s) for which you want to create/edit the rule - Windows/Mac, Unix, or Both (Windows/Mac and Unix).

Note: The OS Type parameter that you define affects the "Did What?" condition options that are available, and also the actions that you can configure to be taken when an alert is generated.

Note: If you creating or editing a prevention rule, the only available OS type is Unix.

Note: When editing a System rule, you cannot change its OS Type.

Notification Policy

Select a notification policy that defines who should receive email notifications when an alert from this rule is triggered, and how often. For example: "Daily digest for Division Managers".

To define the policy, click the icon. For details, see Defining Notification Policies for Alerts.

There is no default notification policy. New rules are created with no policy, which means that newly generated alerts will not trigger any email.


Select the status of the alert rule: Active or Inactive (no alert will be triggered for this rule).

Risk level

Select the risk level of the alert rule: Critical, High, Medium, or Low.

The default risk level for new rules is Medium.

The risk level of newly generated alerts is the risk level of the rule that triggered the alert (that is, this parameter).

Alert frequency

Select one of the following options to control how frequently the alert will be triggered:

  • Each time: (default) Allow alerts to be generated each time the defined criteria are met. For example, you might select this option to generate an alert each time that an unauthorized user accesses a specific sensitive file (such as, regedit.exe) during a session. The user risk score can be significantly affected by using this option.

    When Each time is the selected alert frequency, the alerts mechanism intelligently avoids generating alerts for every mouse click or keystroke in the same window. This also applies if you change focus to another window and then revert back to the window for which an alert was already generated.

  • Once per session: Prevents alerts from being generated more than once per user session. For example, you might select this option if you do not want to be alerted every time the user browses an illegal Website, but only once during a session.