Working with rules

Create rules to enable auto-labeling and get notified of events of concern.

Create a new rule

Rules can only be applied to a single monitor. An event that has already been reported will not be labeled by a newly created rule.

  1. Select Rules from the Integrity Monitor menu.
  2. On the Rules page, click Create Rule.
  3. In the Summary section, enter a Rule Name and Rule Description.
  4. In the Rule Criteria sections, select a filter field and operator from the drop-down lists and enter the criteria. Click the icon to add criteria.
  5. Click Apply.
  6. In the Labels section, select the Monitor to which you want to apply this rule and the Label you want to apply. Enter any optional Label Note.
  7. Click Save.

Once an event occurs that should be labeled, it may take an hour or more before it is labeled by a rule.

You can also import multiple rules from a CSV file.

  1. On the Rules page, click Import Rules.
  2. In the Import Rules window, click Choose File.
  3. Select the CSV file and click Open.
  4. Click Import. The imported rules will appear on the Rules page.

Example Tanium CSV file used to import rules

name,description,note,monitor_id,label_id,field,operator,value
app1 generated events,events generated by app1,CR12345,1,5,,,
,,,,,process,eq,C:/Program Files/app1/app1.exe
,,,,,file,contains,C:/Program Files/app1
rule 2 name,rule 2 description,rule 2 note,1,5,,,
,,,,,event_timestamp,gt,2018-06-01T06:00:00.000Z
,,,,,event_timestamp,lt,2018-07-01T06:00:00.000Z
,,,,,file,contains,C:/Program Files

A line with a value in the name column defines a rule. The lines that follow it leave the name, description, note, monitor_id, and label_id fields blank, and each one defines a single filter for that rule. Filter processing for a rule is complete when the next rule line is detected.

This CSV example contains two rules. Rule 1 defines two filters that are connected with the AND operator, and rule 2 defines three filters that are connected with the AND operator.
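As an added example (not Tanium's code or part of this page), the following Python script checks a rules CSV in the layout shown above before it is handed to Import Rules: it groups each rule line with the filter lines that follow it, and rejects files where a filter appears before any rule, a rule has no monitor_id or label_id, or a rule ends up with no filters. The header columns, the AND semantics of the filter lines, and the operators eq, contains, gt and lt come from this page; treating that operator set as complete and requiring integer monitor_id and label_id values are assumptions, and the embedded CSV is a constructed copy of the page's example.

```python
import csv
import io
from typing import Dict, List

# Constructed sample: same layout as the page's example (header row, a rule
# line carrying the rule columns, then filter lines with those columns blank).
SAMPLE_CSV = """name,description,note,monitor_id,label_id,field,operator,value
app1 generated events,events generated by app1,CR12345,1,5,,,
,,,,,process,eq,C:/Program Files/app1/app1.exe
,,,,,file,contains,C:/Program Files/app1
rule 2 name,rule 2 description,rule 2 note,1,5,,,
,,,,,event_timestamp,gt,2018-06-01T06:00:00.000Z
,,,,,event_timestamp,lt,2018-07-01T06:00:00.000Z
,,,,,file,contains,C:/Program Files
"""

EXPECTED_HEADER = ["name", "description", "note", "monitor_id",
                   "label_id", "field", "operator", "value"]

# Operators seen in the page's example. Assumption: treated here as the full
# set so that a typo in an operator is caught before import.
KNOWN_OPERATORS = {"eq", "contains", "gt", "lt"}


def parse_rules_csv(text: str) -> List[Dict]:
    """Group a rules CSV into rule dicts, each carrying its filter list.

    A row with a non-empty name starts a new rule. Rows with a blank name
    are filters belonging to the most recent rule; the product ANDs them.
    Raises ValueError with the offending line number on malformed input.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if header != EXPECTED_HEADER:
        raise ValueError(f"unexpected header: {header}")

    rules: List[Dict] = []
    for lineno, row in enumerate(reader, start=2):
        if not any(row):
            continue  # tolerate empty lines
        if len(row) != len(EXPECTED_HEADER):
            raise ValueError(f"line {lineno}: expected "
                             f"{len(EXPECTED_HEADER)} columns, got {len(row)}")
        name, description, note, monitor_id, label_id, field, operator, value = row

        if name:
            # Rule line: a rule applies to exactly one monitor and one label,
            # and carries no filter columns of its own.
            if not monitor_id or not label_id:
                raise ValueError(f"line {lineno}: rule '{name}' needs "
                                 "monitor_id and label_id")
            if field or operator or value:
                raise ValueError(f"line {lineno}: rule line must not "
                                 "carry filter columns")
            rules.append({
                "name": name, "description": description, "note": note,
                "monitor_id": int(monitor_id),  # assumption: numeric ids
                "label_id": int(label_id),
                "filters": [],
            })
        else:
            # Filter line: must follow a rule line and be fully specified.
            if not rules:
                raise ValueError(f"line {lineno}: filter before any rule line")
            if not (field and operator and value):
                raise ValueError(f"line {lineno}: filter needs field, "
                                 "operator and value")
            if operator not in KNOWN_OPERATORS:
                raise ValueError(f"line {lineno}: unrecognised operator "
                                 f"'{operator}'")
            rules[-1]["filters"].append(
                {"field": field, "operator": operator, "value": value})

    for rule in rules:
        if not rule["filters"]:
            raise ValueError(f"rule '{rule['name']}' has no filters")
    return rules


if __name__ == "__main__":
    for rule in parse_rules_csv(SAMPLE_CSV):
        print(f"{rule['name']}: monitor {rule['monitor_id']}, "
              f"label {rule['label_id']}, {len(rule['filters'])} filter(s)")
```

Running the script against a file before import reports which line is wrong rather than leaving you to work out why a rule imported with missing filters; point it at your own file by replacing SAMPLE_CSV with the file's contents.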

Deactivate a rule

If you no longer want a rule to run, you can deactivate it. On the Rules page, select the rule you want to deactivate and click Deactivate; confirm deactivation. Deactivating a rule does not delete any existing labels that rule applied.

If you wish to reactivate the rule, you must clone it and save it.

Clone a rule

You cannot directly edit a rule due to auditing restrictions; however, you can accomplish a similar result by cloning an existing rule, editing the clone, and then deactivating the original.

  1. On the Rules page, select the rule you want to clone and click Clone.
  2. On the Create Rule page, the fields are pre-populated with information from the rule you cloned, with the Rule Name followed by cloned [date and time].
  3. Make any necessary edits to the rule and click Save.

Delete a rule

To delete a rule, on the Rules page, select the rule and click Delete; confirm deletion.

If you delete a rule, you also delete all labeled events associated with that rule.

Last updated: 10/23/2018 2:42 PM