The Rule wizard helps you to quickly create the different types of rules.
To use the Rule Wizard to create rules:
Click Wizard > Rule Wizard to start the Rule wizard.
In the select Rule Type window, select the appropriate rule type, and then click Next. For more information about rule type see, Understanding Rules.
In the Rule Description window, provide a name for the rule, and then click Next.
In the Rule Name window, provide a descriptive name for the rule, and then click Next.
If you are using the Log_file_shrunk or modified_file rule, select either Names or Paths, and then click Next. Selecting Name causes the event detection and alerting process to monitor all files with a certain name. Selecting Paths causes the event detection and alerting process to monitor a specific file.
In the Name of File window, specify the name of the object you want to monitor and click Next. The name depends on the selected rule type, which might be a process executable, a command, a file name, or a fully-qualified path. For example, if you selected Paths while creating a modified_file rule, specify the full path, including the file name you want to monitor.
Provide the appropriate information for the action you want the rule to trigger in response to an event, and then click Next. All fields are optional. You do not need to select an action to create a rule. For more information about rules and actions see, Understanding Rules
Review the information provided about the rule group associated with your rule, and then click Next.
Specify the required information in the Rule wizard. The Rule wizard displays only the windows relevant to the event source you associated with the new rule. If the new rule is in a rule group that uses configurable event sources, the remaining windows offer you the ability to modify the configurable parameters. Read the provided descriptions and, if necessary, modify the parameters. If you are unsure about the correct values, retain the current values.
Click Finish.