5.4 Associating Actions to a Rule

You can associate one or more actions with a rule. The associated actions are executed when the rule fires.

  1. Log in to the Sentinel Main or SSDM Main interface.

  2. In the navigation panel, click Correlation.

  3. In the Correlation panel, click any rule to which you want to associate actions, then click .

    The Correlation Rule Builder is displayed.

  4. In the Actions panel, click to associate one or more actions to the rule.

    The list of actions is displayed.

  5. Select the actions that you want to associate with the rule, then click OK.

  6. Click to define when the action should execute.

  7. Select one of the following:

    • Perform actions every time the rule fires: Sentinel creates a correlated event and executes the associated action each time the rule fires.

    • Perform actions at most every: Sentinel creates a correlated event and executes the action at most once per specified time interval. By default, this option is selected and the time interval is set to 1 hour. This ensures that the rule does not fire continually and overutilize resources. You can also define the maximum number of trigger events to be associated with the correlated event. For more information, see Configuring the Number of Trigger Events to be Associated with a Correlated Event in the Sentinel Administration Guide.

  8. Click OK.

  9. Click Save Rule.

NOTE: If you modified a deployed rule, you must redeploy the rule in the Correlation Engine for the changes to take effect. For information on deploying a rule, see Deploying Rules in the Correlation Engine.