Actions

Event Rule actions allow an analyst to apply reactive actions to any Event that matches the criteria of the Rule's Reflex Query.

Supported Actions

There are a number of actions that Event Rules can conduct when matched to Events. Multiple actions can be applied simultaneously (e.g. an event can be tagged and moved into a case at the same time).

Event Actions

  • Dismiss Event: select a dismiss reason and enter a dismiss comment to automatically dismiss Events that match this Rule
  • Add Tags: apply additional tags to Events that match this rule
  • Update Severity: change the severity of the Event that matches the Rule

Case Actions

  • Create New Case: creates a new Case for every Event that matches the Rule
  • Case Template: select a Case Template to apply when the new Case is created
  • Merge into Case: merges Events that match the Rule into a Case

Examples

Event Rules are extremely useful for additional automation in your Reflex environment and have countless use cases. Below are a few examples:

  • Dismiss all successful remote logins where the username is that of a known admin.
  • Dismiss benign or known good values for particular Detections.
  • Merge all Events generated by a particular Detection into a Case for client review.
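A small model of how the actions above combine on matching Events, added here as example code (not Reflex's own implementation): it runs the first and third example rules from the list against constructed sample Events. The event fields, the `Rule` attributes, the `KNOWN_ADMINS` list and the Case ids are all assumptions made for the illustration; the `query` callable stands in for the Rule's Reflex Query.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass
class Rule:
    query: Callable[[dict], bool]               # stand-in for the Rule's Reflex Query
    dismiss: Optional[Tuple[str, str]] = None   # (dismiss reason, dismiss comment)
    add_tags: Set[str] = field(default_factory=set)
    update_severity: Optional[int] = None
    create_case: Optional[str] = None           # Case Template for each new Case
    merge_into_case: Optional[str] = None       # id of the Case to merge into

def apply_rule(rule: Rule, events: List[dict], cases: Dict[str, dict]) -> List[dict]:
    """Apply every configured action of the rule to each matching event, all at once."""
    matched = []
    for ev in events:
        if not rule.query(ev):
            continue
        if rule.dismiss:
            ev["dismissed"] = True
            ev["dismiss_reason"], ev["dismiss_comment"] = rule.dismiss
        ev["tags"] = ev.get("tags", set()) | rule.add_tags
        if rule.update_severity is not None:
            ev["severity"] = rule.update_severity
        if rule.create_case:                     # one new Case per matching Event
            ev["case_id"] = f"case-{len(cases) + 1}"
            cases[ev["case_id"]] = {"template": rule.create_case, "events": [ev["title"]]}
        elif rule.merge_into_case:               # all matching Events into one Case
            case = cases.setdefault(rule.merge_into_case, {"template": None, "events": []})
            case["events"].append(ev["title"])
            ev["case_id"] = rule.merge_into_case
        matched.append(ev)
    return matched

KNOWN_ADMINS = {"jdoe", "asmith"}  # constructed sample data, not a real allowlist

def run_example():
    events = [{"title": "Successful remote login", "username": "jdoe", "severity": 3},
              {"title": "Successful remote login", "username": "guest", "severity": 3},
              {"title": "Suspicious PowerShell", "username": "guest", "severity": 4}]
    cases: Dict[str, dict] = {}
    admin_login = Rule(query=lambda e: e["title"] == "Successful remote login"
                       and e["username"] in KNOWN_ADMINS,
                       dismiss=("Known activity", "Admin remote login matched Event Rule"),
                       add_tags={"known-admin"})
    client_review = Rule(query=lambda e: e["title"] == "Suspicious PowerShell",
                         merge_into_case="case-client-review")
    apply_rule(admin_login, events, cases)
    apply_rule(client_review, events, cases)
    return events, cases
```

The dismiss reason and comment are kept on the Event so a reviewer can later see why a Rule auto-dismissed it.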