Event Rule actions allow an analyst to apply reactive actions to any Event that matches the criteria of the Rule's Reflex Query.
There are a number of actions that Event Rules can conduct when matched to Events. Multiple actions can be applied simultaneously (e.g. an event can be tagged and moved into a case at the same time).
- Dismiss Event: automatically dismisses Events that match the Rule; select a dismiss reason and enter a dismiss comment
- Add Tags: applies additional tags to Events that match the Rule
- Update Severity: changes the severity of Events that match the Rule
- Create New Case: creates a new Case for every Event that matches the Rule
  - Case Template: select a Case Template to apply when the new Case is created
- Merge into Case: merges Events that match the Rule into a Case
Event Rules are extremely useful for additional automation in your Reflex environment and have countless use cases. Below are a few examples:
- Dismiss all successful remote logins where the username is that of a known admin.
- Dismiss benign or known good values for particular Detections.
- Merge all Events generated by a particular Detection into a Case for client review.
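The following added example (not Reflex's own code) models the action list above and the first and third use cases: a `match` predicate stands in for the Reflex Query, whose syntax is not shown here, and the admin list, detection names and case id are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
@dataclass
class Event:
    detection: str                  # Detection that raised the Event
    fields: Dict[str, str]          # observables pulled from the source log
    severity: int = 2
    tags: List[str] = field(default_factory=list)
    status: str = "new"             # becomes "dismissed" on a Dismiss action
    dismiss_reason: str = ""
    dismiss_comment: str = ""
    case_id: Optional[int] = None   # set by a Merge into Case action
@dataclass
class Rule:
    match: Callable[[Event], bool]             # hypothetical stand-in for the Reflex Query
    dismiss: Optional[Tuple[str, str]] = None  # (reason, comment)
    add_tags: List[str] = field(default_factory=list)
    severity: Optional[int] = None
    merge_into_case: Optional[int] = None

KNOWN_ADMINS = {"jdoe", "ops-admin"}  # constructed sample data
RULES = [
    # Dismiss successful remote logins by known admins; keep a tag as an audit trail.
    Rule(lambda e: e.detection == "remote-login" and e.fields.get("outcome") == "success"
         and e.fields.get("user") in KNOWN_ADMINS,
         dismiss=("False Positive", "Known admin account"), add_tags=["known-admin"]),
    # Raise severity and merge every beaconing Event into one Case for client review.
    Rule(lambda e: e.detection == "beaconing", severity=3, merge_into_case=42),
]

def apply_rules(events: List[Event], rules: List[Rule]) -> List[Event]:
    # Every action configured on a matching Rule is applied; actions combine.
    for ev in events:
        for rule in (r for r in rules if r.match(ev)):
            if rule.dismiss:
                ev.status = "dismissed"
                ev.dismiss_reason, ev.dismiss_comment = rule.dismiss
            ev.tags.extend(t for t in rule.add_tags if t not in ev.tags)
            if rule.severity is not None:
                ev.severity = rule.severity
            if rule.merge_into_case is not None:
                ev.case_id = rule.merge_into_case
    return events

def run_sample() -> List[Event]:
    # Constructed Events: admin login, non-admin login, beacon from a workstation.
    return apply_rules([Event("remote-login", {"user": "jdoe", "outcome": "success"}),
                        Event("remote-login", {"user": "intern", "outcome": "success"}),
                        Event("beaconing", {"host": "ws-17"})], RULES)
```

Note that the admin rule checks the login outcome as well as the username, so a failed login by an admin account still reaches an analyst.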