Administration GuideAction AlertsCustomizing Queries for Action Alerts › Create a Query to Retrieve Only Severe Events

Previous Topic: Identify the Simple Filter for Severe Events

Next Topic: Customize Queries to Retrieve Only Severe Events

Create a Query to Retrieve Only Severe Events

You can create a query from scratch if you do not find a predefined query that retrieves the types of events you want to be notified about. Consider the following types of severe even types:

Category

Class

Action

Result

Security Level

Host Security

Antivirus Activity

Virus Quarantine

Failure

6

Host Security

IDS/IPS Activity

Signature Violation

Success

6

Network Security

Signature Violation Activity

Signature Violation

Success

6

Example: Create a query to retrieve only virus quarantine failures

Assume, for example, that you want to be notified of any virus quarantine failure. Perhaps the keyword quarantine does not appear in the query list. If such were the case, you can create the query you need and then schedule an alert that runs the query.

To create a query to retrieve virus quarantine failures

  1. Click Queries and Reports.
  2. Under Query List Options, select New.

    Query Design wizard appears with the Details step displayed.

  3. Enter a name.

    For example, enter Alert: Virus Quarantine Failure

  4. Enter a custom tag.

    For example, enter Virus Quarantine

  5. Click the Query Columns step and add the desired columns.
  6. Click the Query Filters step.
  7. Enter a simple filter based on the CEG entry for the event.

    For example, select Host Security for category, Antivirus Activity for Class, Virus Quarantine for action, and F for result.

    Enter Host Security, Antifvirus Activity, Virus Quarantine, F.

  8. Select the Result Conditions step and select Last 5 minutes from the Predefined Ranges drop-down, to ensure timely alerting.
  9. Click Save and Close.