Design Queries for Events to Send to the Event/Alert Output Process
After you set up CA IT PAM integration, you can take the first step toward scheduling alerts that generate event/alert output: compiling a list of queries on which the alerts are to be based. These are typically queries for events that suggest a policy violation. You can take a combination of several approaches:
- Analyze currently scheduled alerts to identify any that should run the event/alert output process. For example, if the event/alert output process notifies a help desk application, you identify alerts that should open a help desk ticket.
- Analyze your policies to identify those where a violation could be traced back to a logged event, then create a query for such an event.
- Examine the results of other predefined queries to identify data that a third-party product, such as a help desk product, could use to take remedial action.
- If your CA IT PAM event/alert output process creates tickets in a third-party help desk product, review typical types of help desk tickets for causes that could be captured as event logs.
To identify or design queries on which to base alerts that run the CA IT PAM event/alert output process:
- For each event type requiring a help desk ticket, identify, modify, or create one or more queries that capture data for such an event.
  - Identify each predefined query that collects events on such conditions.
  - If a predefined query requires customization, copy the query and then tailor the copy to your needs.
  - If no predefined query exists to collect a particular type of event that requires help desk notification, create the query or queries you need.
- For any query that is to search for an IT event where one of its fields can have any of several known values, use a predefined keyed list, customize a keyed list, or create a new keyed list. If the values for such a key exist in a CSV file, import it. For a list generated by an IT PAM process, configure that process as the Dynamic Values process, create the key, and then import the values from CA IT PAM.
- Determine whether to run the CA IT PAM event/alert output process per query that returns results or per result row.
- Test the query.
  - Create the condition that produces the event you want to capture.
  - Run the query or set of queries manually.
  - Evaluate whether the query results are sufficient for the help desk personnel to complete the needed follow-up.
  - If not, modify the query or set of queries to provide the required information and retest.
This preparation ensures that when you schedule an alert that runs each such query or set of queries, the resulting event/alert output will contain the data required for resolution.
More information:
Customizing Queries for Action Alerts