Using Rules to Populate an Active List

Purpose: To demonstrate how to populate active lists with the rule action. The example uses a rule that captures VPN login events and adds data to a list.

See Rule Actions Reference for more information on the Active List rule action.

The high level process involves:

  1. Creating the active list that forms the table to store and display the data. The active list shows the number of logins by user name.

  2. Creating the rule to capture VPN login events and send matching events to the list. The rules populate and update the list.

Example Active List

Purpose: To provide the table that stores login events captured by the rule.

Create the active list:

  1. Create a fields-based active list named VPN Events.
  2. Add fields named User Name and Category, both of type String.
  3. Set User Name as the Key field.

Example Rule to Populate the Active List

Purpose: To create a rule that captures VPN login events and populates the VPN Events active list. Values found in the Event Name and Category Device Group fields are used as indicators of such events. A matching event triggers the rule and populates the list as follows:

Populate this field in the Active List    With the value from this field in incoming events
User Name                                 Target User Name
Category                                  Category Device Group

Create the rule:

  1. Create a standard rule, also named VPN Events.

  2. Make your list case insensitive.

Set rule conditions:

Set Conditions to capture events when the Event Name contains Login and Category Device Group contains VPN. To capture event names from various sources that might be formatted differently (for example, in all upper case, all lower case, or initial capitalization), uncheck the Case-Sensitive option next to the Event Name field. The resulting condition appears in the Conditions Summary tab.

Tip: More fine-grained conditions logic (as used in this example) requires more processing and can have a performance impact. For example, using “<SomeField> Contains <SomeString>” for a field lookup requires more processing than writing a field lookup like “<SomeField> = <SomeString>”.

Set rule aggregation:

  1. On the Aggregation tab, select the fields for aggregation only if they are identical.

  2. In the Add Field dialog, set Aggregation for event1 on Category Device Group and Device Custom String.

Set rule actions:

  1. Activate the rule Actions trigger On Every Event. De-activate the other triggers.

  2. Select Add to Active List.

  3. Add values for User Name and Category to the active list. Map the fields as follows:

    • User Name: Device Custom String1
    • Category: Category Device Group

  4. Click OK to save the rule.
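An added example, not part of this guide, that models the rule logic above in Python so the effect of the key field, the case-insensitive list, and the case-insensitive Event Name match can be checked offline. The Event and ActiveList classes and the rule functions are hypothetical stand-ins for ESM behaviour, and the events are constructed; the User Name mapping follows the Target User Name column of the table above.

```python
from dataclasses import dataclass, field

# Constructed stand-in for an ESM event; only the fields the rule touches.
@dataclass
class Event:
    name: str                   # Event Name
    category_device_group: str  # Category Device Group
    target_user_name: str       # Target User Name

@dataclass
class ActiveList:
    """Hypothetical model of a fields-based active list keyed on User Name."""
    key_field: str = "User Name"
    case_insensitive: bool = True          # step 2: make the list case insensitive
    entries: dict = field(default_factory=dict)  # key -> {field: value, "count": n}

    def add(self, values):
        key = values[self.key_field]
        if self.case_insensitive:
            key = key.lower()
        # An existing key updates the entry (count) instead of adding a second row.
        entry = self.entries.setdefault(key, {**values, "count": 0})
        entry["count"] += 1
        return entry

def vpn_login_condition(ev):
    """Event Name contains 'Login' (Case-Sensitive unchecked) AND
    Category Device Group contains 'VPN' (still case-sensitive)."""
    return "login" in ev.name.lower() and "VPN" in ev.category_device_group

def run_rule(events, active_list):
    """Trigger On Every Event: each matching event does Add to Active List."""
    for ev in events:
        if vpn_login_condition(ev):
            active_list.add({"User Name": ev.target_user_name,
                             "Category": ev.category_device_group})
    return active_list

SAMPLE_EVENTS = [  # constructed sample events
    Event("VPN Login", "/VPN", "alice"),
    Event("vpn login", "/VPN", "alice"),       # different case, same user
    Event("VPN LOGIN", "/VPN", "ALICE"),       # same user, different case
    Event("Login", "/VPN/Remote", "bob"),
    Event("VPN Login", "/Firewall", "carol"),  # wrong device group: no match
    Event("Logout", "/VPN", "alice"),          # not a login: no match
]

if __name__ == "__main__":
    for key, entry in run_rule(SAMPLE_EVENTS, ActiveList()).entries.items():
        print(key, entry["count"], entry["Category"])
```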

Test the rule:

Drag and drop the rule into the Real-time Rules folder to deploy it. You are prompted to move, copy, or link the rule. Linking is often most efficient.

More details are in Deploying Real-time Rules.

When the VPN Events rule is triggered, user names are added to the VPN Events active list.

A logical next step in this example scenario would be to create another rule that checks if certain user names are showing up in the active list, and then takes some action (like sending an e-mail or adding those names to a “suspicious users” list, if appropriate).