IBM InfoSphere Identity Insight, Version 8.0

Guidelines for configuring event rule results

Event rules define how to process events and which situations generate event alerts. Event rules (called Situation Types in the Eclipse-based CEP Rule Author tool) are stored in the cep.xml event rules file that Event Manager and the CEP engine use to process incoming event data. The complex event rules that you define are unique to your organization.

Before you begin defining event rules, keep the following considerations in mind so that each rule works with Event Manager:

Required situation attributes for each event business rule

To return event data from the complex event processor to the entity database, you must manually add the required situation attributes to each event business rule that you create. These attributes are not part of the starting cep.xml event rules file, so importing that starting file does not automatically create event business rules (situations) or add these attributes to any new or existing rules.

These situation attributes map event data directly to the Event Manager GEM_EVENT table (and match the UMF from each incoming event record). Without these required attributes, none of the data processed by the CEP engine is returned to Event Manager through the pipeline.

Table 1. Required situation attributes for complex event business rules

| Attribute name | Attribute type | Attribute expression | Attribute description |
| --- | --- | --- | --- |
| EVENT_SIT_STATUS | string | "PENDING" | Indicates the event alert status for the event alert. In the Visualizer, the event alert status is displayed as part of the Alert Summary. All newly generated alerts typically receive the pending status, indicating that a Visualizer user needs to analyze and disposition that alert. Keep in mind that an event alert status can be anything that makes sense for your organization and is configured as an event status in the Configuration Console. If you do not want the event to display in the Visualizer, use the "CLOSED" event alert status. |
| REASON_DESC | string | "Description_of_event_rule_or_alert" | Describes the event rule that triggered the event alert. Make this description as meaningful as possible for your analysts. For example, if the event rule generates an alert when an entity transacts over $1500 in a 24-hour period, you might enter "SumOver1500" as the REASON_DESC. |
| ALERT_GROUP | string | "Visualizer_user_group" | Indicates which Visualizer user group to assign event alerts generated from this event rule. Typically, this value is "DEFAULT", but you can enter any Visualizer user group configured in the Configuration Console. |

Displaying the detail of event alerts

Typically, event alerts are triggered from more than one complex event. You can display event alerts in the Visualizer or a client application, but by default, the details of the events that made up that alert are not included.

If you want to include the details of the events that make up the event alert, you must include the following situation attribute:

Table 2. Settings needed to create the EVENTS situation attribute in an event rule

| Name | Type | Expression | Dimension (Show Advanced button) |
| --- | --- | --- | --- |
| EVENTS | integer | Event.EventID | [] (to indicate that the EventID is an array) |

You must edit the Situation Attribute and click the Show Advanced button to see and define the setting for this column.

Best practices

If you display your event alerts in the Visualizer, keep the REASON_DESC situation attribute a simple string of text, rather than adding values from the event to the message. The Visualizer groups common alerts into one alert summary that includes a count of the number of alerts included in the summary. Analysts click on an alert summary to disposition all the alerts contained in that summary.

If you define values from the event in the REASON_DESC, each event alert displays as a separate alert summary with a count of 1, which means that your analysts see every event alert in both the alert summary and the alert detail areas of the Alert Summary window.
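
The requirements above can be checked before a rule is deployed. The following Python lint is an added example, not IBM code: the dict layout of a rule, the `lint_rule` and `attr` helpers, and the `Event.Amount` concatenation in the bad sample are assumptions made for illustration and do not reflect the cep.xml schema.

```python
import re

# Required attributes from Table 1 (all of type string).
REQUIRED = ("EVENT_SIT_STATUS", "REASON_DESC", "ALERT_GROUP")
# One double-quoted literal with nothing appended to it.
LITERAL = re.compile(r'^"[^"]+"$')


def lint_rule(rule):
    """Return findings for one rule given in the hypothetical dict layout."""
    findings = []
    attrs = {a["name"]: a for a in rule["attributes"]}
    for name in REQUIRED:
        if name not in attrs:
            findings.append(f"{name}: missing, CEP data is not returned to Event Manager")
        elif attrs[name]["type"] != "string":
            findings.append(f"{name}: type must be string")
    reason = attrs.get("REASON_DESC")
    if reason and not LITERAL.match(reason["expression"]):
        findings.append("REASON_DESC: not a simple string, alerts will not group")
    events = attrs.get("EVENTS")  # optional: only needed to show event details
    if events and (events["type"], events["expression"], events.get("dimension")) != (
        "integer", "Event.EventID", "[]"
    ):
        findings.append("EVENTS: expected integer, Event.EventID, dimension []")
    return findings


def attr(name, type_, expression, dimension=None):
    return {"name": name, "type": type_, "expression": expression, "dimension": dimension}


# Constructed sample rules; the concatenation syntax in BAD is illustrative only.
GOOD = {"name": "SumOver1500", "attributes": [
    attr("EVENT_SIT_STATUS", "string", '"PENDING"'),
    attr("REASON_DESC", "string", '"SumOver1500"'),
    attr("ALERT_GROUP", "string", '"DEFAULT"'),
    attr("EVENTS", "integer", "Event.EventID", "[]"),
]}
BAD = {"name": "SumOver1500Draft", "attributes": [
    attr("EVENT_SIT_STATUS", "string", '"PENDING"'),
    attr("REASON_DESC", "string", '"Sum " + Event.Amount'),
    attr("EVENTS", "integer", "Event.EventID"),
]}

if __name__ == "__main__":
    for rule in (GOOD, BAD):
        print(rule["name"], lint_rule(rule) or "OK")
```

The EVENTS attribute is treated as optional and is only checked when present, because the page requires it only when alert details should be displayed.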



Last updated: 2011