The basic components of an expert rule are the same as for non-expert rule: an operation that is being monitored, some combination of other conditions that must be met to match the rule, and an action to take when the rule is triggered. An expert rule definition requires at least one operation and at least one action.
When multiple operations are defined in a rule, the rule triggers if any of them is true, as long as the action defined in the rule is possible for that operation.
Expert Rule Definition |
---|
If all other rule criteria are met (source process, target file/path/process, user, policies) … |
… and if any of the Operations defined in the rule are attempted … |
… then take the Actions defined in the rule (if available for the operation). |