Working with the Manage Alert Sidebar

The Manage Alert sidebar allows you to create a rule that is matched against all subsequent events detected by NSX Network Detection and Response. When an event matches a rule, the rule action is applied.

Accessing the sidebar

You can access the Manage Alert sidebar in one of the following ways.

From any tab on the Host profile page, click the Host actions button then select Manage alert from the pull-down menu. The sidebar panel is then prepopulated with relevant filters. You can edit these entries.
Click the Threats tab on the Host profile page. On a threat card, click Next steps and select Manage alert from the pull-down menu.
From the Incident details view, select a specific incident and click Manage Alert.
From the Alert Management page, click in the Custom Rules widget,

The Manage alert sidebar consists of three separate panels: FILTERS, ACTIONS, and REVIEW RULE. Each panel is displayed depending on which step of the Create Rule or Edit rule you are currently in.

You can close the Manage alert sidebar by clicking X in the upper-right corner. If you made changes, you must confirm the closing of the sidebar.

To create or edit a rule, you must perform three steps in the Manage Alert sidebar.

Step 1: Create or Edit Filters

The Filters tab has two edit modes that you can use when working with filters: Basic (the default) and Advanced. You can create or edit filters in either mode.

To toggle the Create/Edit mode to Advanced mode, click the Advanced tab at the top of the sidebar.
To toggle back to the Basic mode, click the Basic tab (but see the Important note).

To create a filter in Basic mode, perform the following steps.

Click Add a new filter+.
Select a filter from the filter entries drop-down menu.
The filters are grouped into four categories: Source, URL, Detection, and File. See the Attributes entries section in Alert Rule Syntax for more details about these categories.
Depending on the rule type selected, set its value. This may involve clicking a toggle, entering a value, selecting an item from a pull-down menu, or others.
To edit the filters, scroll through the list, select a filter, and modify the appropriate values. Delete an unwanted filter by clicking. You can also select more filters.

To create filters in Advanced mode, fill in the Matching expression text box, and add or edit a filter using the alert rules syntax. For example,

(network_event.relevant_host_ip: 10.154.115.91 OR network_event.relevant_host_ip: 10.1.1.1-10.255.255.255) AND NOT 
(network_event.server_port: 53 OR network_event.server_port: 65535) OR (network_event.other_host_hostname: block.lastline.com) AND 
(network_event.threat: Lastline blocking test)

Important: Normally you can toggle between the two sidebar edit modes, however if the matching expression filter you created or edited is not supported by the Basic mode, the Basic link is disabled and the FILTERS tab defaults to the Advanced editor.

Step 2: Define the action

After you define or edit a filter, to define the rule actions, click Define Actions in the bottom-right corner. The Actions panel has two edit modes: Basic actions (the default) and Advanced actions:

Click the Advanced actions tab at the top of the sidebar to toggle the create/edit mode to Advanced mode.
Click the Basic actions link to toggle back to the Basic mode.

There are two toggles on the Actions panel in Basic actions mode: Manage alert and Custom impact (1-100).

Suppress action

Click the Manage alert toggle.
Select Demote to INFO event (the default) or Delete from the drop-down menu.
The Demote action converts subsequent network events that match the rule into INFO events. Note that you must select INFO with the Event outcome filter.
The Delete action deletes the matching events from the User Portal.

Warning: Any event that is deleted can no longer be accessed.

Custom impact

Click the Custom impact (1-100) toggle.
Click the radio buttons to select Defined range or Single value. If you selected Defined range, enter minimum and maximum values in the respective textboxes. If you selected Single value, enter the value in the textbox.

You can also define the actions using the Advanced actions panel.

Click the Advanced actions tab.
In the textbox, add or edit an action using the alert rules syntax.
For example:
```
demote:outcome=TEST
```
or
```
impact:min_impact=12,impact:max_impact=22
```

After you have selected the action, click Review Rule to go to the next step.

To correct the selected filters, click Filters to go back to the previous Filters panel.

Step 3: Review Rule

The Review Rule panel allows you to verify your alert rule.

In the Rule name text box, enter a name.
If you are editing an existing rule, you cannot change the name.
(Optional) Use the drop-down menu to select a license.
This drop-down menu is disabled if you launched the Manage Alert sidebar from the Alert Management page or if you are editing an existing rule.
In the Rule summary section, verify the selected filters that are listed.
If the Filters tab was left in Basic mode, the summary consists of a list of the selected filters. Each filter is displayed with its name and values. For example:
```
Rule summary
SERVER IP
12.6.6.6/32
RELEVANT HOST SILENCED
1
THREAT(S)
Torn rat
THREAT CLASS
Malicious file execution
```
If the Filters tab was left in Advanced mode, the summary displays the matching expression. For example:
```
Rule summary
(network_event.server_ip: 12.6.6.6/32) AND
(network_event.relevant_host_whitelisted: 1)
AND (network_event.threat: Torn RAT) AND
(network_event.threat_class: Malicious File
Execution)
```
If the Actions tab was left in Basic actions mode, the summary displays the action. For example:
```
SUPPRESSION ALERT
Demote to INFO event
```
If the Actions tab was left in Advanced actions mode, the summary displays the action. For example:
```
ACTION
impact:min_impact=12,impact:max_impact=22
```
(Optional) To correct the selected rule types, click Edit rule to go back to the previous page.
When you are done, click Create Rule to complete the rule or click Update Rule if you are editing an existing rule.