Rules in Dexda apply filter logic and execute configured actions for matched records. Using rules you can automate workflows across alerts and machine learning-created insights, and build manual exception handling to identify and escalate issues.
This article describes the concept of rules in Dexda, and their relation to actions and action groups. For information on how to work with rules, see Creating Rules.
Rules trigger the execution of an associated Action Group. This happens either interactively from the user interface, or automatically through processing of ingested events, ML and integration records. For example, events that come into Dexda automatically trigger a rule to process events into deduplicated alerts. There are also interactive rules that expose actions in the user interface to, for example, create incidents and close alerts. A rule is always associated with an Action Group. For more information, see About Actions and Action Groups.
A Rule has:
- A record type inherited from the associated Action Group.
- A rule type (automatic or interactive).
- A mandatory filter.
- An Action Group to run.
An Action Group has:
- A record type, for example an event.
- A sequence of actions.
To create a process workflow, you start by creating an Action Group and defining the included steps and actions to achieve the desired goal. For more information, see Creating Action Groups. Then you create the rule by selecting the Action Group and adding filters that define when the rule should be applied to run the associated actions.
Types of Rules
Dexda includes the rule types described in the following.
For automatic rules, the associated action groups are conditionally triggered when processing the following record types:
- event—event records ingested through Dexda integrations.
- ml—machine learning observations from the processing of alerts, for example a correlation.
- sncIncident—incident records received from the Dexda ServiceNow integration (LMDX).
- sncCmdb—cmdb records received from the Dexda ServiceNow integration (LMDX).
Automatic rules trigger actions that do not require any user interaction, for example automatically creating a new alert when a new event is received, or updating an existing open alert record when a duplicate event is received.
Automatic rules run their associated Action Group in response to processing matched records. Automatic rules and their associated Action Groups can be configured to automate event management end-to-end.
For interactive rules, the associated action groups are triggered manually, subject to the rule's filter, for the following record types:
Interactive rules expose actions in a dashboard when filter criteria are met. For example, exposing an Action to a user to “Assign to me”, when the state of the selected alert is “New”.
You will only see an action (Action Group) in the dashboard when the rule’s condition is met. You can enable different Action Groups to be conditionally displayed in the dashboard based on data, for example to show a “Close Alert” option only if the alert is not already in a closed state.
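The automatic deduplication flow and the state-dependent interactive actions described above, as an added toy model of the rule/Action Group relationship (this is not Dexda's code or filter syntax; the Store class, the dedup_key field and the rule set are assumptions made for the illustration):

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Record = Dict[str, object]

@dataclass
class Store:
    """Constructed in-memory alert store standing in for Dexda's record storage."""
    alerts: Dict[str, Record] = field(default_factory=dict)

@dataclass
class ActionGroup:
    record_type: str                                 # e.g. "event" or "alert"
    actions: List[Callable[[Record, Store], None]]   # run in sequence on a match

@dataclass
class Rule:
    rule_type: str                                   # "automatic" or "interactive"
    action_group: ActionGroup
    filter_fn: Callable[[Record, Store], bool]       # the mandatory filter
    label: str = ""                                  # dashboard label (interactive)

    def matches(self, record: Record, store: Store) -> bool:
        # Record type is inherited from the Action Group; the filter decides the rest.
        return record.get("type") == self.action_group.record_type and self.filter_fn(record, store)

def create_alert(event: Record, store: Store) -> None:
    store.alerts[event["dedup_key"]] = {"type": "alert", "state": "New", "count": 1}

def update_alert(event: Record, store: Store) -> None:
    store.alerts[event["dedup_key"]]["count"] += 1

def open_alert_exists(event: Record, store: Store) -> bool:
    alert = store.alerts.get(event["dedup_key"])
    return alert is not None and alert["state"] != "Closed"

RULES = [  # hypothetical rule set; dedup_key is a constructed field name
    Rule("automatic", ActionGroup("event", [create_alert]), lambda e, s: not open_alert_exists(e, s)),
    Rule("automatic", ActionGroup("event", [update_alert]), open_alert_exists),
    Rule("interactive", ActionGroup("alert", []), lambda a, s: a["state"] == "New", "Assign to me"),
    Rule("interactive", ActionGroup("alert", []), lambda a, s: a["state"] != "Closed", "Close Alert"),
]

def process_record(record: Record, store: Store) -> None:
    """Automatic path: evaluate all filters against the record as received, then run the Action Groups."""
    matched = [r for r in RULES if r.rule_type == "automatic" and r.matches(record, store)]
    for rule in matched:
        for action in rule.action_group.actions:
            action(record, store)

def dashboard_actions(record: Record, store: Store) -> List[str]:
    """Interactive path: labels of the Action Groups whose rule filter the record meets."""
    return [r.label for r in RULES if r.rule_type == "interactive" and r.matches(record, store)]
```

Filters are evaluated before any action runs, so the "create" rule's action cannot make the "update" rule match the same event.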
Grouping and Domain Separation
Dexda supports multi-tenant processing and domain separation. This allows the logical separation of an instance into separate domains, so that a single instance can support multiple organizations. Grouping of aggregation rules is always done in the context of a tenant, regardless of which fields are used for aggregation. You can also create an aggregation key to group incoming alerts by a selection of any field that is available for an alert. For more information, see Grouping by Tenant and Domain Separation.