To access this dialog, while investigating a service in the Investigate > Events view, add a query on the query search bar > three_dots.png > Create Future Alert from the toolbar.

IMPORTANT: The Create Alert option will be enabled for users only if the Decoder services are managed by Policy-based Centralized Content Management and the user has the investigate-server.alert.manage permission enabled.

Note: An administrator must enable investigate-server.alert.manage permission and source-server.centralpolicy.manage permission on the source server and rules.manage permission on the core devices to allow analysts to create the application rules.
For more information, see the "Role Permissions" topic in the System Security and User Management Guide.

What do you want to do?

User Role I want to ... Show me how

Administrator/ Analyst

Create Application Rule

Create a Future Alert from Events View

Related Topics

Quick Look - Create Future Alert Dialog

This is an example of the Create Future Alert Dialog.


The following table describes the fields in the Create Future Alert view.

Feature Description
Alert Name Specify a descriptive Name to identify the alert or leave the default name automatically populated using Query Based App Rule format.
Select Policy Displays a drop-down list of available policies for selection.
Select Severity

Displays the level of severity for the alert to be generated. The options are listed below:

  • Low

  • Medium

  • High

  • Critical

Note: By default, Low is selected as severity.


Displays the type of tactic associated with the alert.

For example: Credential Access.

The tactic Credential Access tries to steal account names and passwords.

MITRE ATT&CK Techniques

Displays the type of techniques and sub-techniques associated with the tactics.

Create Creates the Application rule and closes the dialog. A message confirms that the application rule was created successfully.
Cancel Closes the dialog without applying changes.