To access this dialog, while investigating a service in the Investigate > Events view, add a query on the query search bar > 
IMPORTANT: The Create Alert option will be enabled for users only if the Decoder services are managed by Policy-based Centralized Content Management and the user has the investigate-server.alert.manage permission enabled.
Note: An administrator must enable investigate-server.alert.manage permission and source-server.centralpolicy.manage permission on the source server and rules.manage permission on the core devices to allow analysts to create the application rules.
For more information, see the "Role Permissions" topic in the System Security and User Management Guide.
What do you want to do?
| User Role | I want to ... | Show me how |
|---|---|---|
|
Administrator/ Analyst |
Create Application Rule |
Related Topics
- Use Query Profiles to Encapsulate Common Areas for Investigation
- Create a Future Alert from Events View
Quick Look - Create Future Alert Dialog
This is an example of the Create Future Alert Dialog.
The following table describes the fields in the Create Future Alert view.
| Feature | Description |
|---|---|
| Alert Name | Specify a descriptive Name to identify the alert or leave the default name automatically populated using Query Based App Rule format. |
| Select Policy | Displays a drop-down list of available policies for selection. |
| Select Severity |
Displays the level of severity for the alert to be generated. The options are listed below:
Note: By default, Low is selected as severity. |
| MITRE ATT&CK Tactics |
Displays the type of tactic associated with the alert. For example: Credential Access. The tactic Credential Access tries to steal account names and passwords. |
| MITRE ATT&CK Techniques |
Displays the type of techniques and sub-techniques associated with the tactics. |
| Create | Creates the Application rule and closes the dialog. A message confirms that the application rule was created successfully. |
| Cancel | Closes the dialog without applying changes. |
