Generic Events and Data sources (properties)

This feature only works if you have the XProtect event server installed.

Generic event (properties)

Component

Requirement

Name

Unique name for the generic event. The name must be unique among all types of events, such as user-defined events, analytics events, and so on.

Enabled

Generic events are by default enabled. Clear the check box to disable the event.

Expression

Expression that the system should look out for when analyzing data packages. You can use the following operators:

  • ( ): Used to ensure that related terms are processed together as a logical unit. They can be used to force a certain processing order in the analysis

Example: The search criteria (User001 OR Door053) AND Sunday first processes the two terms inside the parentheses, then combines the result with the last part of the string. So, the system first looks for any packages containing either of the terms User001 or Door053, then takes the results and runs through them to see which packages also contain the term Sunday.

  • AND: With an AND operator, you specify that the terms on both sides of the AND operator must be present

Example: The search criteria User001 AND Door053 AND Sunday returns a result only if the terms User001, Door053 and Sunday are all included in your expression. It is not enough for only one or two of the terms to be present. The more terms you combine with AND, the fewer results you retrieve.

  • OR: With an OR operator, you specify that either one or another term must be present

Example: The search criteria "User001" OR "Door053" OR "Sunday" returns any results containing either User001, Door053 or Sunday. The more terms you combine with OR, the more results you retrieve.

Expression type

Indicates how particular the system should be when analyzing received data packages. The options are the following:

  • Search: In order for the event to occur, the received data package must contain the text specified in the Expression field, but may also have more content

    Example: If you have specified that the received package should contain the terms User001 and Door053, the event is triggered if the received package contains the terms User001 and Door053 and Sunday, since your two required terms are contained in the received package.
  • Match: In order for the event to occur, the received data package must contain exactly the text specified in the Expression field, and nothing else
  • Regular expression: In order for the event to occur, the text specified in the Expression field must identify specific patterns in the received data packages

If you switch from Search or Match to Regular expression, the text in the Expression field is automatically translated to a regular expression.

Priority

The priority must be specified as a number between 0 (highest priority) and 999999 (lowest priority).

The same data package may be analyzed for different events. The ability to assign a priority to each event lets you manage which event should be triggered if a received package matches the criteria for several events.

When the system receives a TCP and/or UDP package, analysis of the package starts with the event that has the highest priority. This way, when a package matches the criteria for several events, only the event with the highest priority is triggered. If a package matches the criteria for several events with an identical priority, for example two events with a priority of 999, all events with this priority are triggered.

Check if expression matches event string

An event string to be tested against the expression entered in the Expression field.
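
The rules above can be checked offline with a small model. This is an added example, not Milestone code: it evaluates Search expressions (AND, OR, parentheses), the Match and Regular expression types, and the rule that only the matching events with the best priority are triggered. Assumptions not stated on this page: terms match as case-sensitive substrings, AND binds tighter than OR outside parentheses, and Python's `re.search` stands in for the product's regular expression engine. All event names and packages are constructed.

```python
import re

def search(expr, package):
    """Search type: every required term must be present; extra content is allowed."""
    tokens = re.findall(r'\(|\)|"[^"]*"|[^\s()]+', expr)
    def term():
        tok = tokens.pop(0)
        if tok == "(":                    # parentheses group a sub-expression
            value = either()
            tokens.pop(0)                 # the closing ")"
            return value
        return tok.strip('"') in package  # assumption: case-sensitive substring
    def both():                           # assumption: AND binds tighter than OR
        value = term()
        while tokens[:1] == ["AND"]:
            tokens.pop(0)
            value = term() and value
        return value
    def either():
        value = both()
        while tokens[:1] == ["OR"]:
            tokens.pop(0)
            value = both() or value
        return value
    return either()

def matches(kind, expr, package):
    if kind == "search":
        return search(expr, package)
    if kind == "match":                   # exactly the expression text, nothing else
        return package == expr
    return re.search(expr, package) is not None   # "regex" type (assumed semantics)

def triggered(events, package):
    """Names of the events fired for one package: best priority only, ties all fire."""
    hits = [(prio, name) for name, kind, expr, prio, on in events
            if on and matches(kind, expr, package)]
    top = min((p for p, _ in hits), default=None)   # 0 is the highest priority
    return [name for p, name in hits if p == top]

EVENTS = [  # constructed sample: (name, type, expression, priority, enabled)
    ("WeekendDoor", "search", "(User001 OR Door053) AND Sunday", 10, True),
    ("AnyUser001", "search", "User001", 999, True),
    ("AnyDoor053", "search", "Door053", 999, True),
    ("ExactPing", "match", "PING", 0, True),
    ("BadgeId", "regex", r"Badge\d{4}", 5, False),
]
```

Calling `triggered(EVENTS, "User001 Door053 Sunday")` returns only `WeekendDoor`: the two priority-999 events also match but are suppressed. When several events can match the same package, a broad expression with a low priority number hides the others, so review priorities together with expressions.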