Rule Dependency and Chaining
Rules can have relationships with other rules through the use of the DependencyExpression
attribute and expressions like WasRuleFired
.
When DependencyExpression
is used, Rule A can be conditioned to trigger only if rule B has triggered for the same event. Complex sets of rules can be created by using and
, or
, and not
operators to define combinations of rule dependencies.
The WasRuleFired
expression can be used in a RuleExpression
attribute to determine if a specific rule has previously triggered in the session or sequence, and optionally, whether a specific value was seen. Here are some examples of WasRuleFired
conditions:
WasRuleFired('Rule_Z')
– The rule will trigger only if rule_Z has previously triggered.WasRuleFired('Rule_Z', dest_host)
– The rule will trigger only if rule_Z has previously triggered and the value of thedest_host
in the event it triggered on is the same as the value in the current event.
The WasRuleFired
expression can also be used to negate a rule. For example, !WasRuleFired('rule_X')
indicates that a rule should only trigger if rule_X has not triggered. This expression can often be used to ensure that a rule triggers only once per session or sequence.