Rules and Filters are largely independent other than that they use the same logic. So you don't need a filter before a rule or vice versa.
Filters are used to sort the data in real time, rules are used to perform actions on your behalf.
Filters ARE necessary for creating most widgets, and I would likely use one like that in your case.
You will want to create a filter and make sure it's returning the types of data you're expecting prior to creating the widget. As far as filtering for DNS requests from outside of your organization, you may have to do it with a broad correlation, such as where the sourcemachine is not *10.*, for example. The more specific you can get the better, but LEM doesn't really do IP ranges or anything. If you need help with this part we would need more information about the environment, or Support might be able to help you.
Once you get to the widget portion, most of the settings are going to relate to how you want to display the data, but you'll select the filter you want to use for the data. You can find out more here:
If you needed to be alerted when something like this happens in your environment, then you would want to create a rule for it as well so it could notify you or take other action immediately on your behalf.
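As an added illustration (not part of the answer above, and not LEM's own filter syntax), the following Python compares the broad "sourcemachine is not *10.*" style of match that the answer suggests with a proper CIDR match against the RFC 1918 ranges, run over a handful of constructed DNS query log lines. The log format, the sample events and the internal address list are all assumptions made for the example; the point it shows is where a wildcard string match and a real IP-range match disagree.

```python
"""Added example: classify DNS query sources as internal or external.

Two matchers are compared over constructed log lines:
  * a wildcard string match on "*10.*", the kind of broad correlation
    used when the tool cannot express IP ranges;
  * a proper CIDR match against the RFC 1918 private ranges.
"""
import fnmatch
import ipaddress
import re

# Assumed internal address space for this example; adjust to the real environment.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample events in a simple key=value, syslog-like format.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z dns query src=10.1.2.3 qname=intranet.example.local qtype=A
2024-01-01T10:00:02Z dns query src=203.0.113.10 qname=example.com qtype=A
2024-01-01T10:00:03Z dns query src=192.168.10.5 qname=update.example.com qtype=A
2024-01-01T10:00:04Z dns query src=210.0.0.7 qname=example.org qtype=TXT
2024-01-01T10:00:05Z dns query src=172.20.0.9 qname=mail.example.local qtype=MX
2024-01-01T10:00:06Z dns query src=198.51.100.4 qname=example.net qtype=AAAA
"""

SRC_RE = re.compile(r"\bsrc=(\S+)")


def parse_sources(log_text):
    """Return the src= value of every line that carries one, in order."""
    sources = []
    for line in log_text.splitlines():
        match = SRC_RE.search(line)
        if match:
            sources.append(match.group(1))
    return sources


def is_internal_wildcard(src):
    """Broad string match: anything containing the text '10.' counts as internal."""
    return fnmatch.fnmatch(src, "*10.*")


def is_internal_cidr(src):
    """Exact match against INTERNAL_NETS; unparseable sources are treated as external."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def external_dns_sources(log_text, matcher=is_internal_cidr):
    """Sources the given matcher does NOT classify as internal."""
    return [src for src in parse_sources(log_text) if not matcher(src)]


if __name__ == "__main__":
    print("wildcard *10.* says external:", external_dns_sources(SAMPLE_LOG, is_internal_wildcard))
    print("CIDR match says external:    ", external_dns_sources(SAMPLE_LOG))
```

Run against the sample lines, the wildcard match lets 210.0.0.7 through as "internal" because the string contains "10.", and flags the internal host 172.20.0.9 as external because it does not; the CIDR match gets both right. That is the kind of gap to check for when the only option available is a broad text correlation.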