Frequency rules
Frequency rules generate an alert for every event, or group of events, that matches the defined detection criteria. Use them carefully: they can easily overwhelm the SOC with a high volume of alerts, whether individual or grouped.
The following parameters configure a Frequency rule:

| Parameter | Description | Example |
|---|---|---|
| Name | Name of the rule. This name is used in generated alerts and in the rule lists. | Brute force attempt |
| Index | Data lake index containing the events that the rule will evaluate. | customerlog-acme-demobank-cef |
| Business service | Alerts generated by the rule are linked to the specified business service. Useful to classify the alerts by customer organization unit, SOC service or any other classification criteria. | Managed Service Phishing Service |
| Active | Whether the rule is activated or not. | Checked or unchecked |
| Description | Long description of the rule. This text is added to the description of the generated alerts. | Log description text |
| Severity | Severity of the alerts generated by this rule. | High, critical, medium, low |
| Confidence | Integer number, from 1 to 100, indicating how trustworthy the alerts generated by the rule are. | 80 |
| Query rule | Criteria of the detection rule, expressed in the platform's DSL (described in DSL language). | destinationPort IS_NOT_ONE_OF ["21", "53", "445"] AND account_type IS "admin" |
| Query delay | Causes the engine to subtract a time delta from every query, so the rule runs with a delay. Useful if the data is not indexed immediately. | 00:08:00 |
| Aggregation time to group alerts | Aggregation time allows grouping alerts during a certain period. The result of the aggregation is a new alert with a summary. This time must be divisible by 5 minutes. | 00:05:00 |
| Impact | Tag describing the effect caused in the customer infrastructure. | Data leakage |
| Category | Alert category. | Malware |
| Sub-category | Alert subcategory. | Ransomware |
| Timeframe | Matches of the rule are grouped in the specified timeframe. This generates a single grouped alert when the rule matches many times, in order to avoid alert saturation in the SOC. Format is H:mm:ss. The minimum timeframe is 0:00:01, so if alert grouping is not required for a rule, 0:00:01 has to be specified. | 0:05:00 |
| Number of events | Number of matches required in the specified timeframe to generate a single alert. | 100 |
| Try rule | This button executes the configured criteria against the specified index and returns the number of events that match the query. Useful to test whether the criteria are well defined before saving the rule. | |
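Worked example, added here and not part of the platform's own documentation or code: a small Python evaluator showing how the Query rule, Query delay, Timeframe and Number of events parameters interact. The event field names, timestamps and the lowered threshold of 3 are constructed assumptions so that a handful of sample events is enough to produce one grouped alert.

```python
from datetime import datetime, timedelta

# Constructed sample events (fictional timestamps, CEF-style fields
# named after the page's example query rule). Not real data.
EVENTS = [
    {"ts": "2024-01-01T10:00:05", "destinationPort": "22",   "account_type": "admin"},
    {"ts": "2024-01-01T10:01:10", "destinationPort": "53",   "account_type": "admin"},  # excluded port
    {"ts": "2024-01-01T10:02:00", "destinationPort": "3389", "account_type": "admin"},
    {"ts": "2024-01-01T10:03:30", "destinationPort": "22",   "account_type": "user"},   # not admin
    {"ts": "2024-01-01T10:04:00", "destinationPort": "8080", "account_type": "admin"},
    {"ts": "2024-01-01T10:20:00", "destinationPort": "22",   "account_type": "admin"},  # alone in its window
    {"ts": "2024-01-01T10:59:00", "destinationPort": "22",   "account_type": "admin"},  # still inside query delay
]


def query_rule(ev):
    """destinationPort IS_NOT_ONE_OF ["21", "53", "445"] AND account_type IS "admin"."""
    return ev["destinationPort"] not in {"21", "53", "445"} and ev["account_type"] == "admin"


def parse_hms(text):
    """Parse the page's H:mm:ss format into a timedelta."""
    h, m, s = (int(part) for part in text.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)


def evaluate(events, now, timeframe="0:05:00", number_of_events=3, query_delay="00:08:00"):
    """Return one grouped alert per timeframe window holding >= number_of_events matches.

    Query delay: events newer than now - query_delay are not evaluated yet.
    Timeframe: a window opens at the first unassigned match and spans the
    timeframe; a window with fewer matches than the threshold raises nothing.
    """
    cutoff = now - parse_hms(query_delay)
    window = parse_hms(timeframe)
    matches = sorted(
        ts for ts, ev in ((datetime.fromisoformat(e["ts"]), e) for e in events)
        if ts <= cutoff and query_rule(ev)
    )
    alerts, i = [], 0
    while i < len(matches):
        start, j = matches[i], i
        while j < len(matches) and matches[j] - start < window:
            j += 1
        if j - i >= number_of_events:
            alerts.append({"window_start": start.isoformat(), "matches": j - i})
        i = j  # next window starts at the first match outside this one
    return alerts
```

With the page's minimum timeframe of 0:00:01 and a threshold of 1, every match becomes its own alert, which is the ungrouped behaviour the Timeframe row describes.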