Metric aggregation rules
A metric aggregation rule is a type of aggregation operation that calculates numerical values, such as totals, averages, minimum/maximum values or statistical summaries, from one or more fields in the events. These rules are primarily used to monitor system behaviour, detect anomalies or generate alerts.
Unlike bucket aggregations, which group documents into sets, metric aggregations calculate values within those groups or across all matching documents.
The following parameters configure a metric aggregation rule:

| Parameter | Description | Example |
| --- | --- | --- |
| Name | Name of the rule. This name is used in generated alerts and in the rule lists. | Brute force attempt |
| Index | Data lake index containing the events that the rule will evaluate. | customerlog-acme-demobank-cef |
| Business service | Alerts generated by the rule will be linked to the specified business service. Useful to classify alerts by customer organizational unit, SOC service or any other classification criterion. | Managed Service Phishing Service |
| Active | Whether the rule is activated or not. | Checked or unchecked |
| Description | Long description of the rule. This text is added to the description of the generated alerts. | Log description text |
| Severity | Severity of the alerts generated by this rule. | High, critical, medium, low |
| Confidence | Integer number from 1 to 100 indicating how trustworthy the alerts generated by the rule are. | 80 |
| Query rule | Criteria of the detection rule, expressed in the platform's DSL (described in DSL language). | destinationPort IS_NOT_ONE_OF ["21", "53", "445"] AND account_type IS "admin" |
| Query delay | Causes the engine to subtract a time delta from every query, so the rule runs with a delay. This is useful if the data is not indexed immediately. | 00:08:00 |
| Aggregation time to group alerts | Aggregation time allows grouping alerts during a certain period. The result of the aggregation is a new alert with a summary. This time must be divisible by 5 minutes. | 00:05:00 |
| Impact | Tag describing the effect caused in the customer infrastructure. | Data leakage |
| Category | Alert category. | Malware |
| Sub-category | Alert subcategory. | Ransomware |
| Analysis info description | Short description of the analysis information shown in the raw_event field of the generated alerts. | Affected endpoints |
| Metric agg key | Name of the field over which the metric value is calculated. The underlying type of this field must be supported by the specified aggregation type. | destinationPort |
| Query key | Group metric calculations by this field. For each unique value of the query_key field, the metric is calculated and evaluated separately against the threshold(s). | destinationAddress |
| Metric agg type | The type of metric aggregation to perform on the metric_agg_key. | Cardinality |
| Max threshold | If the calculated metric value is greater than this number, an alert is triggered. This threshold is exclusive. | 200 |
| Min threshold | If the calculated metric value is less than this number, an alert is triggered. This threshold is exclusive. | 0 |
| Use run every query size | By default, the metric value is calculated over a buffer_time sized window. If this parameter is true, the rule uses run_every as the calculation window. | Checked or unchecked |
| Allow buffer time overlap | Only has an effect if use_run_every_query_size is false and buffer_time is greater than run_every. If true, allows the start of the metric calculation window to overlap the end time of a previous run. By default the start and end times do not overlap, so if the time elapsed since the last run is less than the metric calculation window size, the rule execution is skipped (to avoid calculations on partial data). | Checked or unchecked |
| Bucket interval | If present, divides the metric calculation window into bucket-interval sized segments. The metric value is calculated and evaluated against the threshold(s) for each segment. If bucket interval is specified, buffer time (or run every, if use run every query size is true) must be a multiple of bucket interval. | 00:01:00 |
| Sync bucket interval | Only has an effect if bucket interval is present. If true, syncs the start and end times of the metric calculation window to the keys (timestamps). By default, aggregations are aligned with the time the engine runs (this both avoids calculations on partial data and ensures the very latest documents are included). | Checked or unchecked |
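To make the window, grouping and threshold parameters above concrete, here is an added Python simulation of how such a rule evaluates events. It is not the platform's own code: the rule settings, the event field names (@timestamp, destinationAddress, destinationPort) and the sample events are constructed for illustration, and the sync bucket interval option is not modelled. The example reproduces the exclusive thresholds, the per-query_key grouping, the buffer_time versus run_every window choice, the overlap skip and the bucket interval segmentation.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def ts_at(minute, second=0):
    """Helper for constructed timestamps on a fixed day (illustration only)."""
    return datetime(2024, 1, 1, 12, minute, second, tzinfo=timezone.utc)


# Constructed sample events, not real data. One destination receives hits on
# four distinct ports inside a single minute; the other sees the same port twice.
SAMPLE_EVENTS = [
    {"@timestamp": ts_at(0, 10), "destinationAddress": "10.0.0.5", "destinationPort": "22"},
    {"@timestamp": ts_at(0, 20), "destinationAddress": "10.0.0.5", "destinationPort": "80"},
    {"@timestamp": ts_at(0, 30), "destinationAddress": "10.0.0.5", "destinationPort": "443"},
    {"@timestamp": ts_at(0, 40), "destinationAddress": "10.0.0.5", "destinationPort": "3389"},
    {"@timestamp": ts_at(1, 5), "destinationAddress": "10.0.0.9", "destinationPort": "443"},
    {"@timestamp": ts_at(1, 15), "destinationAddress": "10.0.0.9", "destinationPort": "443"},
    {"@timestamp": ts_at(3, 0), "destinationAddress": "10.0.0.5", "destinationPort": "22"},
]

# Constructed rule settings mirroring the parameter table (names are assumptions).
RULE = {
    "metric_agg_key": "destinationPort",
    "query_key": "destinationAddress",
    "metric_agg_type": "cardinality",
    "max_threshold": 3,         # exclusive: alert only when the metric is > 3
    "min_threshold": None,      # no lower bound configured
    "buffer_time": timedelta(minutes=5),
    "run_every": timedelta(minutes=1),
    "use_run_every_query_size": False,
    "allow_buffer_time_overlap": False,
    "bucket_interval": timedelta(minutes=1),
}


def metric_value(values, agg_type):
    """Compute the metric over the metric_agg_key values of one group/segment."""
    if agg_type == "cardinality":
        return len(set(values))
    nums = [float(v) for v in values]
    if agg_type == "sum":
        return sum(nums)
    if agg_type == "avg":
        return sum(nums) / len(nums) if nums else 0.0
    if agg_type == "max":
        return max(nums)
    if agg_type == "min":
        return min(nums)
    raise ValueError(f"unsupported metric_agg_type: {agg_type}")


def threshold_hit(value, max_threshold=None, min_threshold=None):
    """Both thresholds are exclusive: a value equal to the threshold does not fire."""
    if max_threshold is not None and value > max_threshold:
        return True
    if min_threshold is not None and value < min_threshold:
        return True
    return False


def calculation_window(now, rule):
    """The window is buffer_time long unless use_run_every_query_size is true."""
    size = rule["run_every"] if rule["use_run_every_query_size"] else rule["buffer_time"]
    return now - size, now


def should_skip(window_start, last_window_end, rule):
    """Skip a run whose window would overlap the previous one, unless overlap is allowed."""
    if last_window_end is None or rule["allow_buffer_time_overlap"]:
        return False
    if rule["use_run_every_query_size"] or rule["buffer_time"] <= rule["run_every"]:
        return False  # the overlap setting only matters when buffer_time > run_every
    return window_start < last_window_end


def bucket_ranges(window_start, window_end, bucket_interval):
    """Split the window into bucket_interval sized segments; window must be a multiple."""
    if bucket_interval is None:
        return [(window_start, window_end)]
    if (window_end - window_start) % bucket_interval != timedelta(0):
        raise ValueError("calculation window must be a multiple of bucket_interval")
    ranges, start = [], window_start
    while start < window_end:
        ranges.append((start, start + bucket_interval))
        start += bucket_interval
    return ranges


def evaluate(events, rule, window_start, window_end):
    """Return one (segment_start, query_key value, metric) tuple per threshold breach."""
    alerts = []
    for seg_start, seg_end in bucket_ranges(window_start, window_end, rule["bucket_interval"]):
        groups = defaultdict(list)  # query_key value -> metric_agg_key values in this segment
        for ev in events:
            if seg_start <= ev["@timestamp"] < seg_end:
                groups[ev.get(rule["query_key"])].append(ev[rule["metric_agg_key"]])
        for key, values in groups.items():
            value = metric_value(values, rule["metric_agg_type"])
            if threshold_hit(value, rule["max_threshold"], rule["min_threshold"]):
                alerts.append((seg_start, key, value))
    return alerts


def run_once(events, rule, now, last_window_end=None):
    """One engine tick: pick the window, apply the overlap rule, evaluate segments."""
    start, end = calculation_window(now, rule)
    if should_skip(start, last_window_end, rule):
        return None
    return evaluate(events, rule, start, end)


if __name__ == "__main__":
    print(run_once(SAMPLE_EVENTS, RULE, ts_at(5)))
```

Running it at 12:05 evaluates five one-minute segments; only 10.0.0.5 in the 12:00 segment reaches four distinct ports, which exceeds the exclusive maximum of 3. A second tick at 12:06 is skipped because its window would overlap the previous run; with overlap allowed it evaluates a 12:01 to 12:06 window that no longer contains the 12:00 events, which is the partial-data effect the overlap setting is about.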