
Cloud-delivered Advanced Analytics – Exabeam Advanced Analytics Administration Guide

Create a Fact-Based Rule

Create a fact-based rule in Advanced Analytics settings.

  1. From the lower-left side of the page, click SETTINGS (the grey gear icon) > Analytics, and then navigate to Admin Operations > Exabeam Rules.

  2. Click Create Rule.

  3. Enter specific information:

    • Use Case & Scenario – Click SELECT SCENARIOS, then select the use cases and scenarios the rule best detects.

    • Rule Category – From the list, select which category the rule falls under.

    • Name – Name the rule. When the rule triggers, the name is displayed in Advanced Analytics. It's best to be descriptive and indicate the nature of the risky behavior; for example, Data Exfiltration by a Flight Risk User.

    • Description – Describe the rule and provide additional details that may help your team investigate. To help your team better interpret what happens during a user session, describe why you created the rule and what it detects.

    • What type of events should the rule evaluate? – Select the type of events the rule evaluates. For example, if the rule detects user logins, select all event types that reflect those login events.

    • Risk Score – Enter the risk score added to the session when the rule triggers.

  4. Create a Boolean expression the Analytics Engine uses to determine if the rule triggers. Your rule triggers only if the expression is true.

    1. Under RULE EXPRESSION, click CREATE EXPRESSION.

    2. Under Select Field, select the event field the Boolean expression evaluates.

    3. Under Select Property, select the property of the event field the Boolean expression evaluates. This differs based on event field.

    4. Under Select Function, select an operator.

    5. Under Select Category, select whether you're evaluating the event field property against another Field or a Value.

    6. If you selected Field, under Select Field, select the event field the rule evaluates the first event field against. Under Select Property, select the property of the event field.

    7. If you selected Value, in Enter Value, enter a string value.

    8. To add additional conditions, select a Boolean operator: AND or OR.

    9. To save the Boolean expression, click DONE.

  5. (Optional) Define what other rules must or must not trigger for your rule to trigger:

    1. Under DEPENDENCY, click CREATE DEPENDENCY.

      Important

      Default rules, including both model- and fact-based rules, may be deprecated and consequently disabled in future software updates. If you create a custom rule that includes a dependency on a default rule that becomes deprecated, your rule will be automatically disabled.

      This also applies to dependencies on custom rules. If you create a rule that includes a dependency on a custom rule that becomes disabled, your rule will be automatically disabled.

    2. To define a rule that must not trigger for your rule to trigger, toggle NOT to the right. To define a rule that must trigger for your rule to trigger, toggle NOT to the left.

    3. Under Search for other rules, start typing, then select a rule from the list.

    4. To add additional rules, select a Boolean operator: AND or OR.

    5. To save the dependency expression, click DONE.

  6. Under How many times should the rule be triggered?, select how frequently the rule triggers: Once per session, Always, or Once per value.

  7. Save the rule:

    • To save your progress without applying the changes, click SAVE. Your system validates the rule logic.

    • To save the rule and apply the changes, click SAVE & RELOAD ALL. Your system validates the rule logic and reloads all rules.

Example 2. An Example of Creating a Fact-Based Rule

You're creating a fact-based rule that adds 15 to a user session's risk score every time a user your Human Resources team considers a flight risk starts a session. You have a context file titled Flight Risk containing the IDs of those users.

  1. Enter specific information:

    • Use Case & Scenario – Click SELECT SCENARIOS, navigate to Malicious Insiders > Abnormal Authentication & Access, then select Abnormal User Activity.

    • Rule Category – Select Asset Logon and Access.

    • Name – Enter Flight Risks.

    • Description – Enter Users that HR considers flight risks.

    • What type of events should the rule evaluate? – Select remote-access, remote-logon, local-logon, kerberos-logon, ntlm-logon, account-switch, app-logon, app-activity, and privileged-object-access.

    • Risk Score – Enter 15.

  2. Create a Boolean expression:

    1. Under Select Field, select User.

    2. Under Select Property, select User Label.

    3. Under Select Function, select Equals.

    4. Under Select Category, select Value.

    5. In Enter Value, enter Flight Risk. This is the label in the Flight Risk context table.

    6. Click DONE.

  3. Under How many times should the rule be triggered?, select Always.

  4. Click SAVE & RELOAD ALL.
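To make the pieces of a fact-based rule concrete, the following is an added, constructed Python model of the semantics laid out in the procedure above and in Example 2: the event-type filter, the Boolean expression evaluated against a context-table label, the dependency expression (with NOT), the trigger frequency (Once per session, Always, Once per value) and the risk score added to the session. It is not Exabeam code; the class and function names, the context-table contents, the sample sessions, the decision to check dependencies against rules that fired on the same event, and the field used for Once per value are all assumptions made for illustration. It also shows the documented behaviour that a rule depending on a deprecated or disabled rule is itself disabled.

```python
"""Toy evaluator for the fact-based rule semantics described above.

Added, constructed model; not Exabeam code. Class and function names, the
per-event dependency check and the once-per-value field are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed stand-in for the "Flight Risk" context table: user ID -> labels.
CONTEXT_LABELS = {"alice": {"Flight Risk"}, "bob": set()}

# Event types chosen in Example 2.
LOGON_TYPES = {"remote-access", "remote-logon", "local-logon", "kerberos-logon", "ntlm-logon",
               "account-switch", "app-logon", "app-activity", "privileged-object-access"}


@dataclass
class Event:
    event_type: str
    user: str
    fields: dict = field(default_factory=dict)


def user_label_equals(label):
    """Expression 'User / User Label / Equals / Value <label>' via the context table."""
    return lambda e: label in CONTEXT_LABELS.get(e.user, set())


@dataclass
class Rule:
    name: str
    event_types: set                       # "What type of events should the rule evaluate?"
    expression: Callable[[Event], bool]    # RULE EXPRESSION; must be true to trigger
    risk_score: int
    frequency: str = "always"              # "once_per_session" | "always" | "once_per_value"
    value_field: Optional[str] = None      # field whose distinct values count for once_per_value
    dependency: list = field(default_factory=list)  # [(rule_name, must_trigger)], ANDed
    enabled: bool = True


def flight_risk_rule(frequency="always"):
    """The 'Flight Risks' rule from Example 2: +15 on logon-type events by a labelled user."""
    return Rule("Flight Risks", LOGON_TYPES, user_label_equals("Flight Risk"), 15,
                frequency, value_field="host")


def disable_broken_dependencies(rules):
    """Documented behaviour: a rule depending on a deprecated/missing or disabled rule
    is itself disabled. Iterates to a fixed point so chains of dependencies propagate."""
    by_name = {r.name: r for r in rules}
    changed = True
    while changed:
        changed = False
        for r in rules:
            if r.enabled and any(dep not in by_name or not by_name[dep].enabled
                                 for dep, _ in r.dependency):
                r.enabled, changed = False, True
    return [r.name for r in rules if not r.enabled]


def evaluate_session(rules, events):
    """Apply the rules to one session; returns (total added risk, [(rule, event index)])."""
    total, triggers = 0, []
    fired_in_session, fired_values = set(), {}
    for idx, ev in enumerate(events):
        fired_on_event = set()  # dependency is checked against rules fired on the same event
        for r in rules:
            if not r.enabled or ev.event_type not in r.event_types or not r.expression(ev):
                continue
            if not all((dep in fired_on_event) == must for dep, must in r.dependency):
                continue
            if r.frequency == "once_per_session":
                if r.name in fired_in_session:
                    continue
                fired_in_session.add(r.name)
            elif r.frequency == "once_per_value":
                seen = fired_values.setdefault(r.name, set())
                if ev.fields.get(r.value_field) in seen:
                    continue
                seen.add(ev.fields.get(r.value_field))
            fired_on_event.add(r.name)
            total += r.risk_score
            triggers.append((r.name, idx))
    return total, triggers


# Constructed sessions: one for a labelled user, one for an unlabelled user.
ALICE_SESSION = [
    Event("local-logon", "alice", {"host": "ws-01"}),
    Event("app-activity", "alice", {"host": "ws-01", "app": "mail"}),
    Event("privileged-object-access", "alice", {"host": "srv-02"}),
    Event("privileged-object-access", "alice", {"host": "srv-02"}),
]
BOB_SESSION = [Event("local-logon", "bob", {"host": "ws-03"})]


def demo():
    """Flight Risks (Always) plus a hypothetical dependent rule that needs it to have fired."""
    dependent = Rule("Flight Risk Privileged Access", {"privileged-object-access"},
                     lambda e: e.fields.get("host", "").startswith("srv-"), 20,
                     "once_per_session", dependency=[("Flight Risks", True)])
    rules = [flight_risk_rule(), dependent]
    disable_broken_dependencies(rules)
    return evaluate_session(rules, ALICE_SESSION)  # -> (80, ...): 4 x 15, plus 20 once


def demo_deprecation():
    """A custom rule depending on a deprecated default rule, and a rule chained on it."""
    rules = [flight_risk_rule(),
             Rule("Orphaned Custom Rule", LOGON_TYPES, lambda e: True, 5,
                  dependency=[("Some Deprecated Default Rule", True)]),
             Rule("Chained Custom Rule", LOGON_TYPES, lambda e: True, 5,
                  dependency=[("Orphaned Custom Rule", False)])]
    return disable_broken_dependencies(rules)  # -> both custom rules disabled


if __name__ == "__main__":
    print(demo())
    print(demo_deprecation())
```

Running `demo()` shows why the trigger-frequency setting matters for scoring: with Always, the same Flight Risks rule adds 15 for each of the four qualifying events in the session (60), whereas Once per session would add 15 once and Once per value (keyed here on the constructed `host` field) would add 15 per distinct host (30). `demo_deprecation()` shows the chain effect noted in the Important box: the rule whose dependency names a deprecated default rule is disabled, and the custom rule that in turn depends on it is disabled as well, even though its dependency is a NOT.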