Skip to main content

Security ContentExabeam Security Content in the Common Information Model

Model-based Rule - Asset

This example shows a rule based on asset activity. It is used to determine if failed log-on events for an asset should be considered anomalous. Because the rule uses historical data from a corresponding model, it is considered a model-based rule. The corresponding model is named in the value of the Model attribute. For more information about the rule attributes, see the table below the example.

For a look at the model attributes on which the rule is based, see The Corresponding Model below the rule.

The Rule

A-FLSh-Count-A {
RuleName = "Abnormal number of failed logons from asset (L)"
RuleDescription = "Extremely abnormal number of failed logons from asset"
ReasonTemplate = "({quantity|featureValue}) failed logons from asset, expected around {quantity|percentileThresholdValue|histogram}"
AggregateReasonTemplate = ""
RuleType = "asset"
RuleCategory = "Failed Logon and Account Lockout"
ClassifyIf = """DistinctCountBy(event_id,src_host,'failed-logon')>0"""
RuleEventTypes = ["failed-logon"]
Disabled = "FALSE"
Deprecated = "FALSE"
Model = "A-FLSh-Count"
FactFeatureName = "event_id"
Score = "10.0"
ScoreTarget = src_host
RuleLabels {
  mitre = ["T1110"]
  scenario = ["Abnormal Remote Access","Brute Force Attack"]
  }
PercentileThreshold = "0.1"
RuleExpression = """total_events>30 && percentile_count_distance>2"""
DependencyExpression = "NA"
Aggregation {
  DataExpr = """DistinctCountBy(event_id,src_host,'failed-logon')>0"""
  EventExpr = "TRUE"
  ModelExpr = """total_events>30 && percentile_count_distance>2"""
  }
}

Rule Attribute

Description

RuleType

Indicates the type of session the rule should be triggered in. The value asset indicates that the rule deals with asset activity.

RuleCategory

A free text description of the category or classification for the rule. The value Failed Logon and Account Lockout indicates that the rule deals with failed log-on attempts on an asset.

ClassifyIf

An expression that indicates the frequency with which the model-based rule should trigger. For model-based rules, this attribute works with the values in the RuleExpression attribute to further condition when the rule should trigger.

In this example rule, the following expression indicates that the rule should trigger if there is at least one failed-logon event on the src_host, whenever the RuleExpression conditions are met:

DistinctCountBy(event_id,src_host,'failed-logon')>0

RuleEventTypes

An array that indicates which events can trigger the rule. In this example, the rule is triggered when a failed-logon event occurs.

Model

Indicates the model that the rule depends on for trained data. In this example, the value indicates that the rule is based on the A-FLSh-Count model. For a look at the attributes of this model, see The Corresponding Model below.

FactFeatureName

This value is displayed when the featureValue field appears in the ReasonTemplate and the AggregateReasonTemplate. In this example, the feature value is event_id, which is a parsed field. For more information about how these attributes work together, see Rule Attributes.

Score

Indicates how the rule should be scored based on its criticality. In this example, the value is 10.0.

ScoreTarget

For asset-based rules with both a destination and a source host, this attribute indicates where the scoring points should be applied. In this example, the target is the src_host.

RuleLabels

Used for rule tagging to show MITRE ATT&CK and use case coverage. In this example, the rule is tagged for MITRE technique T1110 and for use cases Abnormal Remote Access and Brute Force Attack.

PercentileThreshhold

The percentile below which values are considered anomalous. In this example, the value 0.1 indicates that rule considers events that appear below the 10th percentile to be abnormal.

RuleExpression

Expression that defines under what conditions the rule should trigger. This expression includes the following conditions and the && operator between them means that both conditions must be true in order for the rule to trigger:

  • total_events>30 – This condition indicates that the rule should trigger if the number of failed-logon events at the src_host is greater than 30.

  • percentile_count_distance>2 – This condition indicates the level of abnormality that will trigger the rule.

DependencyExpression

The value NA indicates that the rule is independent of other rules.

Aggregation

This attribute is required for asset-based rules. It includes the following parameters:

  • DataExpr – Specifies the expressions used to trigger the rule.

  • EventExpr – This value is usually TRUE.

  • ModelExpr – Specifies other expressions used in the rule, such as num_observations=0 or ConfidenceFactorAboveOrEqual().

For definitions and examples of other Exabeam rule attributes, see Rule Attributes.

The Corresponding Model

This is the model that the example rule above is based on. It models the number of failed logon events per day experienced by a specific asset. For more information about how the attributes of a model work, see Model Attributes.

A-FLSh-Count {
ModelTemplate = "Count of failed logons from host"
Description = "Models the number of failed logons from this asset"
Category = "Assets"
IconName = ""
ScopeType = "DEVICE"
Scope = """src_host"""
Feature = """DistinctCountBy(event_id,src_host,'failed-logon')"""
FeatureName = "activity"
FeatureType = "quantity"
TrainIf = """DistinctCountBy(event_id,src_host,'failed-logon')>0"""
ModelType = "NUMERICAL_CLUSTERED"
AgingWindow = ""
CutOff = "5"
Alpha = "1"
MaxNumberOfBins = "1000000"
ConvergenceFilter = "confidence_factor>=0.8"
HistogramEventTypes = ["sequence-end"]
SequenceTypes = [asset]
Disabled = "FALSE"
}