Skip to main content

Security ContentExabeam Security Content in the Common Information Model

Model-based Rule - User

This example shows a rule based on user behavior. It is used to detect first-time security alerts for a user. Because the rule uses historical data from a corresponding model, it is considered a model-based rule. The corresponding model is named in the value of the Model attribute. For more information about the rule attributes, see the table below the example.

For a look at the model attributes on which the rule is based, see The Corresponding Model below the rule.

The Rule

SA-UA-F {
  RuleName = "First security alert name for user"
  RuleDescription = "This is the first occurrence of this security alert name for the user"
  ReasonTemplate = "First security alert with name {default|featureValue|histogram} for user"
  AggregateReasonTemplate = "First security alert name for user: {default|featureValue|histogram}"
  RuleType = "session"
  RuleCategory = "Security Alert"
  ClassifyIf = """count(alert_name,'security-alert')=1"""
  RuleEventTypes = [  "security-alert"  ]
  Disabled = "FALSE"
  Deprecated = "FALSE"
  Model = "SA-UA"
  FactFeatureName = "alert_name"
  Score = "10.0"
  RuleLabels {
    mitre = ["T1078"]
    scenario = ["3rd Party Security Alerts"]
    }
  PercentileThreshold = "0.1"
  RuleExpression = """num_observations=0"""
  DependencyExpression = "NA"
}

Rule Attribute

Description

RuleType

Indicates the type of session the rule should be triggered in. The value session indicates that the rule is associated with a session.

RuleCategory

A free text description of the category or classification for the rule. The value Security Alert indicates that the rule deals with security alert activity.

ClassifyIf

An expression that indicates the frequency with which the model-based rule should trigger. For model-based rules, this attribute works with the values in the RuleExpression attribute to further condition when the rule should trigger.

In this example rule, the following expression indicates that the rule should trigger once per alert_name in security_alert events whenever the RuleExpression conditions are met:

count(alert_name,'security-alert')=1

RuleEventTypes

An array that indicates which events can trigger the rule. In this example, the rule is triggered when a security-alert event occurs.

Model

Indicates the model that the rule depends on for trained data. In this example, the value indicates that the rule is based on the SA-UA model. For a look at the attributes of this model, see The Corresponding Model below.

FactFeatureName

This value is displayed when the featureValue field appears in the ReasonTemplate and the AggregateReasonTemplate. In this example, the feature value is alert_name, which is a parsed field. For more information about how these attributes work together, see Rule Attributes.

Score

Indicates how the rule should be scored based on its criticality. In this example, the value is 10.0.

RuleLabels

Used for rule tagging to show MITRE ATT&CK and use case coverage. In this example, the rule is tagged for MITRE technique T1078 and use case 3rd Party Security Alerts.

PercentileThreshhold

The percentile below which values are considered anomalous. In this example, the value 0.1 indicates that rule considers events that appear below the 10th percentile to be abnormal.

RuleExpression

Expression that defines under what conditions the rule should trigger. In this example, the following expression indicates that the rule should trigger only if the current value has not been observed before (in other words, only for a first occurrence of each alert):

num_observations=0

DependencyExpression

The value NA indicates that the rule is independent of other rules.

For definitions and examples of other Exabeam rule attributes, see Rule Attributes.

The Corresponding Model

This is the model that the example rule above is based on. It models security alert names for a user. For more information about how the attributes of a model work, see Model Attributes.

SA-UA {
  ModelTemplate = "Security alert names for user"
  Description = "Models security alert names for the user"
  Category = "Other"
  IconName = ""
  ScopeType = "USER"
  Scope = """user"""
  Feature = """alert_name"""
  FeatureName = "alert_name"
  FeatureType = "alert_name"
  TrainIf = """count(alert_name,'security-alert')=1"""
  ModelType = "CATEGORICAL"
  AgingWindow = "32"
  CutOff = "5"
  Alpha = "0.8"
  MaxNumberOfBins = "1000000"
  ConvergenceFilter = "confidence_factor>=0.8"
  HistogramEventTypes = [  "security-alert"  ]
  Disabled = "FALSE"
}