Required Model/Rule Field
To track how often a specific activity has occurred, you can count pairs of field values. The same counts also help you decide whether two field values should be stored together in a single field value.
Enrichers often include a concat expression to put two field values together. In the example below, a target_user field is created that either begins with root (if target_user_id = '0') or begins with the actual target_user_id value (if it is not equal to '0'); in both cases the dest_host value is appended in parentheses. The Condition restricts the enricher to events where target_user is not already set, target_user_id and dest_host both exist, and vendor is 'Unix'.
unix-target-id {
    EventTypes = ['account-deleted','account-password-change','account-password-reset']
    Condition = """!exists(target_user) && exists(target_user_id) && exists(dest_host) && vendor='Unix'"""
    Map = [
        {
            Field = "target_user"
            Value = "ReturnIf(target_user_id = '0', concat('root (', dest_host, ')'), concat(target_user_id, ' (', dest_host, ')'))"
        }
    ]
}
The second enricher builds a composite key, src_host_time, by concatenating src_host with the first nine characters of the time value (take(time,9)):

netflow-scanhost {
    EventTypes = ['netflow-connection']
    Condition = "exists(src_host)"
    Map = [
        {
            Field = "src_host_time"
            Value = """concat(src_host, '-', take(time,9))"""
        }
    ]
}
A rule can then use the following syntax to detect a host (src_host) that reaches out to 20 distinct destination hosts (dest_host) within the same short time window. This works because the enricher concatenates the time value to the src_host value: every connection from one source inside the same time bucket carries the same src_host_time key, so DistinctCountByIf can count the distinct dest_host values per key. Only events of type 'netflow-connection' whose src_locality is 'internal' are counted. Because the function counts distinct destinations, 20 connections to a single destination do not trigger the rule, while 20 different destinations from one source do, which is the pattern of a host scan. Note that take(time,9) keeps the first nine characters of the time value, so the real width of the bucket depends on the format of the time field in your events; check it before relying on a one-second window.

"""DistinctCountByIf(dest_host, src_host_time, src_locality = 'internal', 'netflow-connection') = 20"""
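To make the behaviour of the two enrichers and the DistinctCountByIf rule concrete, here is an added Python simulation of them run over constructed netflow and account events. This is example code written for this page, not the product's own implementation; the function names enrich_target_user, enrich_src_host_time, distinct_count_by_if and scanning_sources are hypothetical stand-ins for the ReturnIf, concat, take and DistinctCountByIf expressions, and the sample events, hosts and timestamps are invented.

```python
from collections import defaultdict

# Added example, not the product's own code: a Python simulation of the two
# enrichers and the DistinctCountByIf rule above.  Function names are
# hypothetical stand-ins for the ReturnIf/concat/take/DistinctCountByIf
# expressions; the sample events at the bottom are constructed.

UNIX_TARGET_EVENT_TYPES = ("account-deleted", "account-password-change",
                           "account-password-reset")


def enrich_target_user(event):
    """unix-target-id: derive target_user from target_user_id and dest_host.

    Mirrors the enricher's EventTypes, Condition and ReturnIf(...) value:
    runs only when target_user is absent, target_user_id and dest_host exist
    and vendor is 'Unix'.  Returns a copy; the input is left untouched.
    """
    e = dict(event)
    if (e.get("event_type") in UNIX_TARGET_EVENT_TYPES
            and "target_user" not in e
            and "target_user_id" in e and "dest_host" in e
            and e.get("vendor") == "Unix"):
        uid = e["target_user_id"]
        name = "root" if uid == "0" else uid
        e["target_user"] = f"{name} ({e['dest_host']})"
    return e


def enrich_src_host_time(event, width=9):
    """netflow-scanhost: src_host_time = concat(src_host, '-', take(time, width)).

    take(time, 9) keeps the first nine characters of the time value, so the
    bucket size depends on the time format.  width is a parameter here so the
    effect can be checked against your own timestamps.
    """
    e = dict(event)
    if "src_host" in e:
        e["src_host_time"] = f"{e['src_host']}-{str(e['time'])[:width]}"
    return e


def distinct_count_by_if(events, count_field, group_field, condition, event_type):
    """DistinctCountByIf(count_field, group_field, condition, event_type).

    Returns {group value: number of distinct count_field values} over events
    of the given type that satisfy condition.
    """
    seen = defaultdict(set)
    for e in events:
        if (e.get("event_type") == event_type and condition(e)
                and group_field in e and count_field in e):
            seen[e[group_field]].add(e[count_field])
    return {key: len(dests) for key, dests in seen.items()}


def scanning_sources(events, width=9, threshold=20):
    """Enrich, then return the src_host_time keys whose distinct dest_host
    count equals threshold, mirroring the rule's '= 20'."""
    enriched = [enrich_src_host_time(e, width) for e in events]
    counts = distinct_count_by_if(
        enriched, "dest_host", "src_host_time",
        lambda e: e.get("src_locality") == "internal",
        "netflow-connection")
    return sorted(key for key, n in counts.items() if n == threshold)


def netflow(src, dst, t_ms, locality="internal"):
    """Constructed netflow-connection event with an epoch-millisecond time."""
    return {"event_type": "netflow-connection", "src_host": src,
            "dest_host": dst, "time": str(t_ms), "src_locality": locality}


BASE = 1714558523000  # constructed epoch-ms timestamp (13 characters)
SAMPLE_NETFLOW = (
    # internal scanner: 20 distinct destinations inside one second
    [netflow("10.0.0.5", f"10.0.1.{i}", BASE + i * 40) for i in range(20)]
    # same source in the next second: a different bucket, only 5 targets
    + [netflow("10.0.0.5", f"10.0.1.{i}", BASE + 1000 + i * 40) for i in range(5)]
    # 20 connections to a single host: 20 events but 1 distinct dest_host
    + [netflow("10.0.0.7", "10.0.2.1", BASE + i * 40) for i in range(20)]
    # external source hitting 20 hosts: excluded by src_locality = 'internal'
    + [netflow("203.0.113.9", f"10.0.1.{i}", BASE + i * 40, "external")
       for i in range(20)]
)

if __name__ == "__main__":
    # With 13-character epoch-ms times, ten characters give a one-second
    # bucket; the page's take(time, 9) would give a ten-second bucket here.
    print(scanning_sources(SAMPLE_NETFLOW, width=10))
    # -> ['10.0.0.5-1714558523']
    print(enrich_target_user({"event_type": "account-deleted", "vendor": "Unix",
                              "target_user_id": "0", "dest_host": "db01"}))
```

Running the script shows why the distinct count matters: the source that opens 20 connections to one host never appears in the result, the external source is filtered out by the src_locality condition, and the internal host that touches 20 different destinations inside one bucket is the only key returned. Changing width from 10 to 9 widens the bucket from one second to ten for these millisecond timestamps, which is the check worth doing against your own time format before trusting the one-second reading of take(time,9).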