
Exabeam Security Content in the Legacy Structure

Create Rules

Rules define a logical activity (for example, a VPN login) that you want to be alerted on. Any event that successfully lands in a timeline can trigger a rule, which adds points to that timeline and can elevate a user to notable status. Rules therefore flag behavior as bad, suspicious, or benign.

Key Rule Ingredients:

  • RuleID - The string that names the HOCON block in the rule configuration file. If another rule that appears later (below) in rules.conf has the same key, the first rule configuration is thrown out.

  • ClassifyIf - Accepts the same analytics engine expressions as RuleExpression, so it is an additional place for rule logic, though the logic placed here is generally used to restrict and scope when the rule should trigger. Many rules use this field for a session/sequence "count" analytics engine expression that stops the rule from triggering more than once for a specific value.

    Note

    For fact based rules, set ClassifyIf to "TRUE".

  • RuleEventTypes - Only events of the event types listed in this field are evaluated against the rule. A rule whose event types contain only web-activity-denied will never be evaluated against a network-connection-denied event.

  • RuleExpression - The rule logic: when this rule should 'fire'. For example, RuleExpression = """ process_name="malicious.exe" """.

  • RuleType - session, asset, endpoint, web, file, database, external or account-lockout. All events in Advanced Analytics fall under one of these seven event buckets. For example, process-created events are only put into the 'endpoint' sequence. So, even if RuleEventTypes contains process-created, if RuleType = 'session', the rule will never fire for process-created events.

When a rule does not trigger when it should, it is normally one of these five fields that needs editing to fix the rule.

When testing new rules, take the events you want the rule to trigger on and ensure that their event type is listed in RuleEventTypes and that the event type lands in the sequence named by RuleType (session, asset, endpoint, etc.).
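As an added example (not Exabeam's own code), a small Python lint over a constructed rules.conf fragment that applies the checks above: it reads the rule ingredients, answers whether a given event type would be evaluated by a rule at all, and flags a duplicate RuleID (earlier block discarded) or a RuleType that can never see the rule's events. The event-type-to-bucket map, the field syntax it accepts, and the sample rule names are assumptions beyond what the page states.

```python
import re
# Constructed event type -> sequence bucket map; the page states only process-created -> 'endpoint'.
EVENT_BUCKET = {"process-created": "endpoint", "web-activity-denied": "web"}
BLOCK_RE = re.compile(r"^(\S+)\s*\{\n(.*?)^\}", re.S | re.M)
FIELD_RE = re.compile(r'(\w+)\s*=\s*(?:"""(.*?)"""|\[(.*?)\]|"([^"]*)")', re.S)

def parse_rules(text):
    """Minimal reader for this rules.conf shape: [(RuleID, fields)] in file order, so duplicates stay visible."""
    rules = []
    for block in BLOCK_RE.finditer(text):
        fields = {}
        for key, triple, lst, plain in (f.groups() for f in FIELD_RE.finditer(block.group(2))):
            if lst is not None:  # list value such as RuleEventTypes = ["a", "b"]
                fields[key] = [v.strip().strip('"') for v in lst.split(",") if v.strip()]
            else:                # triple-quoted expression or plain string
                fields[key] = (triple if triple is not None else plain).strip()
        rules.append((block.group(1), fields))
    return rules

def would_evaluate(fields, event_type):
    """Both gates from the page: listed in RuleEventTypes AND landing in the RuleType sequence."""
    return (event_type in fields.get("RuleEventTypes", [])
            and EVENT_BUCKET.get(event_type) == fields.get("RuleType"))

def lint_rules(rules):
    """Flag a RuleID defined twice (earlier block thrown out) and a RuleType that never sees the rule's events."""
    findings, seen = [], set()
    for rule_id, fields in rules:
        if rule_id in seen:
            findings.append(f"{rule_id}: duplicate RuleID, earlier definition discarded")
        seen.add(rule_id)
        for et in fields.get("RuleEventTypes", []):
            if not would_evaluate(fields, et):
                findings.append(f"{rule_id}: {et} lands in '{EVENT_BUCKET.get(et)}', RuleType is '{fields.get('RuleType')}'")
    return findings

# Constructed rules.conf fragment: the first block is misconfigured and then shadowed by the second.
SAMPLE_CONF = '''
Malicious-Process {
  RuleType = "session"
  RuleEventTypes = ["process-created"]
  ClassifyIf = "TRUE"
  RuleExpression = """ process_name="malicious.exe" """
}
Malicious-Process {
  RuleType = "endpoint"
  RuleEventTypes = ["process-created"]
  ClassifyIf = "TRUE"
  RuleExpression = """ process_name="malicious.exe" """
}
'''
```

Running `lint_rules(parse_rules(SAMPLE_CONF))` reports the session/endpoint mismatch on the first block and the duplicate RuleID on the second.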