Skip to main content

Security ContentExabeam Security Content in the Legacy Structure

Fact-based Rules

Fact-based rules can be focused either on user behavior or on asset activity. In the sections below, each example includes a fact-based rule, one based on user actions and the other on asset activity.

The user-based example describes a simple rule commonly seen in traditional SIEMs. It specifies that for a parsed field x in an event, trigger the rule if x = some_string.

The asset-based example describes a more powerful rule using the DistinctCountBy expressions to check for occurrences of three types of alerts on a specific asset. The DistinctCountBy on the source_host field will return the number of each type of alert observed in a session.

Fact-based Rule - User

This example shows a rule based on user behavior. It is used to detect suspicious activity on .pst or .ost files. Because the rule focuses only on the files, and not on any historical model data, it is considered a fact-based rule. The fact-based nature of the rule is also clear from the value of the Model attribute. For more information about the rule attributes, see the table below the example.

FA-Outlook-pst { 
            RuleName = "A file ends with either pst or ost" 
            RuleDescription = "A file copied ends with either pst or ost" 
            ReasonTemplate = "PST/OST file copied" 
            AggregateReasonTemplate = "PST/OST file copied" 
            RuleType = "file" 
            RuleCategory = "File Activity" 
            ClassifyIf = """TRUE""" 
            RuleEventTypes = [ "file-write"  ] 
            Disabled = "FALSE" 
            Model = "FACT" 
            FactFeatureName = "src_file_name" 
            Score = "20.0" 
            RuleLabels { 
              mitre = ["T1114"] 
              } 
            PercentileThreshold = "0.1" 
            RuleExpression = """sequenceCount(src_file_name,'file-write')=1 && (endsWith(toLower(src_file_name), '.pst') || endsWith(toLower(src_file_name), '.ost'))""" 
            DependencyExpression = "FA-Outlook" }

Rule Attribute

Description

RuleType

Indicates the type of session the rules should be triggered in. The value file indicates that the rule deals with file activity.

RuleCategory

A free text description of the use case for the rule. The value File Activity indicates that the rule deals with file activity.

ClassifyIf

An expressions that indicates when the rule should trigger. The value TRUE means that all the conditions in the RuleExpression attribute must be true in order for the rule to trigger.

RuleEventTypes

An array that indicates which events can trigger the rule. In this example, the rule is triggered when a file-write activity occurs involving a .pst or .ost file.

FactFeatureName

This value will be displayed when the featureValue field appears in the ReasonTemplate and the AggregateReasonTemplate. In this example, the feature value is src_file_name, which is a parsed field. For more information about how these attributes work together, see Rule Attributes.

Score

Indicates how the rule should be scored based on its criticality. In this example, the value is 20.0.

RuleLabels

Used for rule tagging. In this example it indicates that the rule is tagged for MITRE technique T1114.

PercentileThreshhold

The percentile below which values are considered anomalous. In this example, the value 0.1 indicates that rule considers events that appear below the 10th percentile to be abnormal.

RuleExpression

Expression that defines under what conditions the rule should trigger. This expression includes the following two conditions and the && operator between them means that both conditions must be true in order for the rule to trigger:

  • sequenceCount(src_file_name,'file-write')=1 – This condition ensures that the rule triggers only for different values in the src_file_name field during file-write events.

  • (endsWith(toLower(src_file_name), '.pst') || endsWith(toLower(src_file_name), '.ost')) – This condition ensures that the rule triggers only when the extension of the src_file_name is .pst or .ost.

DependencyExpression

Expression that indicates that triggering the rule is dependent on whether or not another rule for the same event has triggered. In this example, the rule will only trigger if rule FA-Outlook has already triggered.

Fact-based Rule - Asset

This example shows a rule based on asset activity. It is used to detect three types of security alerts on a specific source host. Because the rule focuses only on the alerts, and not on any historical model data, it is considered a fact-based rule. The fact-based nature of the rule is also clear from the value of the Model attribute. For more information about the rule attributes, see the table below the example.

A-ALERT-DISTINCT-NAMES {
  RuleName = "Various security alerts on asset"
  RuleDescription = "At least three distinct security alerts were reported for the asset. This raises the probability that the asset is compromised."
  ReasonTemplate = "Third distinct security alert on asset"
  AggregateReasonTemplate = ""
  RuleType = "asset"
  RuleCategory = "Security Alert"
  ClassifyIf = """TRUE"""
  RuleEventTypes = [ "security-alert"  ]
  Disabled = "FALSE"
  Model = "FACT"
  FactFeatureName = """src_host"""
  Score = "25.0"
  RuleLabels {
    mitre = ["T1066"]
    }
  PercentileThreshold = "0.1"
  RuleExpression = """DistinctCountBy(alert_name, asset, 'security-alert')=3 && !WasRuleFired('A-ALERT-DISTINCT-NAMES')"""
  DependencyExpression = "NA"
  Aggregation {
    DataExpr = """DistinctCountBy(alert_name, asset, 'security-alert')=3 && !WasRuleFired('A-ALERT-DISTINCT-NAMES')"""
    EventExpr = "TRUE"
  }
}

Rule Attribute

Description

RuleType

Indicates the type of session the rules should be triggered in. The value asset indicates that the rule deals with asset activity.

RuleCategory

A free text description of the use case for the rule. The value Security Alert indicates that the rule deals with alert activity.

ClassifyIf

An expression that indicates when the rule should trigger. The value TRUE means that all the conditions in the RuleExpression attribute must be true in order for the rule to trigger.

RuleEventTypes

An array that indicates which events can trigger the rule. In this example, the rule is triggered when security-alert activity is detected.

FactFeatureName

This value will be displayed when the featureValue field appears in the ReasonTemplate and the AggregateReasonTemplate. In this example, the feature value is src_host, which is a parsed field. For more information about how these attributes work together, see Rule Attributes.

Score

Indicates how the rule should be scored based on its criticality. In this example, the value is 25.0.

RuleLabels

Used for rule tagging. In this example it indicates that the rule is tagged for MITRE technique T1066.

PercentileThreshhold

The percentile below which values are considered anomalous. In this example, the value 0.1 indicates that rule considers events that appear below the 10th percentile to be abnormal.

RuleExpression

Expression that defines under what conditions the rule should trigger. This expression includes the following two conditions and the && operator between them means that both conditions must be true in order for the rule to trigger:

  • DistinctCountBy(alert_name, asset, 'security-alert')=3 – This condition ensures that rule triggers only if three distinct values of security alerts are observed on the asset.

  • !WasRuleFired('A-ALERT-DISTINCT-NAMES') – This condition ensures that the rule does not trigger if it has already triggered.

DependencyExpression

The value NA indicates that the rule is independent of other rules.

Aggregation

This attribute is required for asset-based rules. It includes the following parameters:

  • DataExpr – Specifies the expressions used to trigger the rule.

  • EventExpr – This value is usually TRUE.