
Security Content > Exabeam Security Content in the Legacy Structure

Model-based Rule - Asset

This example shows a rule based on asset activity. It is used to determine if failed log-on events for an asset should be considered anomalous. Because the rule uses historical data from a corresponding model, it is considered a model-based rule. The corresponding model is named in the value of the Model attribute. For more information about the rule attributes, see the table below the example.

For a look at the model attributes on which the rule is based, see The Corresponding Model below the rule.

The Rule

A-FLSh-Count-Ac {
RuleName = "Abnormal number of failed logons from asset (L)"
RuleDescription = "Extremely abnormal number of failed logons from asset"
ReasonTemplate = "({quantity|featureValue}) failed logons from asset, expected around {quantity|percentileThresholdValue|histogram}"
AggregateReasonTemplate = ""
RuleType = "asset"
RuleCategory = "Failed Logon and Account Lockout"
ClassifyIf = """TRUE"""
RuleEventTypes = ["failed-logon"]
Disabled = "FALSE"
Model = "A-FLSh-Count"
FactFeatureName = "NA"
Score = "40.0"
ScoreTarget = src_host
RuleLabels {
  mitre = ["T1110","T1078"]
  }
PercentileThreshold = "0.1"
RuleExpression = """num_observations<percentile_threshold_count && ConfidenceFactorAboveOrEqual() && percentile_count_distance>5 && !WasRuleFired('A-FLSh-Count-Ac')"""
DependencyExpression = "NA"
Aggregation {
  DataExpr = """!WasRuleFired('A-FLSh-Count-Ac')"""
  EventExpr = "TRUE"
  ModelExpr = """num_observations<percentile_threshold_count && ConfidenceFactorAboveOrEqual() && percentile_count_distance>5"""
  }
}

Rule Attribute

Description

RuleType

Indicates the type of session in which the rule should be triggered. The value asset indicates that the rule deals with asset activity.

RuleCategory

A free text description of the use case for the rule. The value Failed Logon and Account Lockout indicates that the rule deals with failed log-on attempts on an asset.

ClassifyIf

An expression that indicates when the rule should trigger. The value TRUE means that all the conditions in the RuleExpression attribute must be true in order for the rule to trigger.

RuleEventTypes

An array that indicates which events can trigger the rule. In this example, the rule is triggered when a failed-logon event occurs.

Model

Indicates the model that the rule depends on for trained data. In this example, the value indicates that the rule is based on the A-FLSh-Count model. For a look at the attributes of this model, see The Corresponding Model below.

FactFeatureName

In this example, the value NA means there is no feature name to display in the ReasonTemplate. For more information about how these attributes work together, see Rule Attributes.

Score

Indicates how the rule should be scored based on its criticality. In this example, the value is 40.0.

ScoreTarget

For asset-based rules with both a destination and a source host, this attribute indicates where the scoring points should be applied. In this example, the target is the src_host.

RuleLabels

Used for rule tagging. In this example it indicates that the rule is tagged for MITRE techniques T1110 and T1078.

PercentileThreshold

The percentile below which values are considered anomalous. In this example, the value 0.1 indicates that the rule considers events that fall below the 10th percentile to be abnormal.

RuleExpression

Expression that defines under what conditions the rule should trigger. The expression combines the following conditions with the && operator, so all of them must be true in order for the rule to trigger:

  • num_observations<percentile_threshold_count – This condition indicates that the rule should trigger if the current log-on failure is below the percentile threshold for the model. What does this mean? Consider a histogram of log-on failure data for the asset. The current failure falls in a specific bin, and the number of points in that bin is less than the percentile threshold count. If adding the new log-on failure to the bin does not raise its count above the threshold, the log-on failure can be considered anomalous.

  • ConfidenceFactorAboveOrEqual() – This condition ensures that the rule will only trigger if the confidence factor is above or equal to 0.8, which is a global confidence threshold defined in a configuration file. To specify a different confidence factor, use ConfidenceFactorAboveOrEqual(n).

  • percentile_count_distance>5 – This condition indicates the level of abnormality that will trigger the rule.

  • !WasRuleFired('A-FLSh-Count-Ac') – This condition ensures that the rule does not trigger if it has already triggered.

DependencyExpression

The value NA indicates that the rule is independent of other rules.

Aggregation

This attribute is required for asset-based rules. It includes the following parameters:

  • DataExpr – Specifies the expressions used to trigger the rule.

  • EventExpr – This value is usually TRUE.

  • ModelExpr – Specifies other expressions used in the rule, such as num_observations=0 or ConfidenceFactorAboveOrEqual().

The Corresponding Model

This is the model that the example rule above is based on. It models the number of failed logon events per day experienced by a specific asset. For more information about how the attributes of a model work, see Model Attributes.

A-FLSh-Count {
ModelTemplate = "Count of failed logons from host"
Description = "Models the number of failed logons from this asset"
Category = "Assets"
IconName = ""
ScopeType = "DEVICE"
Scope = """src_host"""
Feature = """DistinctCountBy(event_id,src_host,'failed-logon')"""
FeatureName = "activity"
FeatureType = "quantity"
TrainIf = """DistinctCountBy(event_id,src_host,'failed-logon')>0"""
ModelType = "NUMERICAL_CLUSTERED"
AgingWindow = ""
CutOff = "5"
Alpha = "1"
MaxNumberOfBins = "1000000"
ConvergenceFilter = "confidence_factor>=0.8"
HistogramEventTypes = ["sequence-end"]
SequenceTypes = [asset]
Disabled = "FALSE"
}
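The following Python script is an added illustration, not Exabeam code, of how the model and rule above fit together: it computes the model's daily DistinctCountBy feature from constructed events, builds the histogram the model trains on, and then evaluates the four RuleExpression conditions for a new day's count. The confidence factor and percentile_count_distance are simplified stand-ins (assumptions, marked in the comments), since the page only describes their role, not their exact formulas.

```python
from collections import Counter, defaultdict

PERCENTILE_THRESHOLD = 0.1   # PercentileThreshold in A-FLSh-Count-Ac
CONFIDENCE_THRESHOLD = 0.8   # global default used by ConfidenceFactorAboveOrEqual()
MIN_DISTANCE = 5             # percentile_count_distance>5
RULE_ID = "A-FLSh-Count-Ac"

# Constructed training history for one asset: 100 days of failed logons,
# mostly 2 per day, sometimes 3, rarely 4. Tuples: (day, src_host, event_type, event_id).
DAILY_PROFILE = [2] * 70 + [3] * 25 + [4] * 5
EVENTS = [(d, "ws-01", "failed-logon", f"ev-{d}-{i}")
          for d, n in enumerate(DAILY_PROFILE, 1) for i in range(n)]
# A successful logon (wrong event type) and a duplicate event_id: both must not count.
EVENTS += [(1, "ws-01", "logon", "ok-1"), (1, "ws-01", "failed-logon", "ev-1-0")]

def daily_feature(events, host):
    """DistinctCountBy(event_id, src_host, 'failed-logon'), evaluated once per day (sequence-end)."""
    ids = defaultdict(set)
    for day, src, etype, eid in events:
        if src == host and etype == "failed-logon":
            ids[day].add(eid)
    return {day: len(s) for day, s in ids.items()}

def train(daily):
    """Histogram of daily counts; TrainIf keeps only days with more than 0 failed logons."""
    return Counter(v for v in daily.values() if v > 0)

def confidence_factor(hist):
    # Assumed stand-in for the model's convergence measure (ConvergenceFilter):
    # confidence grows as observations concentrate in few bins.
    total = sum(hist.values())
    return 1 - len(hist) / total if total else 0.0

def evaluate(hist, value, fired):
    """Apply the RuleExpression to a new daily count; 'fired' tracks WasRuleFired() state."""
    total = sum(hist.values())
    threshold_count = PERCENTILE_THRESHOLD * total   # bins this small are in the bottom 10%
    num_observations = hist.get(value, 0)            # how often this daily count was seen before
    distance = threshold_count - num_observations    # assumed definition of percentile_count_distance
    triggered = (num_observations < threshold_count
                 and confidence_factor(hist) >= CONFIDENCE_THRESHOLD
                 and distance > MIN_DISTANCE
                 and RULE_ID not in fired)
    if triggered:
        fired.add(RULE_ID)   # later evaluations in this session see WasRuleFired() == True
    return triggered
```

With this history a day of 40 failed logons fires the rule, a day of 4 does not (its bin is rare but the distance condition fails), and a second evaluation in the same session is suppressed by the WasRuleFired check.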