Exabeam Security Content in the Legacy Structure

Model-based Rule - User

This example shows a rule based on user behavior. It is used to detect first-time security alerts for a user. Because the rule uses historical data from a corresponding model, it is considered a model-based rule. The corresponding model is named in the value of the Model attribute. For more information about the rule attributes, see the table below the example.

For a look at the model attributes on which the rule is based, see The Corresponding Model below the rule.

The Rule

SA-UA-F {
  RuleName = "First security alert name for user"
  RuleDescription = "This is the first occurrence of this security alert name for the user"
  ReasonTemplate = "First security alert with name {default|featureValue|histogram} for user"
  AggregateReasonTemplate = "First security alert name for user: {default|featureValue|histogram}"
  RuleType = "session"
  RuleCategory = "Security Alert"
  ClassifyIf = """count(alert_name,'security-alert')=1"""
  RuleEventTypes = [  "security-alert"  ]
  Disabled = "FALSE"
  Model = "SA-UA"
  FactFeatureName = "alert_name"
  Score = "10.0"
  RuleLabels {
    mitre = ["T1078"]
  }
  PercentileThreshold = "0.1"
  RuleExpression = """num_observations=0"""
  DependencyExpression = "NA"
}

Rule attribute descriptions

RuleType

The value session indicates that the rule is associated with a session.

RuleCategory

A free text description of the use case for the rule. The value Security Alert indicates that the rule deals with security alert activity.

ClassifyIf

An expression that indicates the frequency with which the model-based rule should trigger. In this example, the following expression indicates that the rule should trigger once per alert_name in security-alert events:

count(alert_name,'security-alert')=1

RuleEventTypes

An array that indicates which events can trigger the rule. In this example, the rule is triggered when a security-alert event occurs.

Model

Indicates the model that the rule depends on for trained data. In this example, the value indicates that the rule is based on the SA-UA model. For a look at the attributes of this model, see The Corresponding Model below.

FactFeatureName

The field whose value is displayed wherever featureValue appears in the ReasonTemplate and the AggregateReasonTemplate. In this example, the feature value is alert_name, which is a parsed field. For more information about how these attributes work together, see Rule Attributes.

Score

Indicates how the rule should be scored based on its criticality. In this example, the value is 10.0.

RuleLabels

Used for rule tagging. In this example it indicates that the rule is tagged for MITRE technique T1078.

PercentileThreshold

The percentile below which values are considered anomalous. In this example, the value 0.1 indicates that the rule considers events that appear below the 10th percentile to be abnormal.

RuleExpression

Expression that defines under what conditions the rule should trigger. In this example, the following expression indicates that the rule should trigger only if the current value has not been observed before (in other words, only for a first occurrence of each alert):

num_observations=0

DependencyExpression

The value NA indicates that the rule is independent of other rules.

The Corresponding Model

This is the model that the example rule above is based on. It models security alert names for a user. For more information about how the attributes of a model work, see Model Attributes.

SA-UA {
  ModelTemplate = "Security alert names for user"
  Description = "Models security alert names for the user"
  Category = "Other"
  IconName = ""
  ScopeType = "USER"
  Scope = """user"""
  Feature = """alert_name"""
  FeatureName = "alert_name"
  FeatureType = "alert_name"
  TrainIf = """count(alert_name,'security-alert')=1"""
  ModelType = "CATEGORICAL"
  AgingWindow = "32"
  CutOff = "5"
  Alpha = "0.8"
  MaxNumberOfBins = "1000000"
  ConvergenceFilter = "confidence_factor>=0.8"
  HistogramEventTypes = [  "security-alert"  ]
  Disabled = "FALSE"
}
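To make the interplay of the rule attributes and the model attributes concrete, the following added Python sketch (not Exabeam code) walks a constructed event stream through a simplified SA-UA histogram and the SA-UA-F rule: ClassifyIf and TrainIf limit evaluation and training to the first security-alert per alert_name in a session, and RuleExpression fires only when num_observations=0. It assumes the rule is evaluated against the model before the event trains it, and it does not model AgingWindow, CutOff, Alpha or ConvergenceFilter.

```python
from collections import defaultdict

# Constructed sample events: (user, session_id, event_type, alert_name)
EVENTS = [
    ("alice", "s1", "security-alert", "Malware Detected"),
    ("alice", "s1", "security-alert", "Malware Detected"),  # repeat in same session
    ("alice", "s1", "logon", None),                          # not in RuleEventTypes
    ("alice", "s2", "security-alert", "Malware Detected"),  # already observed for alice
    ("alice", "s2", "security-alert", "Brute Force"),        # first time for alice
    ("bob",   "s3", "security-alert", "Malware Detected"),  # first time for bob
]

RULE_EVENT_TYPES = {"security-alert"}          # RuleEventTypes / HistogramEventTypes
SCORE = 10.0                                    # Score
REASON_TEMPLATE = "First security alert with name {default|featureValue|histogram} for user"


class SaUaModel:
    """Simplified SA-UA model: a categorical histogram of alert_name per user (Scope = user)."""

    def __init__(self):
        self.hist = defaultdict(lambda: defaultdict(int))  # user -> alert_name -> count

    def num_observations(self, user, alert_name):
        return self.hist[user][alert_name]

    def train(self, user, alert_name):
        self.hist[user][alert_name] += 1


def render_reason(alert_name):
    """Substitute FactFeatureName (alert_name) for the featureValue placeholder."""
    return REASON_TEMPLATE.replace("{default|featureValue|histogram}", alert_name)


def evaluate(events):
    """Return (user, session, alert_name, score, reason) for each rule trigger."""
    model = SaUaModel()
    session_counts = defaultdict(int)  # (session, alert_name) -> count(alert_name,'security-alert')
    triggers = []
    for user, session, event_type, alert_name in events:
        if event_type not in RULE_EVENT_TYPES:
            continue
        session_counts[(session, alert_name)] += 1
        # ClassifyIf (and the identical TrainIf): act only on the first alert of this name per session
        if session_counts[(session, alert_name)] != 1:
            continue
        # RuleExpression: num_observations=0 means this alert name has never been seen for this user
        if model.num_observations(user, alert_name) == 0:
            triggers.append((user, session, alert_name, SCORE, render_reason(alert_name)))
        model.train(user, alert_name)  # assumption: training happens after rule evaluation
    return triggers
```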