Rule Attributes
Attributes are the expressions that comprise a rule. They contain the logical expressions that define unwanted or malicious behavior, or behavior you want to be alerted on. The table below provides definitions and examples of possible rule attributes.
Attribute | Definition | Example |
---|---|---|
Rule ID | A unique string identifier for a rule. It represents the name of the HOCON block in the rule configuration file. If a subsequent rule in the configuration file has the same key, the first rule will be overwritten. This value can be used when searching for a rule. | |
RuleName | A free text description of the rule. This text appears in the UI. It can also be used to identify a rule. | |
RuleDescription | Text providing more details about the rule. This description appears in the UI when the rule details are expanded. | |
ReasonTemplate | Text that appears in the UI to explain the rule. The following placeholder field is replaced with event-specific values when rendered in the UI: This placeholder field includes the following elements: | |
AggregateReasonTemplate | Rules that trigger multiple times in a session will be aggregated when the session is reviewed in the UI. The following placeholder field is replaced with event-specific values when rendered in the UI: For an explanation of the elements of the placeholder field, see the | |
RuleType | Indicates the type of session or sequence a rule should be triggered in. Possible values include | |
RuleCategory | Free text field describing a category or classification for a rule. Rules are grouped under this value in the rule editor UI. | |
ClassifyIf | Expressions that indicate when, or how often, a rule should trigger. The expression in the example on the right ensures that the rule will trigger once per printer name. For model-based rules, these expressions work with the values in the For fact-based rules, the value for this expression must be | |
RuleEventTypes | Array indicating which type of event can trigger the rule. | |
Disabled | Indicates whether or not the rule is disabled. | |
Model | Indicates the model that a model-based rule depends on for trained data. If the rule is fact-based, the value for this attribute will be | |
FactFeatureName | This value will be shown when the placeholder | |
Score | Indicates how the rule should be scored based on its criticality. In Advanced Analytics I46 and later, the value can be an expression. For example: This score will be adjusted based on the data if Histogram shaping and Bayesian scoring are enabled. Negative values can be used to reduce session risk. | |
ScoreTarget | For asset-based rules with both a destination and a source host, this attribute indicates where the scoring points should be applied. In the example on the right, the target is the | |
RuleLabels | Currently used for rule tagging to show the MITRE ATT&CK coverage. The example on the right indicates that the rule is tagged for MITRE technique | |
PercentileThreshold | Percentile below which values are considered anomalous. In the example on the right, the value The value of this attribute is used to calculate | 0.1 |
RuleExpression | Expression that defines under what conditions a rule should trigger. Expressions can incorporate any parsed field. If multiple conditions must be true for a rule to trigger, the conditions can be joined together with the Rules that are based on user behavior often use expressions such as Rules based on asset activity can use The following are some commonly used expressions for model-based rules: | |
DependencyExpression | Indicates that triggering the rule is dependent on whether or not another rule for the same event has triggered. Other rules are referenced by ID and can be used in Boolean operations, for example: A value of | |
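The table describes several attributes whose interaction is easy to get wrong when writing or reviewing rules: a duplicate Rule ID silently replaces the earlier rule, ClassifyIf limits how often a rule fires per key, DependencyExpression gates one rule on another rule having fired for the same event, and negative Score values lower session risk. The following toy evaluator is an added example written for this page, not Exabeam's engine or rule syntax: rule expressions are plain Python callables instead of the product's expression language, the rule and event data are constructed, and the `KNOWN_PRINTERS` set stands in for a trained model.

```python
# Toy evaluator for the rule attributes in the table above. Added, constructed
# example: not Exabeam code, and not the product's HOCON rule syntax.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple, Union

Event = Dict[str, object]


@dataclass
class Rule:
    rule_id: str                                   # Rule ID: must be unique per file
    rule_name: str                                 # RuleName: free text shown in UI
    rule_event_types: List[str]                    # RuleEventTypes
    rule_expression: Callable[[Event], bool]       # RuleExpression
    score: Union[int, Callable[[Event], int]] = 0  # Score: constant or expression
    classify_if: Optional[Callable[[Event], str]] = None           # ClassifyIf key
    dependency_expression: Optional[Callable[[Set[str]], bool]] = None
    disabled: bool = False                         # Disabled


def load_rules(definitions: List[Rule]) -> Tuple[Dict[str, Rule], List[str]]:
    """Index rules by Rule ID. As the table states, a later rule with the same
    ID overwrites the earlier one; the duplicate IDs are returned so a reviewer
    can catch a rule that was silently lost at load time."""
    rules: Dict[str, Rule] = {}
    duplicates: List[str] = []
    for rule in definitions:
        if rule.rule_id in rules:
            duplicates.append(rule.rule_id)
        rules[rule.rule_id] = rule
    return rules, duplicates


def evaluate_session(rules: Dict[str, Rule], events: List[Event]) -> Dict[str, object]:
    """Run every enabled rule over each event of one session; return the
    triggers and the summed score (negative scores reduce session risk)."""
    triggers: List[Tuple[str, int]] = []
    seen_keys: Dict[str, Set[str]] = {rid: set() for rid in rules}  # ClassifyIf state
    total = 0
    for idx, event in enumerate(events):
        fired_for_event: Set[str] = set()  # what DependencyExpression inspects
        for rule in rules.values():
            if rule.disabled or event["type"] not in rule.rule_event_types:
                continue
            if rule.dependency_expression and not rule.dependency_expression(fired_for_event):
                continue
            if not rule.rule_expression(event):
                continue
            if rule.classify_if:
                key = rule.classify_if(event)
                if key in seen_keys[rule.rule_id]:
                    continue  # already triggered once for this key in the session
                seen_keys[rule.rule_id].add(key)
            fired_for_event.add(rule.rule_id)
            triggers.append((rule.rule_id, idx))
            total += rule.score(event) if callable(rule.score) else rule.score
    return {"triggers": triggers, "score": total}


KNOWN_PRINTERS = {"PRN-LOBBY"}   # constructed stand-in for a trained model
TRUSTED_HOSTS = {"ws-01"}        # constructed

RULE_DEFINITIONS = [  # constructed rules; IDs and names are hypothetical
    Rule("PRINT-NEW-PRINTER", "Print to a printer not seen before", ["print"],
         rule_expression=lambda e: e["printer"] not in KNOWN_PRINTERS,
         score=10, classify_if=lambda e: str(e["printer"])),  # once per printer name
    Rule("PRINT-LARGE-JOB", "Large job on a new printer", ["print"],
         rule_expression=lambda e: e["pages"] > 100,
         score=lambda e: min(e["pages"] // 10, 30),            # Score as an expression
         dependency_expression=lambda fired: "PRINT-NEW-PRINTER" in fired),
    Rule("LOGON-FAIL", "Failed logon", ["failed-logon"],
         rule_expression=lambda e: True, score=5),
    Rule("LOGON-FAIL", "Failed logon (duplicate ID, overwrites the first)",
         ["failed-logon"], rule_expression=lambda e: True, score=7),
    Rule("TRUSTED-HOST", "Activity from a trusted host", ["print", "failed-logon"],
         rule_expression=lambda e: e["host"] in TRUSTED_HOSTS,
         score=-5, classify_if=lambda e: str(e["host"])),      # negative, once per host
]

SESSION_EVENTS: List[Event] = [  # constructed sample session
    {"type": "print", "printer": "PRN-LOBBY", "pages": 3, "host": "ws-01"},
    {"type": "print", "printer": "PRN-UNKNOWN", "pages": 250, "host": "ws-01"},
    {"type": "print", "printer": "PRN-UNKNOWN", "pages": 2, "host": "ws-01"},
    {"type": "failed-logon", "user": "alice", "host": "ws-01"},
]


def run_example() -> Dict[str, object]:
    rules, duplicates = load_rules(RULE_DEFINITIONS)
    result = evaluate_session(rules, SESSION_EVENTS)
    result["duplicate_ids"] = duplicates
    return result


if __name__ == "__main__":
    print(run_example())
```

Walking through the sample session: the trusted-host rule fires once (its ClassifyIf key is the host, so the later events are suppressed), the new-printer rule fires on the first print to `PRN-UNKNOWN` but not on the second, the large-job rule fires only on the event where the new-printer rule also fired, and the failed logon scores 7 rather than 5 because the second `LOGON-FAIL` definition replaced the first. The returned `duplicate_ids` list is the check worth adding to any rule-file review, since the overwrite itself produces no error.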