Skip to main content

Security ContentExabeam Security Content in the Legacy Structure

Rule Attributes

Attributes are the expressions that comprise a rule. They contain the logical expressions that define unwanted or malicious behavior, or behavior you want to be alerted on. The table below provides definitions and examples of possible rule attributes.

Attribute

Definition

Example

Rule ID

A unique string identifier for a rule. It represents the name of the HOCON block in the rule configuration file. If a subsequent rule in the configuration file has the same key, the first rule will be overwritten.

This value can be used when searching for a rule.

PR-UP-F

RuleName

A free text description of the rule. This text appears in the UI. It can also be used to identify a rule.

"First print activity from printer for user"

RuleDescription

Text providing more details about the rule. This description appears in the UI when the rule details are expanded.

"This is the first time for this user to print from this printer"

ReasonTemplate

Text that appears in the UI to explain the rule. The following placeholder field is replaced with event-specific values when rendered in the UI:

{default|featureValue|histogram}

This placeholder field includes the following elements:

  • default – Indicates there is no special treatment for the value. Other options include asset, location.country, location.zone, time.day_of_week, time.time_of_week, user, or user.group.

  • featureValue – This element is replaced with a value. In the example to the right it will be replace by a printer name, which is the value from the FactFeatureName attribute. Other options include scopeValue, event, or field_name. The field must be persisted in Mongo for the value to display correctly.

  • histogram – This is an optional element that will link the value to a model instance when clicked.

"First print activity from printer {default|featureValue|histogram} for user"

AggregateReasonTemplate

Rules that trigger multiple times in a session will be aggregated when the session is reviewed in the UI. The RuleName field will appear as the header and, when the aggregated rule is expanded, the text in this AggregateReasonTemplate attribute will be displayed.

The following placeholder field is replaced with event-specific values when rendered in the UI:

{default|featureValue|histogram}

For an explanation of the elements of the placeholder field, see the ReasonTemplate attribute above.

"First print activity from printer for user: {default|featureValue|histogram}"

RuleType

Indicates the type of session or sequence a rule should be triggered in. Possible values include account-lockout, asset, database, endpoint, file, session, or web.

"session"

RuleCategory

Free text field describing a category or classification for a rule. Rules are grouped under this value in the rule editor UI.

"Data Loss Prevention"

ClassifyIf

Expressions that indicate when, or how often, a rule should trigger. The expression in the example on the right ensures that the rule will trigger once per printer name.

For model-based rules, these expressions work with the values in the RuleExpression attribute to further condition when the rule should trigger. The syntax and logic often match the expressions for the TrainIf attribute in the corresponding model.

For fact-based rules, the value for this expression must be TRUE, indicating that the rule should trigger when the conditions in the RuleExpression attribute are met.

"count(printer_name, 'print-activity')=1"

RuleEventTypes

Array indicating which type of event can trigger the rule.

[ "print-activity" ]

Disabled

Indicates whether or not the rule is disabled.

"FALSE"

Model

Indicates the model that a model-based rule depends on for trained data. If the rule is fact-based, the value for this attribute will be FACT.

"PR-UP"

FactFeatureName

This value will be shown when the placeholder featureValue parameter is included in the ReasonTemplate and AggregateReasonTemplate. See the definition above for the ReasonTemplate attribute.

"printer_name"

Score

Indicates how the rule should be scored based on its criticality. In Advanced Analytics I46 and later, the value can be an expression. For example:

multiply(field1,field2)

This score will be adjusted based on the data if Histogram shaping and Bayesian scoring are enabled.

Negative values can be used to reduce session risk.

"10.0"

ScoreTarget

For asset-based rules with both a destination and a source host, this attribute indicates where the scoring points should be applied. In the example on the right, the target is the src_host.

src_host

RuleLabels

Currently used for rule tagging to show the MITRE ATT&CK coverage. The example on the right indicates that the rule is tagged for MITRE technique T1052.

mitre = ["T1052"]

PercentileThreshold

Percentile below which values are considered anomalous. In the example of the right, the value 0.1 indicates that the rule considers events that appear below the 10th percentile to be abnormal.

The value of this attribute is used to calculate RuleExpression values that determine when a rule should trigger.

0.1

RuleExpression

Expression that defines under what conditions a rule should trigger. Expressions can incorporate any parsed field. If multiple conditions must be true for a rule to trigger, the conditions can be joined together with the && operator.

Rules that are based on user behavior often use expressions such as Count, SequenceCount, and DistinctCount to gather session or sequence data.

Rules based on asset activity can use CountBy to gather sequence data.

The following are some commonly used expressions for model-based rules:

  • num_observations – the number of times a feature must appear in order for the rule to trigger. In the example on the right, num_observations=0, a rule will trigger only the first time that a feature appears.

  • probability – the number of times the current value exists in the model divided by the total data points in the model.

  • total_events – the number of data points in the model.

  • num_bins– the number of bins in the model.

  • confidence_factor – the result of the calculation ((N-C)/N)^a, where N = total data points in the model, C = number of bins, and a = alpha.

  • ConfidenceFactorAboveOrEqual() – Ensures that the rule will only trigger if the confidence factor is above or equal to 0.8, which is a global confidence threshhold. The global threshhold is defined in the GlobalConfidenceFactor parameter in a configuration file.

    To specify a difference confidence factor, use ConfidenceFactorAboveOrEqual(n).

  • percentile_threshold_count – Sets a count threshold for the number of points in a histogram bin. Can be used to calculate when data is considered anomalous.

  • percentile_count_distance – Quantifies how anomalous a data point is.

"num_observations=0 && ConfidenceFactorAboveOrEqual()"

DependencyExpression

Indicates that triggering the rule is dependent on whether or not another rule for the same event has triggered. Other rules are referenced by ID and can be used in Boolean operations, for example: (R1 || R2) && !R3

A value of NA indicates that the rule is independent of other rules.

"NA"