Analytics Rules Syntax
When you create an analytics rule or an exclusion, use the correct syntax for the expressions and functions you write.

Analytics rule syntax:
- Is case-insensitive.
- Allows you to nest expressions using parentheses; for example, ((true || false) && (role != "guest")) ensures the expression applies to all users except ones with the guest role.
- Allows you to reference event fields directly in the expression, so the expression dynamically adapts to the actual data it's evaluating; for example, concat(user, "-", src_host) concatenates the values of user and src_host into a single string.
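To make the properties above concrete, here is a small evaluator for exactly the subset of the syntax quoted on this page (parentheses, ||, &&, ==, !=, string literals, true/false, concat() and event field references). It is an added example, not Exabeam's engine or documentation; the sample event, the choice to apply case-insensitivity to keywords and function names only, and the decision to reject unknown fields and unrecognised characters rather than ignore them are assumptions of this example.

```python
import re

# Constructed sample event; its field names match the expressions quoted above.
EVENT = {"user": "alice", "src_host": "wks-07", "role": "guest"}
# One token per match: parentheses, operators, comma, "string" literal or identifier.
TOKEN = re.compile(r'\(|\)|\|\||&&|!=|==|,|"[^"]*"|[A-Za-z_]\w*')

def tokenize(text):
    tokens = TOKEN.findall(text)
    if re.sub(r"\s", "", "".join(tokens)) != re.sub(r"\s", "", text):
        raise ValueError(f"unrecognised characters in {text!r}")  # nothing is silently skipped
    return tokens

def evaluate(expression, event=EVENT):
    toks = tokenize(expression)

    def take(expected=None):              # consume the next token, optionally checking it
        if not toks or (expected and toks[0] != expected):
            raise ValueError(f"expected {expected or 'more input'}, got {toks[:1]}")
        return toks.pop(0)

    def logic(level=0):                   # level 0 parses a || b, level 1 parses a && b
        op, operand = ("||", lambda: logic(1)) if level == 0 else ("&&", comparison)
        value = operand()
        while toks and toks[0] == op:     # both operands are always parsed (no short-circuit)
            take(); right = operand()
            value = bool(value or right) if op == "||" else bool(value and right)
        return value

    def comparison():                     # a == b, a != b
        value = term()
        if toks and toks[0] in ("==", "!="):
            op, right = take(), term()
            value = (value == right) if op == "==" else (value != right)
        return value

    def term():
        tok = take()
        if tok == "(":                    # nested expression
            value = logic(); take(")"); return value
        if tok.startswith('"'): return tok[1:-1]              # string literal
        word = tok.lower()                # keywords and function names are case-insensitive
        if word in ("true", "false"): return word == "true"
        if word == "concat":              # concat(a, b, ...) joins its arguments as one string
            take("("); parts = [logic()]
            while toks and toks[0] == ",":
                take(); parts.append(logic())
            take(")"); return "".join(str(p) for p in parts)
        if tok in event: return event[tok]                    # event field reference
        raise ValueError(f"unknown field or function {tok!r}")

    value = logic()
    if toks:                              # leftover tokens mean a malformed rule
        raise ValueError(f"unexpected token {toks[0]!r}")
    return value
```

With the sample event (role "guest"), the first expression from the page evaluates to False and becomes True once role is anything else, which is the "all users except guest" behaviour the page describes.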
With analytics rule syntax, you can create expressions that define logical relationships and retrieve, manipulate, and evaluate data for the analytics engine. The following pages cover each part of the syntax:
- Advanced Analytics Rule Syntax vs. Analytics Rule Syntax: Compare the syntax used to write expressions for Advanced Analytics rules in the Fusion and Exabeam Security Operations licenses with the syntax used to write expressions for analytics rules in the New-Scale Security Operations Platform.
- Logical Expressions in Analytics Rule Syntax: Define boolean or other logical relationships using analytics rule syntax.
- String Operations Using Analytics Rule Syntax: Manipulate and evaluate string data using analytics rule syntax.
- Integer Operations Using Analytics Rule Syntax: Perform mathematical calculations and other operations involving integers using analytics rule syntax.
- Time Operations Using Analytics Rule Syntax: Retrieve the time of day, day of the week, or day of the month using analytics rule syntax.
- Network Operations Using Analytics Rule Syntax: Evaluate IP addresses, hosts, and domains using analytics rule syntax.
- Context Operations Using Analytics Rule Syntax: Evaluate and retrieve data from context tables using analytics rule syntax.
- Entity Operations Using Analytics Rule Syntax: Evaluate and retrieve entity attributes using analytics rule syntax.
- Correlation Rule Operations Using Analytics Rule Syntax: Some analytics rules model a correlation rule. These expressions evaluate and retrieve the value of a correlation rule field from event context using analytics rule syntax.