contextFeature Analytics Rule JSON Configuration

As you define your own contextFeature analytics rule, review the structure and required fields for a contextFeature analytics rule.

Let's look at an example JSON configuration for a contextFeature analytics rule:

{
    "version":"1",
    "ruleDefinitions": [
        {
            "templateId": "DM-Cntx-PC-Critical-Sniffer",
            "name": "Process is a sniffing tool: True\\False",
            "description": "Process is a sniffing tool: True\\False",
            "applicableEvents": [
                {
                    "activity_type": "process-create"
                }
            ],
            "detectionReason": "Process is a sniffing tool: ${trigger.value}",
            "type": "contextFeature",
            "mitre": [
                {
                    "techniqueKey": "T1040",
                    "technique": "Network Sniffing",
                    "tactic": "Credential Access",
                    "tacticKey": "TA0006"
                },
                {
                    "techniqueKey": "T1040",
                    "technique": "Network Sniffing",
                    "tactic": "Discovery",
                    "tacticKey": "TA0007"
                }
            ],
            "useCase": [
                    "Compromised Credentials"
            ],
            "trainOnCondition": "true",
            "actOnCondition": "true",
            "value": "ContextListContains('Net Sniffer Processes', toLower(process_name))",
            "familyId": "process-creation-activity",
            "ruleGroupId": "pc-critical-process-context-group"
        }
    ]
}

An analytics rule is a JSON object that includes two mandatory fields: version and ruleDefinitions.

version indicates the layout version. It tracks the layout version if there are any updates to the layout or the New-Scale Security Operations Platform. Currently, the version is 1.

ruleDefinitions contains one or more rule definitions. The value of ruleDefinitions is an array. The array contains an object, and each object is a rule definition. The rule definition contains the fields that define an analytics rule and how it functions. Some fields are mandatory for the analytics rule to function while other fields are optional.

Ensure you include all necessary fields for your analytics rule to work as you expect and ensure all field values meet the requirements for a contextFeature rule:

Field	Description	Mandatory or Optional	Value Requirements
templateId	A unique identifier associated with the analytics rule.	Mandatory	Must be a string Maximum 128 characters For custom analytics rules, we recommend that you prefix the ID with C_.
name	The analytics rule name.	Mandatory	Must be a string Maximum 256 characters
description	A description of the analytics rule.	Optional	Must be a string Maximum 1024 characters
applicableEvents	The type of events the analytics rule evaluates.	Mandatory	Must be an array of objects. Each object is a condition an event must meet for the analytics rule to evaluate the event. Conditions define the Common Information Model (CIM) fields an event must contain for the analytics rule to evaluate the event. There is an or relationship between conditions; an event must meet at least one of, not all, the conditions for the analytics rule to evaluate the event. If an event doesn't meet any of the conditions, the analytics rule doesn't evaluate the event.
detectionReason	A dynamic name describing the rule and why it triggered on a specific event. It elaborates on the `name` field and adds detail specific to the specific event on which it triggered. It is displayed in Threat Center detections:	Mandatory	Must be a string Maximum 256 characters To customize the `detectionReason` to the event on which it triggered, insert dynamic variables for events, triggers, and entities: To insert a dynamic variable for an event, use the syntax `${event.field_name}`. To insert a dynamic variable for a trigger, use the syntax c`${trigger.fieldname}` To insert a dynamic variable for an entity, use the syntax `${entity.attribute_name}`
type	The analytics rule type.	Mandatory	Must be the string `"contextFeature"`
mitre	The MITRE ATT&CK^® tactics and techniques associated with the analytics rule.	Optional	Must be an array of objects. Each object represents an ATT&CK technique and corresponding tactic. Each object must contain the following keys and their values: `techniqueKey` `technique` `tactic` `tacticKey` The value of `techniqueKey` must be an existing ATT&CK technique ID. It must correspond with the value of `technique`. The value of `technique` must be an existing ATT&CK technique name. It must correspond with the value of `techniqueKey`. The value of `tactic` must be an existing ATT&CK tactic name. It must correspond with the value of `tacticKey`. The value of `tacticKey` must be an existing ATT&CK tactic ID. It must correspond with the value of `tactic`.
useCases	Exabeam use case associated with the analytics rule.	Optional	Must be an array of strings. Each string must be an existing Exabeam use case: Abnormal Authentication & Access Account Manipulation Audit Tampering Brute Force Attack Cloud Data Protection Compromised Credentials Cryptomining Data Access Data Exfiltration Data Leak Destruction of Data Evasion Lateral Movement Malware Phishing Physical Security Privilege Abuse Privilege Escalation Privileged Activity Ransomware Workforce Protection
trainOnCondition	The events on which the analytics rule trains.	Optional	Must be a string If the analytics rule trains on all events, string is `"true"` If the analytics rule triggers on specific events, string is an expression that defines the events on which the analytics rule trains. Ensure you use valid expression syntax.
actOnCondition	A high-level filter for the events on which the analytics rule triggers.	Optional	Must be a string If the analytics rule triggers on all events, string is `"true"` If the analytics rule triggers on specific events, string is an expression that defines the events on which the analytics rule triggers. Ensure you use valid expression syntax.
value	The specific piece of context data the analytics rule identifies.	Mandatory	Must be a string String must be a valid expression that defines the context data the analytics rule identifies. Ensure you use valid expression syntax.
scopeValue	The event field on which the model for the analytics rule trains; typically an object or entity.	Mandatory	Must be a string Must refer to an existing entity attribute Must use valid expression syntax
scoreUnless	A list of analytics rules. If any analytics rule in the list triggers, the given analytics rule doesn't trigger.	Optional	Must be an array of strings Each string must be an analytics rule `templateID`.
anomalyThreshold	The period of time the model for the analytics rule remembers and trains on an observed data point. After this period, the model forgets the data point and the analytics rule can trigger on the data point again.	Mandatory	Must be a string; for example, `"90 days"` Must be a minimum of 90 days and maximum of 120 days
checkScopeMaturity	Whether the rule should learn more about the entities defined in `scopeValue` before triggering. Ensures the associated model has a good baseline for normal behavior.	Optional	Must be a boolean value If true, you must include
maturityThreshold	The duration of the training period for `checkScopeMaturity`.	Optional	Must be a string; for example, `"14 days"` Must be a minimum of 1 day and maximum of 28 days
query	A query that retrieves the specific events that triggered the analytics rule. In many cases, `query` retrieves the same events defined under `applicableEvents`. The events retrieved using `query` are shown in the Threat Center Threat Timeline, under View All Logs:	Mandatory	Must be a string Must use valid expression syntax
familyId	The analytics rule family to which the rule belongs.	Mandatory	Must be a string Must refer to the ID of an existing analytics rule family
ruleGroupId	The analytics rule group to which the rule belongs.	Mandatory	Must be a string Must refer to the ID of an existing analytics rule group The analytics rule group must belong under the analytics rule family specified in the familyId field.

Threat Detection ManagementThreat Detection Management Guide

Table of ContentsTable of Contents

contextFeature Analytics Rule JSON Configuration