
Threat Detection Management Guide

factFeature Analytics Rule JSON Configuration

As you define a factFeature analytics rule, review the structure and required fields described here.

Let's look at an example JSON configuration for a factFeature analytics rule:

{
    "version":"1",
    "ruleDefinitions": [
        {
            "templateId": "DM-Fact-BPM-Public-AccessBlock",
            "name": "Public access block was removed from an AWS bucket",
            "description": "The public access block of a bucket or an account in AWS was modified to remove public access prevention. This activity enables the bucket or the entire account to become public to all users.",
            "applicableEvents": [
                {
                    "activity_type": "bucket-accessblock-modify",
                    "platform": "AWS"
                }
            ],
            "detectionReason": "The public access block of bucket ${event.bucket_name} was removed",
            "type": "factFeature",
            "mitre": [
                {
                    "techniqueKey": "T1530",
                    "technique": "Data from Cloud Storage",
                    "tactic": "Collection",
                    "tacticKey": "TA0009"
                }
            ],
            "useCases": [
                "Cloud Data Protection"
            ],
            "trainOnCondition": "true",
            "actOnCondition": "containsAny(toLower(operation), 'putbucketpublicaccessblock', 'putaccountpublicaccessblock') && (toLower(restrict_public_buckets)='false' || toLower(block_public_policy)='false' || toLower(block_public_acls)='false' || toLower(ignore_public_acls)='false')",
            "value": "true",
            "suppressThreshold": "10 minutes",
            "suppressScope": "<suppression scope expression; the value is truncated in the source>",
            "scoreUnless": [
                "Prof-WinSC-E-O-DE"
            ],
            "familyId": "bucket-permission-modification-activity",
            "ruleGroupId": "bpm-public-group"
        }
    ]
}

An analytics rule is a JSON object that includes two mandatory fields: version and ruleDefinitions.

version indicates the layout version of the rule JSON. It changes only when the layout or the New-Scale Security Operations Platform is updated. Currently, the version is 1.

ruleDefinitions contains one or more rule definitions. The value of ruleDefinitions is an array of objects, and each object is a rule definition. A rule definition contains the fields that define an analytics rule and how it functions. Some fields are mandatory for the analytics rule to function, while other fields are optional.

Ensure you include all necessary fields for your analytics rule to work as you expect and ensure all field values meet the requirements for a factFeature rule:

Each field is listed below with its description, whether it is mandatory or optional, and its value requirements.

templateId

A unique identifier associated with the analytics rule.

Mandatory

  • Must be a string

  • Maximum 128 characters

  • For custom analytics rules, we recommend that you prefix the ID with C_.

name

The analytics rule name.

Mandatory

  • Must be a string

  • Maximum 256 characters

description

A description of the analytics rule.

Optional

  • Must be a string

  • Maximum 1024 characters

applicableEvents

The type of events the analytics rule evaluates.

Mandatory

  • Must be an array of objects. Each object is a condition an event must meet for the analytics rule to evaluate the event.

  • Conditions define the Common Information Model (CIM) fields an event must contain for the analytics rule to evaluate the event.

  • There is an OR relationship between conditions: an event must meet at least one of the conditions, not all of them, for the analytics rule to evaluate the event. If an event doesn't meet any of the conditions, the analytics rule doesn't evaluate the event.

detectionReason

A dynamic name describing the rule and why it triggered on a specific event. It elaborates on the name field and adds detail about the specific event on which the rule triggered. It is displayed in Threat Center detections.

The detection reason for a Threat Center analytics rule detection.

Mandatory

  • Must be a string

  • Maximum 256 characters

  • To customize the detectionReason to the event on which it triggered, insert dynamic variables for events, triggers, and entities:

    • To insert a dynamic variable for an event, use the syntax ${event.field_name}.

    • To insert a dynamic variable for a trigger, use the syntax ${trigger.field_name}.

    • To insert a dynamic variable for an entity, use the syntax ${entity.attribute_name}

type

The analytics rule type.

Mandatory

  • Must be the string "factFeature"

mitre

The MITRE ATT&CK® tactics and techniques associated with the analytics rule.

Optional

  • Must be an array of objects. Each object represents an ATT&CK technique and corresponding tactic.

  • Each object must contain the following keys and their values:

    • techniqueKey

    • technique

    • tactic

    • tacticKey

  • The value of techniqueKey must be an existing ATT&CK technique ID. It must correspond with the value of technique.

  • The value of technique must be an existing ATT&CK technique name. It must correspond with the value of techniqueKey.

  • The value of tactic must be an existing ATT&CK tactic name. It must correspond with the value of tacticKey.

  • The value of tacticKey must be an existing ATT&CK tactic ID. It must correspond with the value of tactic.

useCases

Exabeam use case associated with the analytics rule.

Optional

Must be an array of strings. Each string must be an existing Exabeam use case:

  • Abnormal Authentication & Access

  • Account Manipulation

  • Audit Tampering

  • Brute Force Attack

  • Cloud Data Protection

  • Compromised Credentials

  • Cryptomining

  • Data Access

  • Data Exfiltration

  • Data Leak

  • Destruction of Data

  • Evasion

  • Lateral Movement

  • Malware

  • Phishing

  • Physical Security

  • Privilege Abuse

  • Privilege Escalation

  • Privileged Activity

  • Ransomware

  • Workforce Protection

trainOnCondition

The events on which the analytics rule trains.

Optional

  • Must be a string

  • If the analytics rule trains on all events, the string is "true"

  • If the analytics rule trains on specific events, the string is an expression that defines the events on which the analytics rule trains. Ensure you use valid expression syntax.

actOnCondition

A high-level filter for the events on which the analytics rule triggers.

Optional

  • Must be a string

  • If the analytics rule triggers on all events, the string is "true"

  • If the analytics rule triggers on specific events, the string is an expression that defines the events on which the analytics rule triggers. Ensure you use valid expression syntax.

value

The expression used to evaluate whether the conditions required for the rule to trigger are true.

Mandatory

  • Must be a string

  • If all conditions are met when the analytics rule triggers, then string is "true". For most analytics rules, the value of value is "true".

  • To differentiate between triggers, string can be an expression that defines the specific conditions required for the rule to trigger. Ensure you use valid expression syntax.

suppressThreshold

How long the analytics rule is suppressed after it's first triggered.

When a rule over-triggers, it creates noise, can indicate that it's detecting false positives, and causes alert fatigue. To prevent the analytics rule from over-triggering, you can suppress the rule from triggering repeatedly.

For example, if you set suppressThreshold to two minutes and the analytics rule triggers once, then triggers again within two minutes, the second trigger is suppressed.

Mandatory

  • Must be a string

  • Must be a minimum of 1 minute and maximum of 10 minutes

suppressScope

The field value on which the analytics rule is suppressed from triggering.

To prevent the analytics rule from over-triggering, you can suppress the rule from triggering repeatedly on the values of a specified field. For example, you can suppress the rule from over-triggering on a specific user or an entire network.

When the analytics rule is suppressed, it triggers on the first event with a specific field value but is suppressed for all subsequent events with the same field value.

Optional

  • Must be a string

  • String is an expression that defines the field value on which the analytics rule is suppressed from triggering. Ensure you use valid expression syntax.

scoreUnless

A list of analytics rules. If any analytics rule in the list triggers, the given analytics rule doesn't trigger.

Optional

  • Must be an array of strings

  • Each string must be the templateId of an existing analytics rule.

familyId

The analytics rule family to which the rule belongs.

Mandatory

  • Must be a string

  • Must refer to the ID of an existing analytics rule family

ruleGroupId

The analytics rule group to which the rule belongs.

Mandatory

  • Must be a string

  • Must refer to the ID of an existing analytics rule group

  • The analytics rule group must belong to the analytics rule family specified in the familyId field.
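The following validator is an added example, not Exabeam's own code, that checks a rule file against the field requirements in the table above before it is loaded. It assumes suppressThreshold is written as "N minute(s)" as in the page's example; references to existing rule families, groups and templateIds cannot be checked offline and are left to the platform.

```python
import json
import re

# Constraints taken from the field table for factFeature rules.
MANDATORY = ("templateId", "name", "applicableEvents", "detectionReason", "type",
             "value", "suppressThreshold", "familyId", "ruleGroupId")
MAX_LEN = {"templateId": 128, "name": 256, "description": 1024, "detectionReason": 256}
MITRE_KEYS = ("techniqueKey", "technique", "tactic", "tacticKey")
USE_CASES = {
    "Abnormal Authentication & Access", "Account Manipulation", "Audit Tampering",
    "Brute Force Attack", "Cloud Data Protection", "Compromised Credentials", "Cryptomining",
    "Data Access", "Data Exfiltration", "Data Leak", "Destruction of Data", "Evasion",
    "Lateral Movement", "Malware", "Phishing", "Physical Security", "Privilege Abuse",
    "Privilege Escalation", "Privileged Activity", "Ransomware", "Workforce Protection"}


def validate_rule(rule):
    """Return the list of problems in one rule definition; an empty list means it passes."""
    problems = [f"missing mandatory field {k}" for k in MANDATORY if k not in rule]
    for key, limit in MAX_LEN.items():
        if key in rule and (not isinstance(rule[key], str) or len(rule[key]) > limit):
            problems.append(f"{key} must be a string of at most {limit} characters")
    if rule.get("type") != "factFeature":
        problems.append('type must be the string "factFeature"')
    events = rule.get("applicableEvents")
    if not isinstance(events, list) or not events or not all(isinstance(e, dict) for e in events):
        problems.append("applicableEvents must be a non-empty array of objects")
    for entry in rule.get("mitre", []):
        missing = [k for k in MITRE_KEYS if k not in entry]
        if missing:
            problems.append(f"mitre object is missing {missing}")
    problems += [f"unknown use case {uc!r}" for uc in rule.get("useCases", []) if uc not in USE_CASES]
    # Assumption: suppressThreshold is written as "<N> minute(s)", as in the page's example.
    m = re.fullmatch(r"(\d+) minutes?", str(rule.get("suppressThreshold", "")))
    if not m or not 1 <= int(m.group(1)) <= 10:
        problems.append("suppressThreshold must be between 1 minute and 10 minutes")
    for key in ("trainOnCondition", "actOnCondition", "value", "suppressScope"):
        if key in rule and not isinstance(rule[key], str):
            problems.append(f"{key} must be a string")
    return problems


def validate_document(doc):
    """Validate a rule file (JSON text or parsed dict); returns {templateId: [problems]}."""
    doc = json.loads(doc) if isinstance(doc, str) else doc
    if str(doc.get("version")) != "1" or not isinstance(doc.get("ruleDefinitions"), list):
        raise ValueError('document needs "version": "1" and a ruleDefinitions array')
    return {r.get("templateId", "<no templateId>"): validate_rule(r) for r in doc["ruleDefinitions"]}
```

Run it over every rule file before deployment; a non-empty problem list for a templateId means the platform would reject or silently mis-handle that rule.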