
Threat Detection Management Guide

profiledFeature Analytics Rule JSON Configuration

As you define a profiledFeature analytics rule, review the example JSON configuration below and the required fields for a profiledFeature analytics rule.

Let's look at an example JSON configuration for a profiledFeature analytics rule:

{
    "version":"1",
    "ruleDefinitions": [
        {
            "templateId": "DM-Prof-WinSC-E-DE-DZ-test",
            "name": "First service creation on this endpoint for this destination zone",
            "description": "This is the first time a service creation has been observed on this endpoint for this destination network zone.",
            "applicableEvents": [
                {
                    "activity_type": "service-create",
                    "platform": "Windows"
                }
            ],
            "detectionReason": "First service creation on ${entity.device.dest} for network zone ${trigger.feature_value}",
            "type": "profiledFeature",
            "mitre": [
                {
                    "techniqueKey": "T1543",
                    "technique": "Create or Modify System Process: Windows Service",
                    "tactic": "Privilege Escalation",
                    "tacticKey": "TA0004"
                }
            ],
            "useCases": [
                "Malware"
            ],
            "scopeValue": "EntityId('type: Device && direction: Dest')",
            "featureValue": "dest_zone",
            "trainOnCondition": "true",
            "actOnCondition": "true",
            "scoreUnless": [
                "Prof-WinSC-E-O-DE"
            ],
            "anomalyThreshold": "90 days",
            "checkScopeMaturity": true,
            "checkFeatureMaturity": true,
            "maturityThreshold": "14 days",
            "familyId": "windows-service-creation-activity",
            "ruleGroupId": "wsc-dest-endpoint-access-group"
        }
    ]
}
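The detectionReason in this example contains two dynamic variables, ${entity.device.dest} and ${trigger.feature_value}. As an added illustration (this is not Exabeam code, and how the platform itself fills such templates is not described on this page, so the resolution behaviour below is an assumption), the following Python resolves those variables against a constructed event, trigger and entity context. It follows dotted paths into nested attributes and leaves any unresolvable placeholder visible in the output rather than rendering it as empty text, so a typo in a template shows up in the detection instead of disappearing silently:

```python
import re

# Only the three variable families documented for detectionReason are accepted.
PLACEHOLDER_RE = re.compile(r"\$\{(event|trigger|entity)\.([A-Za-z0-9_.]+)\}")


def _lookup(root, path):
    """Follow a dotted path such as device.dest through nested dicts; None if absent."""
    node = root
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def render_detection_reason(template, event, trigger, entity):
    """Substitute ${event.x}, ${trigger.x} and ${entity.x} in a detectionReason.

    Returns (text, missing). Placeholders with no value are left in place and
    listed in `missing` (assumed behaviour for this example, not the platform's).
    """
    sources = {"event": event, "trigger": trigger, "entity": entity}
    missing = []

    def substitute(match):
        value = _lookup(sources[match.group(1)], match.group(2))
        if value is None:
            missing.append(match.group(0))
            return match.group(0)
        return str(value)

    return PLACEHOLDER_RE.sub(substitute, template), missing


# Constructed sample context for the page's example rule (not real telemetry).
SAMPLE_EVENT = {"activity_type": "service-create", "platform": "Windows",
                "dest_host": "srv-file01", "dest_zone": "dmz"}
SAMPLE_TRIGGER = {"feature_value": "dmz", "scope_value": "srv-file01"}
SAMPLE_ENTITY = {"device": {"dest": "srv-file01"}}
SAMPLE_TEMPLATE = ("First service creation on ${entity.device.dest} "
                   "for network zone ${trigger.feature_value}")

if __name__ == "__main__":
    print(render_detection_reason(SAMPLE_TEMPLATE, SAMPLE_EVENT, SAMPLE_TRIGGER, SAMPLE_ENTITY))
```

With the sample context, the example template renders as "First service creation on srv-file01 for network zone dmz"; a template that references ${event.user.name} against the same event would keep that placeholder verbatim and report it in the missing list.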

An analytics rule is a JSON object that includes two mandatory fields: version and ruleDefinitions.

version indicates the layout version of the rule definition. It changes only when an update to the layout or to the New-Scale Security Operations Platform changes the format. Currently, the version is 1, written as the string "1".

ruleDefinitions contains one or more rule definitions. Its value is an array of objects, and each object is a rule definition: the fields that define an analytics rule and how it functions. Some fields are mandatory for the analytics rule to function while other fields are optional.

Ensure you include all necessary fields for your analytics rule to work as you expect and all field values meet the requirements for a profiledFeature rule:

Field

Description

Mandatory or Optional

Value Requirements

templateId

A unique identifier associated with the analytics rule.

Mandatory

  • Must be a string

  • Maximum 128 characters

  • For custom analytics rules, we recommend that you prefix the ID with C_.

name

The analytics rule name.

Mandatory

  • Must be a string

  • Maximum 256 characters

description

A description of the analytics rule.

Optional

  • Must be a string

  • Maximum 1024 characters

applicableEvents

The type of events the analytics rule evaluates.

Mandatory

  • Must be an array of objects. Each object is a condition an event must meet for the analytics rule to evaluate the event.

  • Conditions define the Common Information Model (CIM) fields an event must contain for the analytics rule to evaluate the event.

  • There is an OR relationship between conditions; an event must meet at least one of the conditions, not all of them, for the analytics rule to evaluate the event. If an event doesn't meet any of the conditions, the analytics rule doesn't evaluate the event.

detectionReason

A dynamic name describing the rule and why it triggered on a specific event. It elaborates on the name field with detail specific to the event on which the rule triggered, and is displayed as the detection reason in Threat Center detections.

Mandatory

  • Must be a string

  • Maximum 256 characters

  • To customize the detectionReason to the event on which it triggered, insert dynamic variables for events, triggers, and entities:

    • To insert a dynamic variable for an event, use the syntax ${event.field_name}.

    • To insert a dynamic variable for a trigger, use the syntax ${trigger.field_name}

    • To insert a dynamic variable for an entity, use the syntax ${entity.attribute_name}

type

The analytics rule type.

Mandatory

  • Must be the string "profiledFeature"

useCases

Exabeam use case associated with the analytics rule.

Optional

Must be an array of strings. Each string must be an existing Exabeam use case:

  • Abnormal Authentication & Access

  • Account Manipulation

  • Audit Tampering

  • Brute Force Attack

  • Cloud Data Protection

  • Compromised Credentials

  • Cryptomining

  • Data Access

  • Data Exfiltration

  • Data Leak

  • Destruction of Data

  • Evasion

  • Lateral Movement

  • Malware

  • Phishing

  • Physical Security

  • Privilege Abuse

  • Privilege Escalation

  • Privileged Activity

  • Ransomware

  • Workforce Protection

mitre

The MITRE ATT&CK® tactics and techniques associated with the analytics rule.

Optional

  • Must be an array of objects. Each object represents an ATT&CK technique and corresponding tactic.

  • Each object must contain the following keys and their values:

    • techniqueKey

    • technique

    • tactic

    • tacticKey

  • The value of techniqueKey must be an existing ATT&CK technique ID. It must correspond with the value of technique.

  • The value of technique must be an existing ATT&CK technique name. It must correspond with the value of techniqueKey.

  • The value of tactic must be an existing ATT&CK tactic name. It must correspond with the value of tacticKey.

  • The value of tacticKey must be an existing ATT&CK tactic ID. It must correspond with the value of tactic.

scopeValue

The event field or expression that defines the scope on which the model for the analytics rule trains; typically an object or entity. In the example, EntityId('type: Device && direction: Dest') scopes the model per destination device.

Mandatory

  • Must be a string

featureValue

The event field on which the model for the analytics rule trains for the scopeValue. For example, if scopeValue is hostname and featureValue is process, the model trains on the behavior of processes executed on hostnames.

Mandatory

  • Must be a string

  • Must be different from the value of scopeValue

trainOnCondition

The events on which the analytics rule trains.

Mandatory

  • Must be a string

  • If the analytics rule trains on all events, the string is "true"

  • If the analytics rule trains only on specific events, the string is an expression that defines the events on which the analytics rule trains. Ensure you use valid expression syntax.

actOnCondition

A high-level filter for the events on which the analytics rule triggers.

Mandatory

  • Must be a string

  • If the analytics rule triggers on all events, the string is "true"

  • If the analytics rule triggers only on specific events, the string is an expression that defines the events on which the analytics rule triggers. Ensure you use valid expression syntax.

scoreUnless

A list of analytics rules. If any analytics rule in the list triggers, the given analytics rule doesn't trigger.

Optional

  • Must be an array of strings

  • Each string must be the templateId of an existing analytics rule.

anomalyThreshold

The period of time the model for the analytics rule remembers and trains on an observed data point. After this period, the model forgets the data point and the analytics rule can trigger on the data point again.

Mandatory

  • Must be a string; for example, "90 days"

  • Must be a minimum of 1 day and maximum of 365 days

checkScopeMaturity

Whether the rule should learn more about the entities defined in scopeValue before triggering. Ensures the associated model has a good baseline for normal behavior.

Optional

  • Must be a boolean value

  • If true, you must include maturityThreshold

checkFeatureMaturity

Whether the rule should learn more about the entity attribute defined in featureValue before triggering. Ensures the associated model has a good baseline for what's normal.

Optional

  • Must be a boolean value

  • If true, you must include maturityThreshold

maturityThreshold

The duration of the training period for checkScopeMaturity and checkFeatureMaturity.

Optional

  • Include only if the value of checkScopeMaturity and/or checkFeatureMaturity is true.

  • Must be a string; for example, "14 days"

  • Must be a minimum of 1 day and maximum of 28 days

familyId

The analytics rule family to which the rule belongs.

Mandatory

  • Must be a string

  • Must refer to the ID of an existing analytics rule family

ruleGroupId

The analytics rule group to which the rule belongs.

Mandatory

  • Must be a string

  • Must refer to the ID of an existing analytics rule group

  • The analytics rule group must belong under the analytics rule family specified in the familyId field.
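To catch these requirements before a rule file is uploaded, here is an added example validator, written for this page rather than taken from Exabeam's tooling. It encodes the table above: the mandatory fields, the string length limits, the inclusive day ranges for anomalyThreshold and maturityThreshold, the scopeValue/featureValue and maturity cross-field rules, the useCases list, the four mitre keys, and the ${event.}, ${trigger.} and ${entity.} prefixes allowed in detectionReason. It deliberately does not check that familyId, ruleGroupId, scoreUnless targets or the ATT&CK IDs actually exist, because that needs the platform's catalog. SAMPLE_RULE is the page's example rule, reduced to the fields the checks exercise; treat it as constructed input.

```python
import json
import re

USE_CASES = {  # copied from the useCases list on this page
    "Abnormal Authentication & Access", "Account Manipulation", "Audit Tampering", "Brute Force Attack",
    "Cloud Data Protection", "Compromised Credentials", "Cryptomining", "Data Access", "Data Exfiltration",
    "Data Leak", "Destruction of Data", "Evasion", "Lateral Movement", "Malware", "Phishing",
    "Physical Security", "Privilege Abuse", "Privilege Escalation", "Privileged Activity", "Ransomware",
    "Workforce Protection",
}
MITRE_KEYS = ("techniqueKey", "technique", "tactic", "tacticKey")
DURATION_RE = re.compile(r"^(\d+) days?$")
PLACEHOLDER_RE = re.compile(r"\$\{([^}]*)\}")  # ${event.x}, ${trigger.x}, ${entity.x}

def _string(rule, field, errors, max_len=None, required=True):
    """Check a string field; returns its value, or None if absent or invalid."""
    value = rule.get(field)
    if value is None:
        if required:
            errors.append(f"{field}: mandatory field missing")
    elif not isinstance(value, str):
        errors.append(f"{field}: must be a string")
    elif max_len and len(value) > max_len:
        errors.append(f"{field}: longer than {max_len} characters")
    else:
        return value

def _duration(rule, field, lo, hi, errors):
    """Durations are strings such as "90 days"; the page's ranges are inclusive."""
    m = DURATION_RE.match(str(rule.get(field)))
    if not m:
        errors.append(f"{field}: must be a string such as '{hi} days'")
    elif not lo <= int(m.group(1)) <= hi:
        errors.append(f"{field}: must be between {lo} and {hi} days")

def validate_rule(rule):
    """Return the problems in one rule definition; an empty list means valid."""
    errors = []
    _string(rule, "templateId", errors, 128)
    _string(rule, "name", errors, 256)
    _string(rule, "description", errors, 1024, required=False)
    for var in PLACEHOLDER_RE.findall(_string(rule, "detectionReason", errors, 256) or ""):
        if not var.startswith(("event.", "trigger.", "entity.")):
            errors.append(f"detectionReason: unknown variable ${{{var}}}")
    if rule.get("type") != "profiledFeature":
        errors.append('type: must be the string "profiledFeature"')
    events = rule.get("applicableEvents")
    if not (isinstance(events, list) and events and all(isinstance(e, dict) for e in events)):
        errors.append("applicableEvents: must be a non-empty array of condition objects")
    scope = _string(rule, "scopeValue", errors)
    if scope is not None and _string(rule, "featureValue", errors) == scope:
        errors.append("featureValue: must differ from scopeValue")
    for field in ("trainOnCondition", "actOnCondition", "familyId", "ruleGroupId"):
        _string(rule, field, errors)
    for field in ("scoreUnless", "useCases"):  # optional arrays of strings
        items = rule.get(field, [])
        if not (isinstance(items, list) and all(isinstance(s, str) for s in items)):
            errors.append(f"{field}: must be an array of strings")
        elif field == "useCases":
            errors += [f"useCases: '{u}' is not an Exabeam use case" for u in items if u not in USE_CASES]
    for entry in rule.get("mitre") or []:
        if not (isinstance(entry, dict) and all(isinstance(entry.get(k), str) for k in MITRE_KEYS)):
            errors.append("mitre: each entry needs " + ", ".join(MITRE_KEYS))
    _duration(rule, "anomalyThreshold", 1, 365, errors)
    needs_maturity = False
    for field in ("checkScopeMaturity", "checkFeatureMaturity"):
        if field in rule and not isinstance(rule[field], bool):
            errors.append(f"{field}: must be a boolean")
        needs_maturity = needs_maturity or rule.get(field) is True
    if "maturityThreshold" in rule:
        _duration(rule, "maturityThreshold", 1, 28, errors)
        if not needs_maturity:
            errors.append("maturityThreshold: include only when a maturity check is true")
    elif needs_maturity:
        errors.append("maturityThreshold: required when a maturity check is true")
    return errors

def validate_document(text):
    """Validate a whole rule file; returns {templateId or index: [problems]}."""
    doc, problems = json.loads(text), {}
    if doc.get("version") != "1":
        problems["version"] = ['version: must be "1"']
    rules = doc.get("ruleDefinitions")
    if not (isinstance(rules, list) and rules):
        problems["ruleDefinitions"] = ["ruleDefinitions: must be a non-empty array"]
    for i, rule in enumerate(rules if isinstance(rules, list) else []):
        errs = validate_rule(rule) if isinstance(rule, dict) else ["rule definition must be an object"]
        if errs:
            problems[(isinstance(rule, dict) and rule.get("templateId")) or f"rule[{i}]"] = errs
    return problems

# Constructed sample: the page's example rule without description and mitre.
SAMPLE_RULE = {
    "templateId": "DM-Prof-WinSC-E-DE-DZ-test", "type": "profiledFeature",
    "name": "First service creation on this endpoint for this destination zone",
    "applicableEvents": [{"activity_type": "service-create", "platform": "Windows"}],
    "detectionReason": "First service creation on ${entity.device.dest} for network zone ${trigger.feature_value}",
    "useCases": ["Malware"], "scoreUnless": ["Prof-WinSC-E-O-DE"], "anomalyThreshold": "90 days",
    "scopeValue": "EntityId('type: Device && direction: Dest')", "featureValue": "dest_zone",
    "trainOnCondition": "true", "actOnCondition": "true", "maturityThreshold": "14 days",
    "checkScopeMaturity": True, "checkFeatureMaturity": True,
    "familyId": "windows-service-creation-activity", "ruleGroupId": "wsc-dest-endpoint-access-group",
}
SAMPLE_DOCUMENT = json.dumps({"version": "1", "ruleDefinitions": [SAMPLE_RULE]})
```

validate_document(SAMPLE_DOCUMENT) returns an empty dict for the page's example. Copy the rule, set featureValue equal to scopeValue, misspell a use case, drop maturityThreshold while a maturity check is still true, or set anomalyThreshold to "400 days", and each violation comes back as its own message keyed by the rule's templateId, which is the form that is easiest to wire into a pre-upload check in a rules repository.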