- Get Started with Threat Detection Management
- Analytics Rules
- Analytics Rule Classifications
- Create an Analytics Rule
- 1. Define the analytics rule
- 2. Import the analytics rule
- 3. Enable the analytics rule
- 4. Apply the analytics rule to your environment
- factFeature Analytics Rule JSON Configuration
- profiledFeature Analytics Rule JSON Configurationh
- contextFeature Analytics Rule JSON Configuration
- numericCountProfiledFeature Analytics Rule JSON Configuration
- numericDistinctCountProfiledFeature Analytics Rule JSON Configuration
- numericSumProfiledFeature Analytics Rule JSON Configuration
- Manage Analytics Rules
- Tune Analytics Rules
- Share Analytics Rules
- Troubleshoot Analytics Rules
- Analytics Rules Syntax
- Advanced Analytics Rule Syntax vs. Analytics Rule Syntax
- Logical Expressions in Analytics Rule Syntax
- String Operations Using Analytics Rule Syntax
- Integer Operations Using Analytics Rule Syntax
- Time Operations Using Analytics Rule Syntax
- Network Operations Using Analytics Rule Syntax
- Context Operations Using Analytics Rule Syntax
- Entity Operations Using Analytics Rule Syntax
- Correlation Rule Operations Using Analytics Rule Syntax
- Monitor the Analytics Engine
- Correlation Rules
- Threat Scoring
Detect Absent Events or Fields Using Correlation Rules
Build sequences that detect a missing event or field that was previously present.
You may want to detect an absent event or field to identify if you've stopped receiving a specific log and diagnose issues with collecting or ingesting data.
You define the logic to detect an absent event or field in the correlation rule sequence when you create or edit a rule.
In most cases, you create two ordered sequences: the first sequence identifies the events or fields of interest; the second sequence defines the logic for detecting those absent events or fields. For the first sequence, query for events of interest, then define the condition statement as Trigger if the Count of an event or field is More than 1 within a certain period. For the second sequence, enter the same query as the first sequence, then define the condition statement as Trigger if the Count of an event or field is Less than 1 within the same period used in the first sequence. For example, to determine if you've stopped receiving host information from Event Viewer - Security events, create the following correlation rule:
If you use a context table in your query to identify events of interest, you only need to create one sequence where the the condition statement is Trigger if the Count of an event or field is less than 1 within a specified period. For example, to detect if you've stopped receiving BeyondTrust Secure Remote Access events whose host field value appears in the hostname context table, create the following correlation rule:
