Creating Matching or Join Conditions
This topic applies to standard rules only. It provides examples for creating matching or join conditions and suggestions for optimizing the use of resources to process such rules.
About:
A matching or join condition is a condition statement that joins two data fields with the Matching or Join condition logic operator on the Conditions tab. Creating matching or join conditions using data fields provides the flexibility of creating conditions without knowing the specific data field's values. You can create the following join data field conditions:
- Same data field for two events. Use this format: EventOne <data field A> <logic operator> EventTwo <data field A>. For example, EventOne Source Address = EventTwo Source Address. In this example, both event data fields must have the same value. This rule is useful when monitoring activity from an unknown Source Address that is generating numerous events.
- Different data fields for two events. Use this format: EventOne <data field A> <logic operator> EventTwo <data field B>. For example, EventOne Source Address = EventTwo Target Address. In this example, the Source Address of the first event must equal the Target Address of the second event.
- Different data fields for the same event. Use this format: EventOne <data field A> <logic operator> EventOne <data field B>. For example, EventOne Source Address = EventOne Target Address. In this example, the Source Address must equal the Target Address of the same event.

Note: There is a relatively high memory cost for join rules with low-selectivity join conditions (such as same source IP address or same target IP address). Just like SQL queries, the more selective the conditions (the conditions on the individual events as well as the join conditions), the less expensive the rule is to execute, because fewer events match.
In some cases you can reduce the correlation engine's memory consumption by as much as 50% with the following techniques. When authoring a rule, order the conditions on the events to be correlated (or joined) so that the most restrictive conditions come first; for example, add join conditions such as event1's Source Address = event2's Source Address or event2's Detect Time = event1's Detect Time.
If your condition specifies more than one event alias, you can set any or all of them with the Consume After Match flag. This means that if a matching event is found and the rule is triggered, the rule will not correlate the event any further. Without the Consume After Match flag, the event is kept in working memory even after a matching event is found and the rule has been triggered. The event alias continues to be combined with events matching other aliases until the event itself expires.
If enabled, the Consume flag appears next to the event alias on the Conditions tab: EventOne (Consume after match)
Tip: See also Optimizing the Evaluation of Event Conditions.
Note: Lightweight and pre-persistence rules have only one event; therefore, the Consume After Match option is not available for them.
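As an added example (not ArcSight product code and not part of the original page), the following Python script simulates how a correlation engine evaluates the three join-condition forms described above, why selective per-event conditions reduce the join work, and how Consume After Match changes the number of rule firings. The Engine, Rule and Join classes, the event field names (name, src, dst, t) and the sample login events are all constructed for this illustration.

```python
"""Toy correlation engine (added example, not ArcSight product code).

It evaluates join-condition statements of the form
<event> <data field> <logic operator> <event> <data field> over an
in-memory event stream. Field names and sample events are constructed.
"""
from dataclasses import dataclass, field
from itertools import product
import operator

# Logic operators the toy engine understands.
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt}


@dataclass(frozen=True)
class Join:
    """One join condition statement between two event aliases (or the same alias)."""
    left_alias: str
    left_field: str
    op: str
    right_alias: str
    right_field: str

    def holds(self, bound):
        left = bound[self.left_alias].get(self.left_field)
        right = bound[self.right_alias].get(self.right_field)
        # A missing data field never satisfies a join.
        return left is not None and right is not None and OPS[self.op](left, right)


@dataclass
class Rule:
    aliases: dict   # alias -> per-event conditions {field: value}; {} means any event
    joins: list     # Join statements; all must hold (an And branch)
    consume: set = field(default_factory=set)  # aliases flagged Consume After Match


class Engine:
    def __init__(self, rule):
        self.rule = rule
        self.memory = {alias: [] for alias in rule.aliases}  # working memory per alias
        self.firings = []          # one bound {alias: event} dict per rule firing
        self.join_evaluations = 0  # candidate combinations the join stage checked

    def _matches_alias(self, event, alias):
        return all(event.get(f) == v for f, v in self.rule.aliases[alias].items())

    def feed(self, event):
        # Per-event conditions run first, so only events that pass them reach
        # working memory; the more selective they are, the fewer join checks.
        for alias in self.rule.aliases:
            if self._matches_alias(event, alias):
                self.memory[alias].append(event)
                self._try_join(alias, event)

    def _try_join(self, new_alias, new_event):
        others = [a for a in self.rule.aliases if a != new_alias]
        # product() snapshots the pools, so consuming during the loop is safe.
        for combo in product(*(self.memory[a] for a in others)):
            bound = dict(zip(others, combo))
            bound[new_alias] = new_event
            if len({id(e) for e in bound.values()}) < len(bound):
                continue  # simplification: one event may not fill two aliases
            self.join_evaluations += 1
            if not all(j.holds(bound) for j in self.rule.joins):
                continue
            self.firings.append(bound)
            for alias in self.rule.consume:
                # Consume After Match: drop the matched event from working memory
                # so it is not correlated again under this alias.
                self.memory[alias] = [e for e in self.memory[alias] if e is not bound[alias]]
            if new_alias in self.rule.consume:
                return  # the triggering event itself was consumed


def run(rule, events):
    engine = Engine(rule)
    for event in events:
        engine.feed(event)
    return engine


# Constructed sample stream: failed logins followed by successes from one source.
EVENTS = [
    {"id": 1, "name": "Login Failed",    "src": "10.0.0.5",  "dst": "10.0.1.20", "t": 100},
    {"id": 2, "name": "Login Failed",    "src": "10.0.0.5",  "dst": "10.0.1.20", "t": 101},
    {"id": 3, "name": "Login Failed",    "src": "10.0.0.9",  "dst": "10.0.1.20", "t": 102},
    {"id": 4, "name": "Login Succeeded", "src": "10.0.0.5",  "dst": "10.0.1.20", "t": 103},
    {"id": 5, "name": "Login Succeeded", "src": "10.0.0.5",  "dst": "10.0.1.20", "t": 104},
    {"id": 6, "name": "Login Failed",    "src": "10.0.1.20", "dst": "10.0.1.20", "t": 105},
]

# Same data field for two events (EventOne src = EventTwo src) plus an ordering join.
SAME_FIELD_JOINS = [Join("EventOne", "src", "=", "EventTwo", "src"),
                    Join("EventOne", "t", "<", "EventTwo", "t")]
SELECTIVE = Rule({"EventOne": {"name": "Login Failed"},
                  "EventTwo": {"name": "Login Succeeded"}}, SAME_FIELD_JOINS)
UNSELECTIVE = Rule({"EventOne": {}, "EventTwo": {}}, SAME_FIELD_JOINS)
CONSUMING = Rule(SELECTIVE.aliases, SAME_FIELD_JOINS, consume={"EventOne"})
# Different data fields for the same event (EventOne src = EventOne dst).
SELF_JOIN = Rule({"EventOne": {}}, [Join("EventOne", "src", "=", "EventOne", "dst")])

if __name__ == "__main__":
    for label, rule in [("selective", SELECTIVE), ("unselective", UNSELECTIVE),
                        ("consume EventOne", CONSUMING), ("self join", SELF_JOIN)]:
        eng = run(rule, EVENTS)
        print(f"{label:17s} firings={len(eng.firings)} join checks={eng.join_evaluations}")
```

Running the script prints the firings and join checks for each rule: the unselective rule checks 30 candidate combinations against 8 for the selective one on the same six events, which is the cost the note above warns about, and flagging EventOne with Consume After Match halves the firings from 4 to 2 because each failed-login event is used in only one join.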
To create a rule with matches or joins (with two or more events):
- In the Rules resource tree, right-click a rule and choose Edit Rule.
- In the Rules Editor, select the Conditions tab.
- Select the Matching Event branch and:
  - Select New Logical Operator.
  - Select And, Or, or Not.
  - Add the second event that is tied to the first event.
    When adding join conditions, you need to decide how the new condition ties to the existing events in the rule. If you use And, the new join condition must occur, in addition to the existing events, to trigger the rule. If you use Or, either the new join condition or the existing events must occur. If you use Not, all but the new join condition must occur. The logical operator appears as a branch under Joins.
- Click the (Join Condition) button or right-click the logical operator and select New Join Condition.
  A condition statement appears, displaying event, data field, and logic operator text fields. These fields are combined to create <event> <data field> <logic operator> <event> <data field> condition statements. For example, if monitoring for the same Source Address data field in EventOne and EventTwo, the condition statement would be EventOne Source Address = EventTwo Source Address.
- Select one of the following join data field conditions to use in the following steps:
  - When monitoring for the same data field for two events, use EventOne <data field A> <logic operator> EventTwo <data field A>.
  - When monitoring for different data fields for two events, use EventOne <data field A> <logic operator> EventTwo <data field B>.
- In the text fields, select an event and data field from the drop-down menus.
  Select data fields that you want to monitor but for which you do not have values. For more information, see Data Fields.
- Select a logic operator from the drop-down menu.
- Select an event and data field from the drop-down menus.
- Optionally, right-click and select Consume After Match on one, some, or all of the event aliases.
  Doing so reduces the number of rule firings by using the matching event in only one join.
- Click OK.
  The join data field condition appears as a branch under the Matching Event logical operator.
- On the Conditions tab, click OK.
See also Logical Operators, Condition Tree Command Buttons, Condition Tree Context Menu Commands, Common Conditions Editor (CCE), and Adding Conditions.