Setting or Changing Rule Thresholds
Purpose: To continue the process of creating or editing a rule. Here, you will specify the number of events to be matched within a specified timeframe.
- In the Rules Editor, select the Aggregation tab.
- In the Number of Matches field, enter a number if you want the rule to match more than one event.
- In the Time Frame field, enter a number and select a time unit. For example, enter 2 and select Minutes.
- If you want to aggregate on the basis of certain fields' content being distinct, click Add under the Aggregate only if these fields are unique pane to select the fields to use. Select fields from global variables, field sets, and local variables.
Tip: Fields are unique only when the combined value of all fields is unique. For example, suppose you wanted to aggregate on three fields: Event Name, Event Message, and Category Outcome, with a threshold of two matches. If you received two events both with values of Failed Login, Attempt, and Failure for these fields, respectively, these events would not be aggregated. However, if you received only one event like the first example, and another with values of Failed Login, Attempt, and Success, these two events would be aggregated because the combined value is not the same for the given threshold number of events. Aggregating on unique fields is applicable when you want to monitor widespread conditions, such as an attack on ten unique systems.
You can use the rule action to set an event field with a unique aggregation field’s value. See Set Event Field for details.
- If you want to aggregate on the basis of certain fields' content being identical, click Add under the Aggregate only if these fields are identical pane to select the fields to use. Select fields from global variables, field sets, and local variables.
- Click OK.
The choices you make are expressed as a conditional statement in the Summary panel.
Examples of Grouping Unique or Identical Field Values
You can use aggregation techniques to group unique or identical field values and map them into an active list through the Add to Active List rule action (refer to the rule action, Set Event Field).
Note: When unique field aggregation is used, all list actions (add, remove, terminate) are fired once for each unique value (or set of values). How these values impact the list depends on the configuration of the list and how the unique fields map into that list.
In the following examples, the list has SourceAddress and SourceUserName as key columns.
However, if the list has no key columns or multi-mapped active lists are used, then all columns are functionally keys.
In the Case 1 example below, an AddToActiveList action would be performed twice:
- If the unique values map to keys in the list (SourceAddress and SourceUserName), the result would be 2 entries, each with a count of 1.
- If the list key is TargetAddress, the result would be 1 entry (key=2.2.2.2) with a count of 2.
For the following examples, assume there is an event-based active list that maps the following:
IP Address = Source Address
Name = Source User Name
Consider a set of events with the following values:
| SourceAddress | SourceUserName | TargetAddress |
|---|---|---|
| 1.2.3.4 | sumerian | 2.2.2.2 |
| 1.2.3.4 | agta | 2.2.2.2 |
| 1.2.3.4 | sumerian | 2.2.2.2 |
| 1.3.5.7 | trojan | 2.2.2.2 |
| 1.3.5.7 | agta | 2.2.2.2 |
Case 1: Unique aggregation on one field
You would like to capture the unique source addresses. The fields in your Aggregation tab would be something like:
Aggregate only if these fields are unique: SourceAddress
Aggregate only if these fields are identical: TargetAddress
After aggregation and through the Add to Active List rule action, the active list entries would consist of:
| IP Address | Name |
|---|---|
| 1.2.3.4 | sumerian |
| 1.3.5.7 | agta |
Case 2: Unique aggregation on two fields
Using the same event set, this time the fields in the Aggregation tab would be:
Aggregate only if these fields are unique: SourceAddress, SourceUserName
Aggregate only if these fields are identical: TargetAddress
With the Add to Active List rule action, the active list entries would consist of:
| IP Address | Name |
|---|---|
| 1.2.3.4 | sumerian |
| 1.2.3.4 | agta |
| 1.3.5.7 | trojan |
| 1.3.5.7 | agta |
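The following Python simulation is an added example written for this page; it is not ESM code and does not use any ESM API. It reproduces the threshold, time frame, unique-field and identical-field semantics described above, then runs the Tip's three-field example and Case 1 and Case 2 (including the variant where the list key is TargetAddress) over the event set from the page. Two assumptions are made to reproduce the page's tables: a `t` timestamp field (seconds) is added to the sample events so the Time Frame can be exercised, and a group is evaluated when its time window closes (or the event stream ends), with the most recently seen event standing in for each unique value when the action runs.

```python
# Simulation of rule aggregation as described on this page. Constructed
# illustration, not ESM code; "t" (seconds) is an assumed field added to the
# page's sample events so the Time Frame can be exercised.

# Constructed sample events, mirroring the table on this page.
EVENTS = [
    {"t": 0,  "SourceAddress": "1.2.3.4", "SourceUserName": "sumerian", "TargetAddress": "2.2.2.2"},
    {"t": 10, "SourceAddress": "1.2.3.4", "SourceUserName": "agta",     "TargetAddress": "2.2.2.2"},
    {"t": 20, "SourceAddress": "1.2.3.4", "SourceUserName": "sumerian", "TargetAddress": "2.2.2.2"},
    {"t": 30, "SourceAddress": "1.3.5.7", "SourceUserName": "trojan",   "TargetAddress": "2.2.2.2"},
    {"t": 40, "SourceAddress": "1.3.5.7", "SourceUserName": "agta",     "TargetAddress": "2.2.2.2"},
]


def aggregate(events, threshold, time_frame, unique_fields=(), identical_fields=()):
    """Return the rule's firings; each firing lists the events the action runs on.

    Events are grouped by the values of `identical_fields`. Within a group a
    match is counted once per distinct tuple of `unique_fields` (or once per
    event when no unique fields are set). Assumption: a group is evaluated when
    its `time_frame`-second window closes or the stream ends; if it holds at
    least `threshold` matches, the action runs once per unique tuple, using the
    most recent event seen for that tuple.
    """
    firings = []
    groups = {}  # identical-field tuple -> {"start": t, "matches": {key: event}}

    def close(group):
        if len(group["matches"]) >= threshold:
            firings.append(list(group["matches"].values()))

    for ev in sorted(events, key=lambda e: e["t"]):
        ident = tuple(ev.get(f) for f in identical_fields)
        grp = groups.get(ident)
        if grp is not None and ev["t"] - grp["start"] > time_frame:
            close(grp)  # window expired: evaluate it, then start a new one
            grp = None
        if grp is None:
            grp = groups[ident] = {"start": ev["t"], "matches": {}}
        # Key on the unique-field tuple; without unique fields every event counts.
        key = tuple(ev.get(f) for f in unique_fields) if unique_fields else len(grp["matches"])
        grp["matches"][key] = ev  # dict keeps first-seen order, stores latest event
    for grp in groups.values():
        close(grp)
    return firings


def add_to_active_list(firings, mapping, key_columns=()):
    """Apply the Add to Active List action to every event in every firing.
    `mapping` maps list column -> event field; `key_columns` are the list's key
    columns (empty means every column is functionally a key). Returns the
    entries in insertion order, each carrying its count."""
    entries = {}
    for firing in firings:
        for ev in firing:
            row = {col: ev[fld] for col, fld in mapping.items()}
            key = tuple(row[c] for c in (key_columns or mapping))
            if key in entries:
                entries[key]["count"] += 1
            else:
                entries[key] = dict(row, count=1)
    return list(entries.values())


# Active list from the page: IP Address = Source Address, Name = Source User Name.
MAPPING = {"IP Address": "SourceAddress", "Name": "SourceUserName"}
KEY_COLUMNS = ("IP Address", "Name")


def case1(key_columns=KEY_COLUMNS, mapping=MAPPING):
    """Case 1: unique on SourceAddress, identical on TargetAddress."""
    firings = aggregate(EVENTS, threshold=2, time_frame=120,
                        unique_fields=("SourceAddress",),
                        identical_fields=("TargetAddress",))
    return add_to_active_list(firings, mapping, key_columns)


def case2():
    """Case 2: unique on SourceAddress and SourceUserName."""
    firings = aggregate(EVENTS, threshold=2, time_frame=120,
                        unique_fields=("SourceAddress", "SourceUserName"),
                        identical_fields=("TargetAddress",))
    return add_to_active_list(firings, MAPPING, KEY_COLUMNS)


def tip_example(second_outcome):
    """The Tip's example: firings for two events sharing Event Name and Event
    Message, the second with the given Category Outcome (threshold 2)."""
    evs = [
        {"t": 0, "EventName": "Failed Login", "EventMessage": "Attempt", "CategoryOutcome": "Failure"},
        {"t": 5, "EventName": "Failed Login", "EventMessage": "Attempt", "CategoryOutcome": second_outcome},
    ]
    return len(aggregate(evs, threshold=2, time_frame=120,
                         unique_fields=("EventName", "EventMessage", "CategoryOutcome")))


if __name__ == "__main__":
    runs = [("Case 1", case1()), ("Case 2", case2()),
            ("Case 1, list keyed on TargetAddress", case1(("Target",), {"Target": "TargetAddress"}))]
    for label, rows in runs:
        print(label)
        for row in rows:
            print("   ", row)
    print("Tip, identical events:", tip_example("Failure"), "firing(s)")
    print("Tip, outcome differs: ", tip_example("Success"), "firing(s)")
```

Running the script prints the two entries of Case 1, the four entries of Case 2, a single entry with count 2 when the list is keyed on TargetAddress, and no firing for the Tip's two identical events versus one firing when only Category Outcome differs. The threshold is checked against the number of distinct unique-field tuples, not the number of raw events, which is why the three events from 1.2.3.4 in Case 1 contribute a single match.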