Setting or Changing Rule Thresholds

Purpose: To continue the process of creating or editing a rule. Here, you will specify the number of events to be matched within a specified timeframe.

  1. In the Rules Editor, select the Aggregation tab.

  2. In the Number of Matches field, enter a number if you want the rule to match more than one event.

  3. In the Time Frame field, enter a number and select a time unit. For example, enter 2 and select Minutes.

  4. If you want to aggregate on the basis of certain fields' content being distinct, click Add under the Aggregate only if these fields are unique pane to select the fields to use. Select fields from global variables, field sets, and local variables.

    Tip: Fields are unique only when the combined value of all fields is unique. For example, suppose you wanted to aggregate on three fields: Event Name, Event Message, and Category Outcome, with a threshold of two matches. If you received two events both with values of Failed Login, Attempt, and Failure for these fields, respectively, these events would not be aggregated.

    However, if you received only one event like the first example, and another with values of Failed Login, Attempt, and Success, these two events would be aggregated because the combined value is not the same for the given threshold number of events.

    Aggregating on unique fields is applicable when you want to monitor widespread conditions, such as an attack on ten unique systems.

    You can use the rule action to set an event field with a unique aggregation field’s value. See Set Event Field for details.

  5. If you want to aggregate on the basis of certain fields' content being identical, click Add under the Aggregate only if these fields are identical pane to select the fields to use. Select fields from global variables, field sets, and local variables.

  6. Click OK.

The choices you make are expressed as a conditional statement in the Summary panel.

Examples of Grouping Unique or Identical Field Values

You can use aggregation techniques to group unique or identical field values and map them into an active list through the Add to Active List rule action (refer to the rule action, Set Event Field).

Note: When unique field aggregation is used, all list actions (add, remove, terminate) are fired once for each unique value (or set of values). How these values impact the list depends on the configuration of the list and how the unique fields map into that list.

In the following examples, the list has SourceAddress and SourceUserName as key columns.

However, if the list has no key columns, or multi-mapped active lists are used, then all columns are functionally keys.

In the Case 1 example below, an AddToActiveList action would be performed twice:

  • If the unique values map to keys in the list (SourceAddress and SourceUserName), the result would be 2 entries, each with a count of 1.
  • If the list key is TargetAddress, the result would be 1 entry (key=2.2.2.2) with a count of 2.

For the following examples, assume there is an event-based active list that maps the following:

IP Address = Source Address

Name = Source User Name

Consider a set of events with the following values:

SourceAddress    SourceUserName    TargetAddress
1.2.3.4          sumerian          2.2.2.2
1.2.3.4          agta              2.2.2.2
1.2.3.4          sumerian          2.2.2.2
1.3.5.7          trojan            2.2.2.2
1.3.5.7          agta              2.2.2.2

Case 1: Unique aggregation on one field

You would like to capture the unique source addresses. The fields in your Aggregation tab would be something like:

Aggregate only if these fields are unique: SourceAddress

Aggregate only if these fields are identical: TargetAddress

After aggregation and through the Add to Active List rule action, the active list entries would consist of:

IP Address    Name
1.2.3.4       sumerian
1.3.5.7       agta

Case 2: Unique aggregation on two fields

Using the same event set, this time the fields in the Aggregation tab would be:

Aggregate only if these fields are unique: SourceAddress, SourceUserName

Aggregate only if these fields are identical: TargetAddress

With the Add to Active List rule action, the active list entries would consist of:

IP Address    Name
1.2.3.4       sumerian
1.2.3.4       agta
1.3.5.7       trojan
1.3.5.7       agta
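The following is an added model of the aggregation and active-list behaviour described above; it is not ArcSight code. It assumes that the Number of Matches counts distinct unique-field tuples within a bucket of events whose identical fields match, that the most recent event in each tuple supplies the remaining field values, and that list entries sharing the key columns collapse into one entry with an incremented count. It reproduces Case 1, Case 2, and the TargetAddress-keyed variant mentioned earlier.

```python
from collections import Counter

# Constructed event set, copied from the event table above.
EVENTS = [
    {"SourceAddress": "1.2.3.4", "SourceUserName": "sumerian", "TargetAddress": "2.2.2.2"},
    {"SourceAddress": "1.2.3.4", "SourceUserName": "agta",     "TargetAddress": "2.2.2.2"},
    {"SourceAddress": "1.2.3.4", "SourceUserName": "sumerian", "TargetAddress": "2.2.2.2"},
    {"SourceAddress": "1.3.5.7", "SourceUserName": "trojan",   "TargetAddress": "2.2.2.2"},
    {"SourceAddress": "1.3.5.7", "SourceUserName": "agta",     "TargetAddress": "2.2.2.2"},
]

def aggregate(events, unique, identical, threshold):
    """Return one event per distinct unique-field tuple, for each bucket of
    events whose identical fields match and which reaches `threshold`
    distinct tuples (the Number of Matches). Assumption: the most recent
    event in each tuple supplies the other field values."""
    buckets = {}
    for ev in events:
        bucket = buckets.setdefault(tuple(ev[f] for f in identical), {})
        bucket[tuple(ev[f] for f in unique)] = ev  # latest event wins
    fired = []
    for bucket in buckets.values():
        if len(bucket) >= threshold:
            fired.extend(bucket.values())
    return fired

def add_to_active_list(fired, key_columns, mapping):
    """Fire AddToActiveList once per aggregated event. Rows whose key
    columns match collapse into one entry whose count is incremented."""
    entries = Counter()
    for ev in fired:
        row = {column: ev[field] for column, field in mapping.items()}
        entries[tuple(row[c] for c in key_columns)] += 1
    return dict(entries)

# The list from the text: IP Address = Source Address, Name = Source User Name
MAPPING = {"IP Address": "SourceAddress", "Name": "SourceUserName"}
KEYS = ["IP Address", "Name"]

def case1():
    fired = aggregate(EVENTS, ["SourceAddress"], ["TargetAddress"], 2)
    return add_to_active_list(fired, KEYS, MAPPING)

def case2():
    fired = aggregate(EVENTS, ["SourceAddress", "SourceUserName"], ["TargetAddress"], 2)
    return add_to_active_list(fired, KEYS, MAPPING)

def case1_keyed_on_target():
    # Same aggregation, but the list key is TargetAddress: both actions
    # land on key 2.2.2.2, giving one entry with a count of 2.
    fired = aggregate(EVENTS, ["SourceAddress"], ["TargetAddress"], 2)
    return add_to_active_list(fired, ["Target"], {"Target": "TargetAddress"})
```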