Threshold rule example
Threshold rule definition
<?xml version="1.0" encoding="utf-8"?>
<rule>
  <definition>
    <threshold count="3" interval="900s">
      <detection>
        <definition>
          <process>
            <operator type="or">
              <condition component="FileItem" property="FileName" condition="is" value="notepad.exe"/>
              <condition component="FileItem" property="FileName" condition="is" value="cmd.exe"/>
            </operator>
          </process>
          <operations>
            <operation type="Detection">
              <operator type="or">
                <condition component="InspectDetection" property="RuleName" condition="contains" value="PB000"/>
                <condition component="InspectDetection" property="RuleName" condition="contains" value="PB001"/>
              </operator>
            </operation>
          </operations>
        </definition>
      </detection>
      <aggregateOn>
        <property name="ParentProcess"/>
      </aggregateOn>
      <cardinality>
        <property name="ruleName" value="2"/>
      </cardinality>
    </threshold>
  </definition>
  <actions>
    <action name="ReportIncident"/>
  </actions>
  <description>
    <name>test threshold rule</name>
    <category>default</category>
  </description>
</rule>
Supporting rules
1. Rule PB000 (notepad)
<?xml version="1.0" encoding="utf-8"?>
<rule>
  <definition>
    <process>
      <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="notepad"/>
    </process>
  </definition>
  <description>
    <name>notepad [PB000]</name>
    <category>Default</category>
  </description>
</rule>
2. Rule PB001 (cmd)
<?xml version="1.0" encoding="utf-8"?>
<rule>
  <definition>
    <process>
      <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="cmd"/>
    </process>
  </definition>
  <description>
    <name>cmd [PB001]</name>
    <category>Default</category>
  </description>
</rule>
Things to notice in the rule example above:
This Threshold rule triggers an incident when specific conditions are met within a given interval.
Trigger explanation:
1. Threshold count and interval:
   o The threshold rule is triggered (an incident is created) if three matching detections occur within 900 seconds.
2. Detection:
   o The process section specifies the monitored processes: notepad.exe and cmd.exe.
   o In this example, the process section is optional because the supporting rules (PB000 and PB001) already define the processes being monitored.
   o The operations section matches detections by rule name (PB000 and PB001).
3. AggregateOn (optional):
   o In this example, aggregateOn is set to ParentProcess. Because all types of aggregation imply computer aggregation, the detections must occur on the same computer and with the same ParentProcess.
4. Cardinality (optional):
   o The cardinality specifies that the detections must come from at least two different rules (ruleName value is 2).
5. Actions:
   o The only supported action is ReportIncident. Its other parameters (aggregateOn and aggregationParameter) are ignored and should not be used in a threshold rule.
   o Without this action, the threshold rule will not create an incident.
Example scenarios:
• 1 detection of PB000 and 2 detections of PB001.
• 2 detections of PB000 and 1 detection of PB001.
• 3 detections of PB000 and 10 detections of PB001.
• Other combinations that meet the conditions:
   o The total detection count must be 3 or more.
   o At least 2 different rules must be triggered.
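To make the trigger logic above concrete, here is an added Python model (not part of the product or of this page) that evaluates constructed detections against the count, interval, aggregateOn and cardinality settings of the example rule. The sliding window over timestamp-sorted events and the inclusive 900 s boundary are assumptions of this model, not documented product behaviour.

```python
from collections import defaultdict, namedtuple

# Parameters copied from the threshold rule above.
THRESHOLD_COUNT = 3                 # <threshold count="3">
INTERVAL_SECONDS = 900              # interval="900s"
MIN_DISTINCT_RULES = 2              # <cardinality> ruleName value="2"
MATCHED_RULES = ("PB000", "PB001")  # RuleName "contains" conditions

# ts is in seconds; parent_process is the aggregateOn property.
Detection = namedtuple("Detection", "ts computer parent_process rule_name")

def threshold_incidents(detections):
    """Return the (computer, parent_process) groups that would raise an incident."""
    # Every aggregation implies computer aggregation, so group by computer
    # plus the aggregateOn property (ParentProcess).
    groups = defaultdict(list)
    for d in sorted(detections, key=lambda d: d.ts):
        if any(tag in d.rule_name for tag in MATCHED_RULES):  # operations block
            groups[(d.computer, d.parent_process)].append(d)
    incidents = set()
    for key, events in groups.items():
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most the interval
            while events[end].ts - events[start].ts > INTERVAL_SECONDS:
                start += 1
            window = events[start:end + 1]
            rules_seen = {e.rule_name for e in window}   # cardinality on ruleName
            if len(window) >= THRESHOLD_COUNT and len(rules_seen) >= MIN_DISTINCT_RULES:
                incidents.add(key)
                break
    return incidents

# Constructed sample detections (not real telemetry); names mirror the rules above.
SAMPLE = [
    Detection(0, "host-a", "explorer.exe", "notepad [PB000]"),     # 1x PB000 + 2x PB001
    Detection(120, "host-a", "explorer.exe", "cmd [PB001]"),       # within 900 s -> incident
    Detection(600, "host-a", "explorer.exe", "cmd [PB001]"),
    Detection(0, "host-b", "explorer.exe", "notepad [PB000]"),     # 3x PB000 only:
    Detection(60, "host-b", "explorer.exe", "notepad [PB000]"),    # cardinality 2 not met
    Detection(120, "host-b", "explorer.exe", "notepad [PB000]"),
    Detection(0, "host-c", "explorer.exe", "notepad [PB000]"),     # split across two
    Detection(30, "host-c", "explorer.exe", "cmd [PB001]"),        # ParentProcess values
    Detection(60, "host-c", "powershell.exe", "cmd [PB001]"),
    Detection(0, "host-d", "explorer.exe", "notepad [PB000]"),     # third detection falls
    Detection(100, "host-d", "explorer.exe", "cmd [PB001]"),       # outside the 900 s window
    Detection(2000, "host-d", "explorer.exe", "cmd [PB001]"),
]

if __name__ == "__main__":
    print(threshold_incidents(SAMPLE))  # only host-a / explorer.exe qualifies
```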