Threshold rules
A threshold rule creates an incident when a defined number of detections occur within a given time period. To see what an entire threshold rule looks like, see the threshold rules examples topic.
Definition
The threshold rule is defined with the following tag:
<threshold threshold="3" interval="10m"/>
The threshold parameter specifies the minimum number of times the detection has to be triggered for the incident to be created.
The interval parameter specifies the time interval in which the detections have to occur for the incident to be created. The threshold rule includes in the incident all detections that match the conditions and fall within the interval.
If further matching detections are received after the incident has been created but still fall within the interval, the incident is updated to include them.
Possible units for the interval are:
• d - day
• h - hour
• m - minute
• s - second
• ms - millisecond
• us - microsecond
Detection definition
<definition>
  <process>
    <operator type="or">
      <condition component="FileItem" property="FileName" condition="is" value="notepad.exe"/>
      <condition component="FileItem" property="FileName" condition="is" value="cmd.exe"/>
    </operator>
  </process>
  <operations>
    <operation type="Detection">
      <operator type="or">
        <condition component="InspectDetection" property="RuleName" condition="contains" value="PB000"/>
        <condition component="InspectDetection" property="RuleName" condition="contains" value="PB001"/>
      </operator>
    </operation>
  </operations>
</definition>
In the detection definition, you can use the operations, process and parentprocess tags to specify the conditions for incident creation. This part of the rule is not specific to threshold rules and is evaluated like any other rule definition.
The detections to be evaluated are always specified in the operations section, which can contain InspectDetection and Endpoint components.
The only operator type that makes sense in this section of a threshold rule is or, since the rule counts any matching detection.
AggregateOn
<aggregateOn>
  <property name="ParentProcess"/>
</aggregateOn>
AggregateOn is optional. This tag lets you aggregate detections by the selected property. All aggregation types imply aggregation by computer. For example, if you use Process, only detections from the same computer and the same process are evaluated together.
Possible values are:
• Computer
• Process
• ParentProcess
Cardinality
<cardinality>
  <property name="ruleName" value="2"/>
</cardinality>
Cardinality is optional. It requires uniqueness among the counted detections. In the example above, the threshold rule triggers only if the detections come from at least two distinct rule names.
Possible values are:
• computerName
• ruleName
Actions
<actions>
  <action name="ReportIncident"/>
</actions>
The only supported action is ReportIncident. Without this action, the threshold rule neither creates nor updates incidents. Arguments other than name (aggregateOn and aggregationParameter) are ignored when used in a threshold rule.
Expiration time
The server can receive old detections late, and they need to be added to the correct incident if one exists. Because evaluating very old detections is undesirable, the expiration time is set to 24 hours by default. This can be changed in the .ini file via the Server.EirExpirationInterval value.
If a detection is older than EirExpirationInterval, it is not evaluated.
If an incident is older than EirExpirationInterval, no new detections are added to it.
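To show how the pieces above (threshold and interval, aggregateOn, cardinality, the ReportIncident action and the expiration window) combine, here is an added simulation that is not part of the ESET documentation or product: it assembles the page's fragments into one complete rule, parses the threshold settings out of it and replays a constructed set of detections through the evaluation logic as this page describes it. The detection field names (computerName, process, parentProcess, ruleName), the choice to anchor the interval at the oldest detection in the window, and the sample detections are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rule assembled from the fragments on this page; not taken from the ESET docs.
RULE_XML = """<rule>
  <definition>
    <process>
      <operator type="or">
        <condition component="FileItem" property="FileName" condition="is" value="notepad.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="cmd.exe"/>
      </operator>
    </process>
    <operations>
      <operation type="Detection">
        <operator type="or">
          <condition component="InspectDetection" property="RuleName" condition="contains" value="PB000"/>
          <condition component="InspectDetection" property="RuleName" condition="contains" value="PB001"/>
        </operator>
      </operation>
    </operations>
  </definition>
  <threshold threshold="3" interval="10m"/>
  <aggregateOn><property name="Computer"/></aggregateOn>
  <cardinality><property name="ruleName" value="2"/></cardinality>
  <actions><action name="ReportIncident"/></actions>
</rule>"""

# Interval units listed on the page, expressed in seconds.
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1, "ms": 1e-3, "us": 1e-6}


def parse_interval(text):
    """Turn an interval such as '10m' or '500ms' into a timedelta."""
    i = len(text)
    while i > 0 and text[i - 1].isalpha():
        i -= 1
    number, unit = text[:i], text[i:]
    return timedelta(seconds=float(number) * UNITS[unit])


def parse_rule(xml_text):
    """Extract the threshold-specific settings from a rule document."""
    root = ET.fromstring(xml_text)
    thr = root.find("threshold")
    agg = root.find("aggregateOn/property")
    card = root.find("cardinality/property")
    return {
        "threshold": int(thr.get("threshold")),
        "interval": parse_interval(thr.get("interval")),
        "aggregate_on": agg.get("name") if agg is not None else "Computer",  # computer is implied
        "cardinality": (card.get("name"), int(card.get("value"))) if card is not None else None,
        "report": root.find("actions/action[@name='ReportIncident']") is not None,
    }


# Assumed detection field names; every aggregation type includes the computer.
AGGREGATION_KEYS = {
    "Computer": ("computerName",),
    "Process": ("computerName", "process"),
    "ParentProcess": ("computerName", "parentProcess"),
}


def _cardinality_ok(rule, dets):
    if rule["cardinality"] is None:
        return True
    name, needed = rule["cardinality"]
    return len({d[name] for d in dets}) >= needed


def evaluate(rule, detections, now=None, expiration=timedelta(hours=24)):
    """Replay detections through the threshold logic and return the incidents created.
    Assumptions: the interval is anchored at the oldest detection in the window, and
    'expiration' mirrors the 24-hour EirExpirationInterval default (applied when now is given)."""
    if now is not None:
        detections = [d for d in detections if now - d["time"] <= expiration]
    groups = defaultdict(list)
    for d in sorted(detections, key=lambda d: d["time"]):
        groups[tuple(d[f] for f in AGGREGATION_KEYS[rule["aggregate_on"]])].append(d)
    incidents = []
    for key, dets in groups.items():
        pending, open_inc = [], None
        for d in dets:
            if open_inc and d["time"] - open_inc["detections"][0]["time"] <= rule["interval"]:
                open_inc["detections"].append(d)  # incident exists and interval still open: update it
                continue
            open_inc = None
            pending = [p for p in pending if d["time"] - p["time"] <= rule["interval"]] + [d]
            if len(pending) >= rule["threshold"] and _cardinality_ok(rule, pending):
                if rule["report"]:  # no ReportIncident action means no incident
                    open_inc = {"key": key, "detections": list(pending)}
                    incidents.append(open_inc)
                pending = []
    return incidents


T0 = datetime(2024, 1, 1, 12, 0)


def _det(minutes, computer, rule_name):
    return {"time": T0 + timedelta(minutes=minutes), "computerName": computer,
            "process": "cmd.exe", "parentProcess": "explorer.exe", "ruleName": rule_name}


# Constructed detections: computer A meets threshold and cardinality (one later update,
# one detection outside the interval); computer B hits the count but only one rule name.
SAMPLE_DETECTIONS = [
    _det(0, "A", "PB000"), _det(2, "A", "PB000"), _det(5, "A", "PB001"),
    _det(8, "A", "PB000"), _det(25, "A", "PB001"),
    _det(1, "B", "PB000"), _det(2, "B", "PB000"), _det(3, "B", "PB000"),
]

if __name__ == "__main__":
    for inc in evaluate(parse_rule(RULE_XML), SAMPLE_DETECTIONS, now=T0 + timedelta(minutes=30)):
        print(inc["key"], [d["ruleName"] for d in inc["detections"]])
```

Running it yields a single incident for computer A containing four detections: the first three satisfy the threshold of 3 and the cardinality of two rule names, the fourth arrives inside the 10-minute interval and updates the incident, and the detection at 25 minutes starts a new pending window that never fills. Computer B reaches three detections but all carry the same rule name, so the cardinality check keeps it from becoming an incident.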