This topic provides instructions to add conditions, such as specifying a certain time frame, to a rule statement. When you build a statement, you specify what a rule detects. You add conditions to make further stipulations, such as how many times or when the criteria must occur.
The following graphic shows an example of the conditions for two Rule Builder statements. Combined, the statements and conditions comprise the rule criteria.
This rule detects 5 failed logon attempts followed by one successful logon, which could be a sign that someone has broken into a user account. These are the criteria for the rule:
- 5 failed logons are required.
- 1 successful logon must follow the failures.
- All events must occur within 5 minutes.
- Group alerts by user (user_dst), because steps A and B must be performed on the same user destination account. Also group by machine (device_class), so that the rule only fires when the same user, logging in from the same machine, attempts to log into an account multiple times.
- The match is a strict pattern, meaning that the pattern must match exactly with no intervening events.
To add conditions to a rule statement:
- In the Conditions section, select a statement and click .
- For Occurs, enter a value to specify how many occurrences are required to meet the rule criteria.
- If you have multiple statements, in the Connector field select a logical operator to join one statement to another: followed by, or not followed by.
- Correlated On applies only to not followed by. If you selected not followed by in the previous step, type the meta key that must not come next.
- If events must happen within a specific timeframe, enter a number of minutes in the Occurs Within field.
- Choose whether the pattern must follow a Strict match or a Loose match. If you specify a strict match, this means that the pattern must occur in the exact sequence you specified with no additional events occurring in between. For example, if the sequence specifies five failed logins (F) followed by a successful login (S), this pattern will only match if the user executes the following sequence: F,F,F,F,F,S. If you specify a loose match, this means that other events may occur within the sequence, but the rule will still trigger if all of the specified events also occur. For example, five failed login attempts (F), followed by any number of intervening successful login attempts (S), followed by a successful login attempt might create the following pattern: F,S,F,S,F,S,F,S,F,S which would trigger the rule despite the intervening successful logins.
- Choose the fields to group by from the dropdown list. The Group by field allows you to group and evaluate the incoming events. For example, in the rule that detects 5 failed logon attempts followed by 1 successful attempt, the user must be the same, so user_dst is the Group By meta key. You can also group by multiple keys. Using the previous example, you might want to group by user and machine to ensure that the same user logged in from the same machine attempts to log into an account multiple times. To do this, you might group by device_class and user_dst.
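The following added example (not the product's own code) models how the rule described above evaluates events: it groups events by user_dst and device_class, requires 5 failures followed by a success within the Occurs Within window, and shows how a Strict match and a Loose match differ on the same input. The event records, field names and the `detect` function are assumptions for illustration only.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not from the page); fields mirror the
# rule's Group By keys (user_dst, device_class) plus the logon outcome.
BASE = datetime(2024, 1, 1, 9, 0, 0)
def ev(minute, user_dst, device_class, outcome):
    return {"time": BASE + timedelta(minutes=minute), "user_dst": user_dst,
            "device_class": device_class, "outcome": outcome}

EVENTS = (
    # alice: F,F,F,F,F,S within 5 minutes -> strict and loose both match
    [ev(m, "alice", "workstation", "failure") for m in range(5)]
    + [ev(4.5, "alice", "workstation", "success")]
    # bob: F,S,F,S,F,S,F,S,F,S within 5 minutes -> loose match only
    + [ev(m / 2, "bob", "workstation", "failure" if m % 2 == 0 else "success")
       for m in range(10)]
    # carol: five failures, but the success lands outside the 5-minute window
    + [ev(m, "carol", "vpn", "failure") for m in range(5)]
    + [ev(10, "carol", "vpn", "success")]
)

def _match_from(evs, start, failures, window, strict):
    """Try to match <failures> x F followed by S, starting at evs[start]."""
    deadline = evs[start]["time"] + window      # Occurs Within
    seen = 0
    for e in evs[start:]:
        if e["time"] > deadline:
            return False
        if seen < failures:                      # still collecting failures
            if e["outcome"] == "failure":
                seen += 1
            elif strict:                         # intervening event breaks strict
                return False
        elif e["outcome"] == "success":          # the "followed by" statement
            return True
        elif strict:
            return False
    return False

def detect(events, failures=5, window_minutes=5, strict=True):
    """Return the (user_dst, device_class) groups whose events match the rule."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda x: x["time"]):
        groups[(e["user_dst"], e["device_class"])].append(e)   # Group By
    window = timedelta(minutes=window_minutes)
    return [key for key, evs in groups.items()
            if any(e["outcome"] == "failure"
                   and _match_from(evs, i, failures, window, strict)
                   for i, e in enumerate(evs))]
```

Widening the window to 15 minutes makes carol's sequence match as well, which is the trade-off the Occurs Within field controls.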