This topic describes the components of the Rule Builder tab that you use to define rule criteria.
The Rule Builder tab enables you to define a Rule Builder rule.
To access the Rule Builder tab:
- In the Security Analytics menu, select Alerts > Configure.
  The Configure view is displayed with the Rules tab open by default.
- In the Rule Library toolbar, select > Rule Builder.
  The Rule Builder tab is displayed.
The following figure shows the Rule Builder tab.
The following table lists the parameters in the Rule Builder tab.
| Parameter | Description |
|---|---|
| Rule Name | Purpose of the ESA rule. |
| Description | Summary of what the ESA rule detects. |
| Trial Rule | Deployment mode to see if the rule runs efficiently. |
| Severity | Threat level of the alert triggered by the rule. |
| Query | EPL query that defines the rule criteria. |
The Rule Builder tab includes the following components:
- Conditions section
- Notifications section
- Enrichments section
In the Conditions section of the Rule Builder tab, you define what the rule detects.
The following figure shows the Conditions section.
The following table lists the parameters of the Conditions section.
| Parameter | Description |
|---|---|
| (icon) | Add a statement. |
| (icon) | Remove the selected statement. |
| (icon) | Edit the selected statement. |
| Statement | Logical group of conditions for one operation. |
| Occurs | Alert frequency if the condition is met. For a single statement, Occurs is only valid when you use followed by or Group By. It specifies that at least that many events must satisfy the criteria in order to trigger an alert. The time window in minutes bounds the Occurs count. |
| Connector | Options to specify the relationship among the statements: followed by; not followed by. The Connector joins two statements with AND, OR, or followed by. When followed by is used, it specifies that there is a sequencing of those events. AND and OR build one large criteria. The followed by creates distinct criteria that occur in sequence. |
| Correlated On | Option for the Not followed by connector. Specify the meta key for the field that you want to ensure does not follow in the sequence. |
| occurs within minutes | Alert frequency if all conditions are met. |
| Group By | Meta key by which to group results. For example, suppose that there are three users, Joe, Jane, and John, and you use the Group By meta key user_dst. The result shows events grouped under Joe, Jane, and John. |
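The Occurs, occurs within minutes, Group By, followed by and not followed by settings describe windowed, per-group matching over an event stream. The following Python block is an added illustration of those semantics and is not ESA or Esper code; the sample events, the `login_failed`/`login_success` action values and the timestamps are constructed, and the `user_dst` meta key is borrowed from the Group By example above.

```python
"""Toy model of Rule Builder condition semantics: Occurs / occurs within
minutes / Group By / followed by / not followed by.

Added illustration only, not ESA or Esper code. The event records below are
constructed; the only meta key taken from the documentation is user_dst."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical): one record per login attempt
EVENTS = [
    {"time": "2024-01-01T10:00:00", "user_dst": "joe",  "action": "login_failed"},
    {"time": "2024-01-01T10:00:30", "user_dst": "jane", "action": "login_failed"},
    {"time": "2024-01-01T10:01:00", "user_dst": "joe",  "action": "login_failed"},
    {"time": "2024-01-01T10:02:00", "user_dst": "joe",  "action": "login_failed"},
    {"time": "2024-01-01T10:03:00", "user_dst": "john", "action": "login_failed"},
    {"time": "2024-01-01T10:04:00", "user_dst": "john", "action": "login_success"},
    {"time": "2024-01-01T10:10:00", "user_dst": "jane", "action": "login_failed"},
    {"time": "2024-01-01T10:20:00", "user_dst": "jane", "action": "login_failed"},
    {"time": "2024-01-01T10:30:00", "user_dst": "joe",  "action": "login_success"},
]


def failed(ev):
    return ev["action"] == "login_failed"


def success(ev):
    return ev["action"] == "login_success"


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def _stream(events):
    # ESA processes events in arrival order; sort so the model does the same.
    return sorted(events, key=_ts)


def occurs_within(events, predicate, occurs, minutes, group_by):
    """One statement with Occurs=N, 'occurs within' M minutes and a Group By key.
    Returns (group, time) pairs. The window slides and resets after each alert."""
    window = timedelta(minutes=minutes)
    seen = defaultdict(deque)          # group -> timestamps of matching events
    alerts = []
    for ev in _stream(events):
        if not predicate(ev):
            continue
        key, t = ev.get(group_by), _ts(ev)
        q = seen[key]
        q.append(t)
        while t - q[0] > window:       # drop events that fell out of the window
            q.popleft()
        if len(q) >= occurs:
            alerts.append((key, t))
            q.clear()                  # one alert per burst, not one per extra event
    return alerts


def followed_by(events, first, second, minutes, group_by):
    """Statement A 'followed by' statement B for the same group within M minutes."""
    window = timedelta(minutes=minutes)
    pending, alerts = {}, []
    for ev in _stream(events):
        key, t = ev.get(group_by), _ts(ev)
        if first(ev):
            pending[key] = t           # the most recent A starts the sequence
        elif second(ev) and key in pending and t - pending[key] <= window:
            alerts.append((key, pending.pop(key), t))
    return alerts


def not_followed_by(events, first, second, minutes, group_by, end_time):
    """Statement A 'not followed by' statement B, correlated on the group key:
    fire once the window after A closes without a B for that group."""
    window = timedelta(minutes=minutes)
    pending, alerts = {}, []

    def expire(now):
        for key in sorted(k for k, t0 in pending.items() if now - t0 > window):
            alerts.append((key, pending.pop(key)))

    for ev in _stream(events):
        key, t = ev.get(group_by), _ts(ev)
        expire(t)                      # windows that closed before this event
        if first(ev):
            pending[key] = t
        elif second(ev):
            pending.pop(key, None)     # B arrived in time, so nothing to report
    expire(datetime.fromisoformat(end_time))
    return alerts


if __name__ == "__main__":
    print("occurs >= 3 in 5 min:", occurs_within(EVENTS, failed, 3, 5, "user_dst"))
    print("failed followed by success:", followed_by(EVENTS, failed, success, 5, "user_dst"))
    print("failed not followed by success:",
          not_followed_by(EVENTS, failed, success, 5, "user_dst", "2024-01-01T11:00:00"))
```

Run against the constructed stream, the Occurs rule fires once for joe (three failures inside five minutes), the followed by rule fires once for john, and the not followed by rule fires for each failure whose five-minute window closed without a success for that user. The per-group deque is what Group By buys you: jane's failures never count toward joe's total.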
In the Notifications section, you can choose how to be notified when ESA generates an alert for the rule.
For more information on the alert notifications, see Add Notification Method to a Rule.
The following figure shows the Notifications section.
| Parameter | Description |
|---|---|
| (icon) | Add an alert notification type. |
| (icon) | Delete the selected alert notification. |
| Output | Alert notification type. Options are: |
| Notification | Name of a previously configured output, such as an email distribution list. |
| Notification Server | Name of the server that sends the output. |
| Template | Name of the template for the alert notification. |
| Output Suppression of every | Option to specify the alert frequency. |
| Minutes | Alert frequency in minutes. |
In the Enrichments section, you can add a data enrichment source to a rule.
For more information on the enrichments, see Add an Enrichment to a Rule.
The following figure shows the Enrichments section.
| Parameter | Description |
|---|---|
| (icon) | Add an enrichment. |
| (icon) | Delete the selected enrichment. |
| Output | Enrichment source type. Options are: In-Memory Table; External DB Reference; Warehouse Analytics. |
| Enrichment Source | Name of a previously configured enrichment source, such as a .CSV filename for an In-Memory Table. |
| ESA Event Stream Meta | ESA meta key whose value is used as one operand of the join condition. |
| Enrichment Source Column Name | Enrichment source column whose value is used as the other operand of the join condition. |
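The last two rows describe a join: the value of an ESA meta key is matched against one column of the enrichment source, and the remaining columns of the matching row are attached to the alert. The following Python block is an added illustration of an In-Memory Table enrichment built from a .CSV file; it is not ESA code, and the CSV content, the `ip_dst` meta key and the `enrich.` prefix on the added fields are constructed assumptions.

```python
"""Toy model of an In-Memory Table enrichment: join an alert's ESA meta key
against a column of a CSV table. Added illustration, not ESA code; the CSV
rows, the ip_dst meta key and the enrich.* field names are constructed."""
import csv
import io

# Constructed .CSV enrichment source (hypothetical): one row per known host
ASSET_TABLE_CSV = """ip,owner,criticality
10.0.0.5,finance,high
10.0.0.9,lab,low
"""


def load_in_memory_table(csv_text, source_column):
    """Index the CSV rows by the Enrichment Source Column Name used in the join."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if source_column not in reader.fieldnames:
        raise ValueError(f"column {source_column!r} not in CSV header {reader.fieldnames}")
    return {row[source_column]: row for row in reader}


def enrich(alert, table, stream_meta, source_column):
    """Left join on alert[stream_meta] == row[source_column].
    Alerts whose key has no row in the table are returned unchanged."""
    enriched = dict(alert)
    row = table.get(alert.get(stream_meta))
    if row is not None:
        for col, val in row.items():
            if col != source_column:           # the join key is already on the alert
                enriched[f"enrich.{col}"] = val
    return enriched


TABLE = load_in_memory_table(ASSET_TABLE_CSV, "ip")

if __name__ == "__main__":
    print(enrich({"ip_dst": "10.0.0.5", "rule": "brute-force"}, TABLE, "ip_dst", "ip"))
    print(enrich({"ip_dst": "192.0.2.7", "rule": "brute-force"}, TABLE, "ip_dst", "ip"))
```

Loading the table once and looking rows up by the join column is the point of an in-memory table: the join runs per alert without re-reading the file. An alert whose key is absent from the table passes through untouched, so the rule still fires for unknown hosts rather than silently dropping them.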