When you build a statement, you specify what a rule detects. You add conditions to make further stipulations, such as how many times or when the criteria must occur.
The following graphic shows an example of the conditions for two Rule Builder statements. Combined, the statements and conditions comprise the rule criteria.
This rule detects 5 failed logon attempts followed by one successful logon, which could be a sign that someone has broken into a user account. These are the criteria for the rule:
- 5 failed logons are required.
- 1 successful logon must follow the failures.
- All events must occur within 3 minutes.
- Group alerts by user, because steps 1 and 2 must be performed by the same user.
To add conditions to a rule statement:
- In the Conditions section, select a statement and click .
- For Occurs, enter a value to specify how many occurrences are required to meet the rule criteria.
- If you have multiple statements, in the Connector field select a logical operator to join one statement to another:
  - followed by
  - not followed by
- Correlated On applies only to not followed by. If you selected not followed by in the previous step, type the meta key that must not come next.
- If events must happen within a specific timeframe, enter a number of minutes in the Occurs Within field.
- If one meta key must be the same in each statement, enter the key in the Group By field. For example, in the rule that detects 5 failed logon attempts followed by 1 successful attempt, the user must be the same so user_dst is the Group By meta key.
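As an added illustration, not part of this documentation or the product's own engine, the following stand-alone script applies the same criteria (Occurs=5 on the failure statement, followed by a success, Occurs Within=3 minutes, Group By=user_dst) to a few constructed logon events; the field names and timestamps are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the original page). Each tuple is
# (timestamp, user_dst, logon outcome); "alice" produces the suspicious
# sequence, "bob" does not reach the required number of failures.
EVENTS = [
    ("2024-01-01T10:00:00", "alice", "failure"),
    ("2024-01-01T10:00:20", "alice", "failure"),
    ("2024-01-01T10:00:40", "bob", "failure"),
    ("2024-01-01T10:01:00", "alice", "failure"),
    ("2024-01-01T10:01:20", "alice", "failure"),
    ("2024-01-01T10:01:40", "alice", "failure"),
    ("2024-01-01T10:02:00", "bob", "success"),
    ("2024-01-01T10:02:30", "alice", "success"),
]


def correlate(events, failures=5, window=timedelta(minutes=3)):
    """Return one alert per user who had `failures` failed logons followed
    by a successful logon, with every event inside `window`.

    The user_dst value is the Group By key: failures of one user never
    count toward another user's sequence.
    """
    recent = defaultdict(deque)  # user_dst -> timestamps of recent failures
    alerts = []
    for ts, user, outcome in sorted(events):  # process in time order
        t = datetime.fromisoformat(ts)
        q = recent[user]
        # Discard failures that fall outside the Occurs Within window
        # relative to the current event.
        while q and t - q[0] > window:
            q.popleft()
        if outcome == "failure":
            q.append(t)
        elif outcome == "success" and len(q) >= failures:
            alerts.append({
                "user_dst": user,
                "first_failure": q[0].isoformat(),
                "success": ts,
            })
            q.clear()  # the sequence is consumed; start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

A sequence whose earliest failure is older than the window relative to the success is dropped, which is the same effect the Occurs Within setting has on the rule.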