Alerting: Step 3: Add Conditions to a Rule Statement

Document created by RSA Information Design and Development on Jul 26, 2016. Last modified by RSA Information Design and Development on Jul 26, 2016. Version 2.

When you build a statement, you specify what a rule detects. You add conditions to make further stipulations, such as how many times or when the criteria must occur.

Example

The following graphic shows an example of the conditions for two Rule Builder statements. Combined, the statements and conditions comprise the rule criteria. 

[Figure RBCond5F1S.png: conditions for two Rule Builder statements]

This rule detects 5 failed logon attempts followed by one successful logon, which could be a sign that someone has guessed their way into a user account. These are the criteria for the rule:

  1. 5 failed logons are required.
  2. 1 successful logon must follow the failures.
  3. All events must occur within 3 minutes.
  4. Group alerts by user, because steps 1 and 2 must be performed by the same user.

Procedure

To add conditions to a rule statement:

  1. In the Conditions section, select a statement and click the Edit icon.
  2. For Occurs, enter a value to specify how many occurrences are required to meet the rule criteria.
  3. If you have multiple statements, in the Connector field select a logical operator to join one statement to another:
  • followed by
  • not followed by
  • AND
  • OR
  4. Correlated On applies only to not followed by.
    If you selected not followed by in the previous step, type the meta key that must not come next.
  5. If events must happen within a specific timeframe, enter a number of minutes in the Occurs Within field.
  6. If one meta key must be the same in each statement, enter the key in the Group By field. For example, in the rule that detects 5 failed logon attempts followed by 1 successful attempt, the user must be the same, so user_dst is the Group By meta key.
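The following script is an added example, not part of the RSA documentation or the Rule Builder itself. It evaluates the example rule from this page (failed logon Occurs 5, followed by successful logon Occurs 1, Occurs Within 3 minutes, Group By user_dst) over constructed sample events, so you can see how the Occurs, Occurs Within and Group By fields interact. The "outcome" field name and the event values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rule fields as set on this page: Occurs, Connector "followed by",
# Occurs Within, Group By.
FAILURES_REQUIRED = 5
OCCURS_WITHIN = timedelta(minutes=3)
GROUP_BY = "user_dst"

# Constructed sample events (time, user_dst, outcome). "outcome" is an
# assumed field name. Users are interleaved on purpose to exercise Group By.
SAMPLE_EVENTS = [
    ("10:00:00", "alice", "failure"),
    ("10:00:10", "bob",   "failure"),
    ("10:00:20", "alice", "failure"),
    ("10:00:30", "bob",   "failure"),
    ("10:00:40", "alice", "failure"),
    ("10:01:00", "alice", "failure"),
    ("10:01:20", "alice", "failure"),
    ("10:01:40", "carol", "failure"),
    ("10:01:50", "carol", "success"),  # only 1 failure before it: no alert
    ("10:02:00", "alice", "success"),  # 5 failures + success in 2 min: alert
    ("10:03:30", "bob",   "failure"),
    ("10:04:00", "bob",   "failure"),
    ("10:04:30", "bob",   "failure"),
    ("10:05:00", "bob",   "success"),  # bob's first 2 failures fell out of the window
]

def to_events(rows, day="2016-07-26"):
    return [{"time": datetime.fromisoformat(f"{day} {t}"), GROUP_BY: u, "outcome": o}
            for t, u, o in rows]

def failed_then_success(events, required=FAILURES_REQUIRED, within=OCCURS_WITHIN):
    """Return [(user, alert_time)] for each user whose failed logons (>= required)
    are followed by a successful logon, all inside the Occurs Within window."""
    failures = defaultdict(list)   # Group By: one failure window per user_dst
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, now = ev[GROUP_BY], ev["time"]
        if ev["outcome"] == "failure":
            # keep only failures that are still inside the Occurs Within window
            failures[user] = [t for t in failures[user] if now - t <= within] + [now]
        elif ev["outcome"] == "success":
            if len([t for t in failures[user] if now - t <= within]) >= required:
                alerts.append((user, now))
            failures[user].clear()    # a success ends the sequence either way
    return alerts

if __name__ == "__main__":
    for user, when in failed_then_success(to_events(SAMPLE_EVENTS)):
        print(f"ALERT {user}: {FAILURES_REQUIRED} failed logons then success at {when:%H:%M:%S}")
```

Only alice triggers the rule: bob also has 5 failures and a success, but his first two failures are older than 3 minutes when the success arrives, so the Occurs Within condition is not met.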