Aggregation in Rules
Hello to all,
I am learning about Rules, and I would like to get an answer to the following question: When creating a rule, MUST there be something coded in the "Unique" or the "Identical" portion of the Aggregation - OR - are the Conditions enough to make the rule fire?
Thank you in advance.
Have a great day!!
There has to be at least one thing in there, even if it is a rule that fires off a single event. Also, without any information "carried over" from the base event to the correlated event, there will be a distinct lack of info in the correlated event to analyze or be useful.
Thank you Johathan!! I appreciate the help.
You mentioned "a rule that fires off a single event" and I am wondering - What needs to be coded in Aggregation, or anywhere else in the Rule for that matter, in order to fire the rule based on a single event?
If it is firing off of a single event, any field will do. But I think the point he was attempting to make was that, if you don't put any fields in the aggregation, the rule will have no data to reference, which results in no context on the rule event.
A good rule of thumb is to put in the fields which you care about for that 'type' of rule...
Examples (these aren't perfect, just examples! 😞
1) User lockout - source ip, source hostname, dest ip, dest hostname, dest username
2) Auditable system hack event - event name, device information (address, hostname, vendor, product), source / destination address/hostname
When the fields are put into the aggregation, it will carry that information over to the rule event, which is beneficial as you don't have to examine the sub-events of the rule to see what triggered the alert.
A word of caution is around the event name aggregation. This can cause rule looping and other unintended consequences if you are not careful.
I think Ray clarified pretty well, but just to add, 80% of the time we will be using "identical" and not "unique". A good use case for the unique feature is to detect a port scan, where all the destination ports must be unique for a given period of time.
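As an added illustration (not from this thread and not the product's own rule engine), here is a small Python replay of the two aggregation styles discussed above: "identical" aggregation, whose fields are carried into the correlated event as its context, and "unique" aggregation, which counts distinct values for the port-scan case. The event field names, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events; field names are assumptions modelled on the thread's examples.
EVENTS = [
    {"ts": 0, "name": "Failed Login", "src_ip": "10.0.0.5", "dst_user": "alice"},
    {"ts": 20, "name": "Failed Login", "src_ip": "10.0.0.5", "dst_user": "bob"},
    {"ts": 30, "name": "Failed Login", "src_ip": "10.0.0.5", "dst_user": "alice"},
    {"ts": 45, "name": "Failed Login", "src_ip": "10.0.0.5", "dst_user": "alice"},
] + [
    {"ts": 100 + i, "name": "Connection Attempt", "src_ip": "10.0.0.9",
     "dst_ip": "10.0.0.20", "dst_port": p}
    for i, p in enumerate([22, 80, 80, 443, 80, 8080, 3389])
]


def run_rule(events, name, condition, identical, threshold, window, unique=None):
    """Replay events through one rule; return the correlated events it fires.
    identical: fields that must match for events to aggregate, carried over to
               the correlated event as its context.
    unique:    optional field whose distinct values are counted instead of events."""
    buckets = defaultdict(list)
    fired = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not condition(ev):
            continue
        key = tuple(ev[f] for f in identical)
        # keep only events still inside the sliding time window, then add this one
        bucket = [e for e in buckets[key] if ev["ts"] - e["ts"] <= window] + [ev]
        seen = {e[unique] for e in bucket} if unique else None
        count = len(seen) if unique else len(bucket)
        if count >= threshold:
            correlated = dict(zip(identical, key), rule=name, count=count, ts=ev["ts"])
            if unique:
                correlated[unique] = sorted(seen)
            fired.append(correlated)
            bucket = []  # reset so the same events do not fire the rule again
        buckets[key] = bucket
    return fired


def lockouts():
    # "identical" aggregation: 3 failed logins for the same source and user within 60 s
    return run_rule(EVENTS, "User lockout", lambda e: e["name"] == "Failed Login",
                    identical=("src_ip", "dst_user"), threshold=3, window=60)


def port_scans():
    # "unique" aggregation: 5 distinct destination ports from one source to one host in 10 s
    return run_rule(EVENTS, "Port scan", lambda e: e["name"] == "Connection Attempt",
                    identical=("src_ip", "dst_ip"), unique="dst_port", threshold=5, window=10)
```

Note that the repeated hits on port 80 count as one value under "unique" aggregation, whereas a plain event count would have crossed the threshold earlier and without the list of ports in the correlated event.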