
Aggregation in Rules

Hello to all,

I am learning about Rules, and I would like to get an answer to the following question: When creating a rule, MUST there be something coded in the "Unique" or the "Identical" portion of the Aggregation - OR - are the Conditions enough to make the rule fire?

Thank you in advance.

Have a great day!!


There has to be at least one thing in there, even if it is a rule that fires off a single event. Also, without any information "carried over" from the base event to the correlated event, there will be a distinct lack of info in the correlated event to analyze or be useful.

Thank you Johathan!!  I appreciate the help.

You mentioned "a rule that fires off a single event" and I am wondering - What needs to be coded in Aggregation, or anywhere else in the Rule for that matter, in order to fire the rule based on a single event?

If it is firing off of a single event, any field will do.  But I think the point he was attempting to make was that, if you don't put any fields in the aggregation, the rule will have no data to reference, which results in no context on the rule event.

A good rule of thumb is to put in the fields which you care about for that 'type' of rule...

Examples (these aren't perfect, just examples!):

1) User lockout - source ip, source hostname, dest ip, dest hostname, dest username

2) Auditable system hack event - event name, device information (address, hostname, vendor, product), source / destination address/hostname

When the fields are put into the aggregation, it will carry that information over to the rule event, which is beneficial as you don't have to examine the sub-events of the rule to see what triggered the alert.

A word of caution is around the event name aggregation.  This can cause rule looping and other unintended consequences if you are not careful.

I think Ray clarified pretty well, but just to add, 80% of the time we will be using "identical" and not "unique". A good use case for the unique feature is to detect a port scan, where all the destination ports must be unique for a given period of time.

- Amit

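To make the "identical" versus "unique" distinction from the replies above concrete, here is an added Python simulation of how such a rule evaluates (it is not ArcSight code and not from any poster). It assumes flat events with constructed field names (src, dport, name, t) and shows both a unique-port port-scan rule and an identical-only repeat-hit rule, with the aggregated fields carried into the correlated event.

```python
from collections import defaultdict

# Constructed sample events (assumed field names, not a real SIEM export).
# t is seconds since the start of the capture.
EVENTS = [
    {"t": 0,  "src": "10.0.0.5", "dport": 22,   "name": "TCP SYN"},
    {"t": 5,  "src": "10.0.0.5", "dport": 80,   "name": "TCP SYN"},
    {"t": 9,  "src": "10.0.0.5", "dport": 443,  "name": "TCP SYN"},
    {"t": 12, "src": "10.0.0.5", "dport": 22,   "name": "TCP SYN"},  # repeat port
    {"t": 15, "src": "10.0.0.5", "dport": 445,  "name": "TCP SYN"},
    {"t": 20, "src": "10.0.0.5", "dport": 3389, "name": "TCP SYN"},
    {"t": 22, "src": "10.0.0.9", "dport": 80,   "name": "TCP SYN"},
    {"t": 30, "src": "10.0.0.9", "dport": 80,   "name": "TCP SYN"},
]

def evaluate_rule(name, events, condition, identical, unique, threshold, window):
    """Events matching `condition` are grouped on the `identical` fields.
    With `unique` fields set, the rule counts distinct values of those fields
    inside the group; with none, it simply counts matching events.  When the
    count reaches `threshold` within `window` seconds, a correlated event is
    emitted that carries the identical fields over as context."""
    groups = defaultdict(list)   # identical-field values -> events in window
    fired = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if not condition(ev):
            continue
        key = tuple(ev[f] for f in identical)
        bucket = groups[key]
        bucket.append(ev)
        bucket[:] = [e for e in bucket if ev["t"] - e["t"] <= window]  # slide window
        if unique:
            count = len({tuple(e[f] for f in unique) for e in bucket})
        else:
            count = len(bucket)
        if count >= threshold:
            fired.append({"rule": name, **{f: ev[f] for f in identical},
                          "count": count, "base_events": len(bucket)})
            bucket.clear()       # reset so each burst fires once, not per event
    return fired

def run_port_scan_rule():
    # "unique" aggregation: one source hitting many distinct destination ports
    return evaluate_rule("port_scan", EVENTS, lambda e: e["name"] == "TCP SYN",
                         identical=["src"], unique=["dport"], threshold=5, window=60)

def run_repeat_hit_rule():
    # "identical" aggregation only: the same source hitting the same port repeatedly
    return evaluate_rule("repeat_hit", EVENTS, lambda e: e["name"] == "TCP SYN",
                         identical=["src", "dport"], unique=[], threshold=2, window=60)
```

With identical=[] the correlated event would carry only the rule name and counts, which is the "no context" situation Ray warns about.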