Rule Structure
A rule describes a pattern to look for within a given time window.
It contains a list of event group definitions (at least one), and the correlation criteria that are used to join those event groups (if there is more than one event group). A rule can also be valid for only a given period of time.
All mandatory parameters are explained here. The optional parameters are in square brackets [ ].
```
Valid From yyyy-MM-dd hh:mm:ss To yyyy-MM-dd hh:mm:ss ) ]
[ <identifier environment> ]
USE <source identifier> (, <source identifier>)*
Within <integer> [ d | h | m | s ] [ Fixed | Sliding ]
<event group 1>
<event group 2>
…
[ Correlation
  <correlation criteria 1>
  <correlation criteria 2>
  … ]
[ Autofill ]
( Set <expression> AS <identifier> )*
[ Inject Correlation Event ]
[ LIMIT <integer> CORRELATION EVENTS ]
```
| Parameter | Description |
|---|---|
| Rule <identifier environment> | The rule name, defined using an identifier and the environment. For details, see Identifier Environment. |
| USE | The list of log sources used by the rule. Multiple log sources must be separated by commas (,). |
| Within | The time window, defined as an integer in days, hours, minutes, or seconds. |
| Event Group | Each event group describes the criteria that events must meet to be grouped together as part of the rule. This is equivalent to a single search in EQL. For details, see Event Group Structure. |
| Correlation <correlation criteria> | The correlation criteria describe the joins and other constraints that the various event groups must satisfy to trigger the rule. For details, see Correlation Criteria. |
| LIMIT | The limit on the number of correlation events is effective only for "replay" instances when Inject Correlation Event is not set. The default limit is 10,000. |
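As an added illustration (not the product's own parser), the following Python extracts the header clauses described in this table from a rule text and applies the stated default of 10,000 correlation events. The sample rule, its names and values, the placeholder event-group lines, and the choice to read a Within value without a unit as seconds are all assumptions.

```python
import re
from datetime import datetime
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}  # units allowed after Within
DEFAULT_LIMIT = 10_000  # default correlation-event limit given in the table
TS = "%Y-%m-%d %H:%M:%S"  # yyyy-MM-dd hh:mm:ss

def parse_rule_header(text):
    """Parse a rule's header clauses (validity period, USE, Within, LIMIT, Inject).
    Event groups and correlation criteria are left to their own parsers.
    Assumption: a Within value with no unit is taken as seconds."""
    hdr = {"valid_from": None, "valid_to": None, "sources": [], "window_seconds": None,
           "window_mode": None, "inject_correlation_event": False, "limit": DEFAULT_LIMIT}
    m = re.search(r"Valid\s+From\s+(\S+ \S+)\s+To\s+(\S+ \S+)", text, re.I)
    if m:  # optional validity period
        hdr["valid_from"], hdr["valid_to"] = (datetime.strptime(g, TS) for g in m.groups())
        if hdr["valid_to"] <= hdr["valid_from"]:
            raise ValueError("Valid To must be later than Valid From")
    m = re.search(r"\bUSE\s+(.+?)\s+Within\b", text, re.I | re.S)  # both are mandatory
    if not m:
        raise ValueError("USE ... Within is mandatory")
    hdr["sources"] = [s.strip() for s in m.group(1).split(",") if s.strip()]
    if not hdr["sources"]:
        raise ValueError("USE needs at least one source identifier")
    # the \b after the unit stops the 's' of 'Sliding' being read as a unit
    m = re.search(r"\bWithin\s+(\d+)\s*(?:([dhms])\b)?\s*(Fixed|Sliding)?", text, re.I)
    if not m:
        raise ValueError("Within needs an integer window")
    hdr["window_seconds"] = int(m.group(1)) * UNIT_SECONDS[(m.group(2) or "s").lower()]
    hdr["window_mode"] = m.group(3).capitalize() if m.group(3) else None  # page gives no default
    hdr["inject_correlation_event"] = bool(re.search(r"\bInject\s+Correlation\s+Event\b", text, re.I))
    m = re.search(r"\bLIMIT\s+(\d+)\s+CORRELATION\s+EVENTS\b", text, re.I)
    if m:
        hdr["limit"] = int(m.group(1))
    return hdr

def rule_active_at(hdr, when):
    """True when the rule has no validity period or `when` lies inside it."""
    return hdr["valid_from"] is None or hdr["valid_from"] <= when <= hdr["valid_to"]

# Constructed sample (name, sources and values are placeholders; the two
# event-group lines stand in for syntax documented under Event Group Structure).
SAMPLE_RULE = """
Rule brute_force_then_success
( Valid From 2024-01-01 00:00:00 To 2024-12-31 23:59:59 )
USE auth_logs, vpn_logs
Within 15 m Sliding
<event group 1>
<event group 2>
LIMIT 5000 CORRELATION EVENTS
"""
```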
Copyright © 2020. Cloud Software Group, Inc. All Rights Reserved.