Alert rule syntax

An alert rule consists of two parts:

Matching expression

A combination of clauses that express a condition on the attributes of an object.

A matching expression has the following format:

object_type . attribute_type: [relation] value

The matching expression consists of four parts:

  • object_type The object type to be matched. The following object type is supported:

    • network_event

    The object type and its attribute are separated by a dot (.).

  • attribute_type The attribute to be matched (see Attribute entries).

    The object_type.attribute_type is separated from the [relation] and value by a colon (:).

  • [relation] The relation between the object attribute and the value to match against. If no relation is specified, equality is the default. Supported relation types are:

    • Equality (:)

    • Greater than (>)

    • Less than (<)

  • value The value to match against the object_type.attribute_type of the incoming events.

Multiple matching expressions are separated by the logical operators AND, OR, and NOT.

Actions

One or more modifications to be performed on the object.

An action has the following format:

action : target = value

The action consists of three parts:

  • action The action to be performed (see Supported actions). The action and its target are separated by a colon (:).

  • target The target the action applies to (each action lists its supported targets under Supported actions).

  • value The optional value to apply to the target.

Multiple actions are separated by a comma (,) and are applied in the same order in which they were defined.

Attribute entries

  • source

    • client_ip Matches an IP address or an IP address range. Address value must be an exact match.

      (network_event.client_ip: 142.42.1.6/24)
    • other_host_hostname Matches the hostname of the other host associated with the event. Wildcard comparisons are supported: * for multiple characters, ? for single characters. You must escape (\) the wildcard characters to match a literal * or ?.

      (network_event.other_host_hostname: host.example.com)
    • other_host_in_homenet If true, matches if the IP address of the other host associated with the event is in the home network. Expects a boolean value.

      (network_event.other_host_in_homenet: false)
    • other_host_ip Matches an IP address or an IP address range. Address value must be an exact match.

      (network_event.other_host_ip: 10.10.4.2)
    • other_host_tag Matches a host tag. Select an existing host tag.

      (network_event.other_host_tag: tag)
    • relevant_host_in_homenet If true, matches if the IP address of the relevant host associated with the event is in the home network. Expects a boolean value.

      (network_event.relevant_host_in_homenet: true)
    • relevant_host_ip Matches an IP address or an IP address range. Address value must be an exact match.

      (network_event.relevant_host_ip: 42.6.7.0/16)
    • relevant_host_tag Matches a host tag. Select an existing host tag.

      (network_event.relevant_host_tag: tag)
    • relevant_host_whitelisted Matches if the relevant host's IP address has been silenced (whitelisted). Expects a boolean value.

      (network_event.relevant_host_whitelisted: true)
    • server_ip Matches an IP address or an IP address range. Address value must be an exact match.

      (network_event.server_ip: 12.6.6.6)
    • server_port Matches a port number. Integer comparisons are performed: equality, inequality, greater-than, less-than, etc.

      (network_event.server_port: 7777)
    • transport_protocol Matches either "TCP" or "UDP".

      (network_event.transport_protocol: UDP)
  • url

    • full_url Matches at least one URL in the event. Wildcard comparisons are supported: * for multiple characters, ? for single characters. You must escape (\) the wildcard characters to match a literal * or ?.

      For example, the query string character ? must be escaped (\?):

      (network_event.full_url: https://www.example.com/resource/path\?r=start&v=cK5G8fPmWeA)
    • normalized_url Matches at least one normalized URL (a URL without the query string) in the event. Wildcard comparisons are supported: * for multiple characters, ? for single characters. You must escape (\) the wildcard characters to match a literal * or ?.

      (network_event.normalized_url: https://www.example.com/resource/path/)
    • resource_path Matches at least one URL resource path in the event. Wildcard comparisons are supported: * for multiple characters, ? for single characters. You must escape (\) the wildcard characters to match a literal * or ?.

      (network_event.resource_path: /resource/path/)
  • detection

    • custom_ids_rule_id Matches an ID for an IDS rule. The numeric value must be an exact match.

      (network_event.custom_ids_rule_id: 987654321)
    • detector Matches the name/unique identifier of the module that detected the event. The string value must be an exact match.

      (network_event.detector: llrules:1532130206460)
    • event_outcome Matches either "DETECTION" or "INFO".

      (network_event.event_outcome: DETECTION)
    • event_type Matches one of "BINARYDOWNLOAD", "DNS", "DNSANOMALY", "DYNAMICIP", "HTTPANOMALY", "IDS", "IP", "LLANTARULE", "NETFLOW", "NETFLOWANOMALY", "NETWORK", "TLSANOMALY", or "URL".

      (network_event.event_type: IDS)
    • llanta_rule_uuid Matches the UUID of a system rule. The numeric value must be an exact match.

      (network_event.llanta_rule_uuid: b579caeec719415cb04f925f8f187cb0)
    • operation Matches one of "BLOCK", "INFO", "LOG", or "TEST".

      (network_event.operation: BLOCK)
    • threat Matches a valid string defining a threat. Wildcard comparisons are supported: * for multiple characters, ? for single characters. You must escape (\) the wildcard characters to match a literal * or ?.

      (network_event.threat: Torn RAT)
    • threat_class Matches a threat class. The string value must be an exact match.

      (network_event.threat_class: Malicious File Execution)
  • file

    • av_class Matches at least one av_class analysis tag. The string value must be an exact match.

      (network_event.av_class: exploit)
    • file_category Matches one of the supported categories of files. The string value must be an exact match.

      (network_event.file_category: Java)
    • file_md5 Matches a valid MD5 sum.

      (network_event.file_md5: bb4f64ddfb8704d2bf69b0216be7f837)
    • file_sha1 Matches a valid SHA1 sum.

      (network_event.file_sha1: c3e266ede7f6fec7a021a4ae0edf248848d5ae06)
    • file_size Matches a file size in bytes. It must be a valid integer. Integer comparisons are performed: equality, inequality, greater-than, less-than, etc.

      (network_event.file_size: > 1042249837)
    • file_type Matches a valid string defining a file type. Wildcard comparisons are supported: * for multiple characters, ? for single characters. You must escape (\) the wildcard characters to match a literal * or ?.

      (network_event.file_type: ?xecutable)
    • malware Matches at least one av_family or lastline_malware analysis tag. The string value must be an exact match.

      (network_event.malware: emotet)
    • malware_activity Matches at least one activity analysis tag. The string value must be an exact match.

      (network_event.malware_activity: Execution: Spawning Powershell with too many parameters)
  • other

    • custom_tag Matches a user-defined tag assigned to events. See tag. The string value must be an exact match.

      (network_event.custom_tag: tagged_event)
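
An evaluator for the matching-expression syntax above, added here as an example and not code from the product: it parses clauses joined by AND/OR/NOT, applies the relation rules the page describes (exact address or CIDR range for the *_ip attributes, integer comparison for > and <, booleans for the *_in_homenet and *_whitelisted attributes, wildcard matching with \* and \? escapes for the attributes listed that way, exact matching for the rest) and runs them over a constructed sample event. The EVENT dict, the WILDCARD_ATTRS set and the "at least one value" list handling are assumptions drawn from the attribute entries.

```python
import re
import ipaddress
# Attributes the page lists with wildcard matching; every other string attribute is exact.
WILDCARD_ATTRS = {"other_host_hostname", "full_url", "normalized_url",
                  "resource_path", "threat", "file_type"}
# One clause: object_type.attribute_type: [relation] value, optionally in parentheses.
CLAUSE = re.compile(r"^\(?\s*(\w+)\.(\w+)\s*:\s*([<>])?\s*(.*?)\s*\)?$")

def wildcard_match(pattern, text):
    """* matches any run, ? one character; \\* and \\? match a literal * or ?."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?":
            regex, i = regex + re.escape(pattern[i + 1]), i + 2
        else:
            regex, i = regex + {"*": ".*", "?": "."}.get(pattern[i], re.escape(pattern[i])), i + 1
    return re.fullmatch(regex, text) is not None

def clause_matches(clause, event):
    """Evaluate one clause against an event given as a dict of attribute -> value(s)."""
    m = CLAUSE.match(clause.strip())
    if not m or m.group(1) != "network_event":
        raise ValueError("bad clause: " + clause)
    attr, rel, value = m.group(2), m.group(3), m.group(4)
    actual = event.get(attr)
    if actual is None:                        # attribute absent from the event: no match
        return False
    if rel:                                   # > or <: integer comparison
        return int(actual) > int(value) if rel == ">" else int(actual) < int(value)
    if isinstance(actual, bool):              # *_in_homenet, *_whitelisted
        return actual == (value == "true")
    if attr.endswith("_ip"):                  # exact address or CIDR range
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    values = actual if isinstance(actual, list) else [actual]  # "at least one" attributes
    if attr in WILDCARD_ATTRS:
        return any(wildcard_match(value, str(v)) for v in values)
    return any(value == str(v) for v in values)

def rule_matches(expression, event):
    """Clauses joined by AND/OR (AND binds tighter); NOT negates the clause after it."""
    def one(c):
        c = c.strip()
        return not clause_matches(c[4:], event) if c.startswith("NOT ") else clause_matches(c, event)
    return any(all(one(c) for c in re.split(r"\s+AND\s+", grp))
               for grp in re.split(r"\s+OR\s+", expression.strip()))

EVENT = {  # constructed sample event (not from the page), using the page's attribute names
    "client_ip": "142.42.1.6", "server_port": 7777, "other_host_in_homenet": False,
    "event_type": "IDS", "file_size": 2048, "normalized_url": ["https://www.example.com/resource/path/"],
    "full_url": ["https://www.example.com/resource/path?r=start&v=cK5G8fPmWeA"]}
```

Note the difference between `*\?*` (requires a literal ? in the URL) and `*?*` (matches any non-empty URL) when evaluated against EVENT's normalized_url.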

Supported actions

  • demote Demotes the outcome of the matching event to a different mode.

    Supported targets: outcome.

    Allowed values: "INFO" or "TEST".

  • impact Sets a lower or upper bound on the impact of an event.

    Supported targets:

    • impact Sets the lower and upper bound to the same value.

    • max_impact Sets the upper bound on impact: the resulting impact is less than or equal to the value.

    • min_impact Sets the lower bound on impact: the resulting impact is greater than or equal to the value.

    Allowed values: an integer from 1-100.

  • suppress Suppresses all threats on the matching event. This results in it being scored as a false positive with an impact of zero (0), which effectively deletes the event.

    Supported targets: network_event.

    Allowed values: none.

  • tag Assigns a user-defined tag to the matching event.

    Supported targets: network_event.

    Allowed values: a valid string.
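
The action side of a rule, as an added example rather than the product's own code: it parses the comma-separated "action : target = value" list, applies each entry in the order written (so a max_impact followed by a min_impact ends differently from the reverse) and enforces the targets and allowed values listed above. The event is a plain dict; the attribute names it writes (event_outcome, impact, suppressed, custom_tag) and the sample EVENT are assumptions.

```python
def apply_actions(actions, event):
    """Apply 'action : target = value' entries, comma separated, in the order written.

    A copy of the event dict is modified and returned. Targets and allowed values
    follow the Supported actions list; the attribute names touched are assumptions.
    """
    out = dict(event)
    for entry in actions.split(","):
        name, _, rest = entry.partition(":")
        target, _, value = (part.strip() for part in rest.partition("="))
        name = name.strip()
        if name == "demote" and target == "outcome" and value in ("INFO", "TEST"):
            out["event_outcome"] = value
        elif name == "impact" and target in ("impact", "max_impact", "min_impact"):
            bound = int(value)
            if not 1 <= bound <= 100:
                raise ValueError("impact must be an integer from 1-100: " + value)
            current = out.get("impact", bound)
            out["impact"] = {"impact": bound, "max_impact": min(current, bound),
                             "min_impact": max(current, bound)}[target]
        elif name == "suppress" and target == "network_event" and not value:
            out["impact"], out["suppressed"] = 0, True   # scored as a false positive
        elif name == "tag" and target == "network_event" and value:
            out["custom_tag"] = out.get("custom_tag", []) + [value]
        else:
            raise ValueError("unsupported action: " + entry.strip())
    return out

# Constructed sample event (not from the page): a detection scored with impact 80.
EVENT = {"event_outcome": "DETECTION", "impact": 80}
```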