Network analysis rule sidebar

The network analysis rule sidebar allows you to create, copy, edit, or view a network analysis rule.

Click the cancel/close icon to close the sidebar. If you have unsaved changes, a confirmation pop-up is displayed before the sidebar closes.

Create a rule

To create a rule, fill in the following:

Rule name

Enter a name for the rule. The rule name must be unique. This field is required.

Rule description

Optionally, provide a description of the rule.

Impact

From the pull-down menu, select the impact level that is assigned to alerts this rule triggers. The default is 20.

Attack stage

Optionally, select an attack stage from the pull-down menu (see About attack stages for further information). The attack stage is assigned to alerts this rule triggers.

Rule parameters

By default, you add the rule using the Basic mode:

  1. From the Select rule pull-down menu, select one of the predefined rules.

  2. In the Set rule parameters section, provide the requested values. Which values are requested depends on the predefined rule you selected; each field is accompanied by a prompt describing the value and range it expects.

The Rule expression block shows the actual rule syntax. The values are updated as you change the parameters.

You can also write the rule expression directly by clicking the link to enter Advanced mode. To assist you, there is a link to the Network analysis rule syntax help page.

When you are done, click Save Rule.

Predefined rules

The following rules are defined for the network analysis rule sidebar:

Communicate with country

Matches flows from any of a list of source IP addresses to a destination whose GeoIP country is one of a list of ISO country codes, and creates a custom alert when a flow matches. You provide the IP addresses and the country codes when you fill in the parameters of this rule. The IP address field accepts a comma-separated list of IP addresses or CIDR ranges (a single host can be written as 1.2.3.4/32). The country code field accepts a comma-separated list of 2-letter ISO 3166 country codes; in the resulting expression these are matched against the netflow.geoip_dst field.

This example shows the resulting rule syntax:

(netflow.src_ip:1.2.3.4 OR netflow.src_ip:2.3.4.5 ...) AND (netflow.geoip_dst:CN OR netflow.geoip_dst:RU)

Source IP to destination IP

Matches flows from any of a list of source IP addresses to any of a list of destination IP addresses, and creates a custom alert when a flow matches. You provide both lists when you fill in the parameters of this rule. Each IP address field accepts a comma-separated list of IP addresses or CIDR ranges (a single host can be written as 1.2.3.4/32).

This example shows the resulting rule syntax:

(netflow.src_ip:1.2.3.4 OR netflow.src_ip:2.3.4.5 ...) AND (netflow.dst_ip:1.2.3.4 OR netflow.dst_ip:2.3.4.5 ...)
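The following Python script is an added example, not code from the product or from this page. It shows what the Basic-mode form does behind the scenes for both predefined rules: it parses the comma-separated IP/CIDR and country-code fields, rejects entries that are not valid addresses, CIDR ranges or 2-letter codes, assembles an expression in the shape shown above, and then evaluates that expression against a few constructed flow records so you can see which flows would raise the alert. It assumes the field names netflow.src_ip, netflow.dst_ip and netflow.geoip_dst exactly as they appear in the expressions above, and it assumes that a CIDR entry is written verbatim into the expression (the page only shows single addresses); the flow records at the bottom are made up for the demonstration.

```python
"""Build and evaluate the two predefined network analysis rule expressions.

Added example, not product code. Assumptions:
  - field names netflow.src_ip, netflow.dst_ip, netflow.geoip_dst (as shown on the page)
  - a CIDR range is emitted verbatim in the expression; a /32 is emitted as a bare address
  - the flow records in the demo are constructed, not real data
"""
import ipaddress
import re
from typing import Iterable, List, Mapping

_COUNTRY_RE = re.compile(r"^[A-Z]{2}$")


def parse_ip_list(text: str) -> list:
    """Parse the comma-separated IP/CIDR field into ip_network objects.

    Anything that is neither an address nor a CIDR range raises ValueError,
    which is the check the form's prompt asks the user to satisfy.
    """
    nets = []
    for item in (part.strip() for part in text.split(",")):
        if not item:
            continue  # tolerate trailing or doubled commas
        nets.append(ipaddress.ip_network(item, strict=False))  # bare address -> /32 or /128
    if not nets:
        raise ValueError("at least one IP address or CIDR range is required")
    return nets


def parse_country_list(text: str) -> List[str]:
    """Parse the comma-separated country-code field; codes are upper-cased and must be 2 letters."""
    codes = []
    for item in (part.strip().upper() for part in text.split(",")):
        if not item:
            continue
        if not _COUNTRY_RE.match(item):
            raise ValueError(f"not a 2-letter ISO 3166 code: {item!r}")
        codes.append(item)
    if not codes:
        raise ValueError("at least one country code is required")
    return codes


def _net_text(net) -> str:
    """Render a single host as a bare address and a real range as CIDR (assumption, see docstring)."""
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def _or_group(field: str, values: Iterable[str]) -> str:
    """'(field:v1 OR field:v2 ...)' -- the grouping shown in the page's example expressions."""
    return "(" + " OR ".join(f"{field}:{v}" for v in values) + ")"


def communicate_with_country(src_ip_field: str, country_field: str) -> str:
    """Expression for the 'Communicate with country' predefined rule."""
    srcs = [_net_text(n) for n in parse_ip_list(src_ip_field)]
    return _or_group("netflow.src_ip", srcs) + " AND " + _or_group("netflow.geoip_dst", parse_country_list(country_field))


def source_ip_to_destination_ip(src_ip_field: str, dst_ip_field: str) -> str:
    """Expression for the 'Source IP to destination IP' predefined rule."""
    srcs = [_net_text(n) for n in parse_ip_list(src_ip_field)]
    dsts = [_net_text(n) for n in parse_ip_list(dst_ip_field)]
    return _or_group("netflow.src_ip", srcs) + " AND " + _or_group("netflow.dst_ip", dsts)


def _group_matches(group: str, record: Mapping[str, str]) -> bool:
    """True if any term in '(field:value OR ...)' matches the record.

    *_ip fields match by CIDR containment, so 10.0.0.0/8 covers 10.20.30.40;
    other fields (the GeoIP country) match by exact string.
    """
    for term in group.strip("()").split(" OR "):
        field, value = term.split(":", 1)  # field names carry no ':', so IPv6 values survive
        actual = record.get(field)
        if actual is None:
            continue
        if field.endswith("_ip"):
            if ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False):
                return True
        elif actual == value:
            return True
    return False


def matches(rule: str, record: Mapping[str, str]) -> bool:
    """Evaluate an expression of the two-group shape built above against one flow record."""
    left, right = rule.split(" AND ", 1)
    return _group_matches(left, record) and _group_matches(right, record)


if __name__ == "__main__":
    rule = communicate_with_country("1.2.3.4, 10.0.0.0/8", "cn, ru")
    print(rule)
    # Constructed flow records for the demonstration
    flows = [
        {"netflow.src_ip": "10.20.30.40", "netflow.geoip_dst": "RU"},   # matches via CIDR
        {"netflow.src_ip": "1.2.3.4", "netflow.geoip_dst": "US"},       # wrong country
        {"netflow.src_ip": "192.168.1.1", "netflow.geoip_dst": "CN"},   # source not listed
    ]
    for f in flows:
        print(f, "->", "ALERT" if matches(rule, f) else "no match")
```

Note that the evaluator only understands the two-group shape these two predefined rules produce; an expression hand-written in Advanced mode can use whatever the rule syntax help page allows and is outside what this script checks.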

Modify a rule

The sidebar is prepopulated with the rule's current values. The parameters are the same as those described above (Create a rule); change them as needed.

Note that the Rule name is read-only.

When you are done, click Save Rule.

Copy a rule

Copying works like editing a network analysis rule (see Modify a rule, above), except that you must provide a new, unique Rule name. You can then change any of the other parameters.

When you are done, click Save Rule.

View a rule

The sidebar displays in read-only mode, allowing you to view all the parameters of the selected network analysis rule.

Click the edit icon to edit the rule.

Click the clone (duplicate) icon to copy the rule.

Click the delete icon to delete the rule. A confirmation pop-up is displayed. Click Delete to delete the rule and close the pop-up.

Click the cancel/close icon to close the sidebar.