
Rule Builder

Only administrators can take this action.

The Axon Rule Builder allows you to create your own custom rules within the Axon system. These rules can be tailored to collect and process logs from any log source type to suit your needs.

Search results that are generated because a rule's criteria have been met are called Observations.

Create a Rule

To create a new, customized rule in Axon using the Rule Builder tool, from the Rules page:

  1. Click the Action menu in the upper-right corner and click Add Rule.
    The Analytics Rule Builder screen appears.
  2. Enter the following information on the Attributes tab. Fields marked with an asterisk (*) are required.

    Rule Name *
    Enter a unique name for the new rule.

    Description
    Enter an optional detailed description for the new rule.

    Group By *
    Open the drop-list and check each field you would like to use when filtering and summarizing the observation. For example, if an observation is grouped on three object fields, the information contained in those three fields is shown in the observation window.

    Common Event Assignment *
    Open the drop-list and select a description to be assigned to any observations created as a result of this rule being enforced.

    Threat Level
    Open the drop-list and select a threat level to be assigned to any observations created as a result of this rule being enforced. This allows users to search for observations by threat level.

    Additional Metadata
    Additional metadata fields can be associated with observations created as a result of this rule being enforced, which allows you to narrow observation searches even further. Click New Assignment to add another metadata field row. Click the remove icon next to a row to remove it.

      Metadata Field: Open the drop-list and select a metadata field to associate with observations created as a result of this rule being enforced.
      Value: Enter the value to appear in the selected metadata field.

    Enable Suppression
    In certain cases, rules can fire multiple times in quick succession, creating a lot of extra "noise" in the form of observations and cases that contain duplicate information. Enabling suppression starts a "clock" that prevents the rule from firing, and from creating additional cases and observations, more than once within the configured timeframe.

      Timeframe: Select the amount of time during which this rule is suppressed after it triggers. By default, the timeframe is one hour, meaning that after the rule triggers once, one hour must pass before it can trigger again.

      Group By (Optional): The fields selected in the Group By drop-list above are listed here. Check each field that should be compared when deciding whether to suppress. Observations triggered by this rule are suppressed only if the values of all checked Group By fields match exactly; the more fields you check, the less likely an observation is to be suppressed, because more values must coincide.

    Create Case
    Click the toggle to turn it on to automatically create new Case Management cases when this rule fires. For more information on creating cases this way, refer to the Automatically Create Cases with Rule Builder section of the Add a New Case page.

    To determine whether Axon creates a new case or updates an existing case when a rule with case creation enabled fires, Axon considers the following:

    1. Are there any cases with an Open status that were created by the same rule firing?

    2. If yes, Axon evaluates the "group by" fields of the rule.

      1. If all of the "group by" fields match exactly, the triggering logs are added to the existing open case.

      2. If the "group by" fields do not match exactly, a new case is created and the triggering logs are added to that new case.

  3. Click the Build tab.
  4. Build the new rule using the following "rule blocks" on the left-hand side:

    Log Observed
    This rule block is satisfied when a single log matching the specified filter is observed by Axon.

    Count Threshold Observed
    This rule block is satisfied when the number of logs matching the specified filter that Axon observes within the configured time range meets the configured threshold.

    Count Unique Values Observed
    This rule block is satisfied when the number of distinct values in the configured metadata field, across logs matching the specified filter, meets or exceeds the given threshold within the specified time range.

    Rule blocks must be added in order and be connected with "Followed by" links.

    To link rule blocks, enter a timeframe in the Link Relationship Settings field that specifies the timeframe during which the previous and next rule blocks must both be satisfied in order to trigger the rule.

  5. For each rule block added to the rule builder, the following fields must be configured:

    Filter Query (Log Observed, Count Threshold Observed, and Count Unique Values Observed)

    Using the syntax outlined in Build a Search Query, create the query that determines which logs match the rule block. For example, to match logs of successful authentications, use the following string:

        general_information.common_event CONTAINS "Authentication Success"

    Threshold (Count Threshold Observed)

    Enter the count or aggregate threshold that determines when the rule block is satisfied. For example, if the rule should trigger when more than three logs meet the filter criteria, enter the following:

        > 3

    Unique Value Count Threshold (Count Unique Values Observed)

    Enter the number of unique values that must be counted in the Unique Value field (below) to trigger the rule.

    Unique Value (Count Unique Values Observed)

    Select the metadata field to be scanned for unique values. For example, if the Unique Value Count Threshold is set to 5 and the Unique Value is origin.account.name, the rule triggers when the results of the Filter Query above contain five unique origin account names within the Timeframe set below.

    Timeframe (Count Threshold Observed and Count Unique Values Observed)

    Enter the amount of time during which the threshold must be met to trigger this rule.
  6. Click Save to create the rule in a disabled status, or click Save & Enable to create and enable the rule immediately.

    Rules cannot be enabled if errors exist in the rule block configurations. Any configuration errors with rule blocks or links are highlighted in red.

    At least one correctly configured rule block must exist for a rule to be saved.
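The following Python example is added here and is not LogRhythm's or Axon's code. It models, over a constructed set of logs, the three rule blocks described above (Log Observed, Count Threshold Observed with a "> 3" threshold, Count Unique Values Observed on origin.account.name with a threshold of 5), then pushes the resulting observation through the suppression clock keyed on Group By values and through the case create-or-update decision from the Attributes tab. The flattened dotted field names, the case-insensitive substring semantics assumed for CONTAINS, the rule name and the "ws1"/"ws2" host values are all assumptions, not Axon behaviour documented on this page.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not taken from the page). Keys mirror the dotted
# field paths used in the Filter Query examples, flattened into a dict.
T0 = datetime(2024, 1, 1, 12, 0, 0)
LOGS = [
    {"ts": T0 + timedelta(minutes=m), "general_information.common_event": ev,
     "origin.account.name": acct, "origin.host.name": host}
    for m, ev, acct, host in [
        (0, "Authentication Success", "alice", "ws1"),
        (1, "Authentication Success", "bob", "ws1"),
        (2, "Authentication Failure", "carol", "ws2"),
        (3, "Authentication Success", "carol", "ws1"),
        (4, "Authentication Success", "dave", "ws1"),
        (5, "Authentication Success", "alice", "ws1"),
        (90, "Authentication Success", "erin", "ws3"),  # outside a 1h window ending at minute 6
    ]
]

def matches(log, field_path, needle):
    """Assumed CONTAINS semantics: case-insensitive substring match on one field."""
    return needle.lower() in str(log.get(field_path, "")).lower()

def in_window(logs, now, timeframe):
    """Keep only logs whose timestamp lies within [now - timeframe, now]."""
    return [entry for entry in logs if now - timeframe <= entry["ts"] <= now]

def log_observed(logs, field_path, needle):
    """'Log Observed' block: satisfied as soon as one log matches the filter."""
    return any(matches(entry, field_path, needle) for entry in logs)

def count_threshold(logs, field_path, needle, minimum, timeframe, now):
    """'Count Threshold Observed' block with a '> minimum' threshold (page example: > 3)."""
    hits = [e for e in in_window(logs, now, timeframe) if matches(e, field_path, needle)]
    return len(hits) > minimum, len(hits)

def count_unique(logs, field_path, needle, unique_field, threshold, timeframe, now):
    """'Count Unique Values Observed' block: distinct values of unique_field must meet the threshold."""
    hits = [e for e in in_window(logs, now, timeframe) if matches(e, field_path, needle)]
    distinct = {e.get(unique_field) for e in hits}
    return len(distinct) >= threshold, len(distinct)

class Suppressor:
    """Suppression clock keyed on the rule name plus the checked Group By field values."""

    def __init__(self, timeframe=timedelta(hours=1)):
        self.timeframe = timeframe
        self.last_fired = {}

    def allow(self, rule_name, group_values, now):
        key = (rule_name, tuple(sorted(group_values.items())))
        last = self.last_fired.get(key)
        if last is not None and now - last < self.timeframe:
            return False  # still inside the suppression window for this group
        self.last_fired[key] = now
        return True

def route_to_case(open_cases, rule_name, group_values, triggering_logs):
    """Create-or-update decision: reuse an Open case from the same rule whose Group By
    values match exactly, otherwise open a new case."""
    for case in open_cases:
        if case["status"] == "Open" and case["rule"] == rule_name and case["group_by"] == group_values:
            case["logs"].extend(triggering_logs)
            return "updated", case
    case = {"rule": rule_name, "status": "Open", "group_by": dict(group_values), "logs": list(triggering_logs)}
    open_cases.append(case)
    return "created", case

def run_demo():
    """Evaluate the three blocks, then run the observation through suppression and case routing."""
    now, hour = T0 + timedelta(minutes=6), timedelta(hours=1)
    field_path, needle = "general_information.common_event", "Authentication Success"
    results = {
        "log_observed": log_observed(LOGS, field_path, needle),
        "count_threshold": count_threshold(LOGS, field_path, needle, 3, hour, now),
        "count_unique": count_unique(LOGS, field_path, needle, "origin.account.name", 5, hour, now),
    }
    sup = Suppressor(hour)
    rule = "Hypothetical auth-burst rule"  # assumed rule name
    ws1, ws2 = {"origin.host.name": "ws1"}, {"origin.host.name": "ws2"}
    results["suppression"] = [
        sup.allow(rule, ws1, now),                           # first firing: allowed
        sup.allow(rule, ws1, now + timedelta(minutes=10)),   # same Group By values within 1h: suppressed
        sup.allow(rule, ws2, now + timedelta(minutes=10)),   # different Group By value: allowed
        sup.allow(rule, ws1, now + timedelta(minutes=61)),   # clock expired: allowed again
    ]
    cases = []
    hits = [e for e in LOGS if matches(e, field_path, needle)]
    results["cases"] = [route_to_case(cases, rule, g, hits)[0] for g in (ws1, ws1, ws2)]
    results["open_case_count"] = len(cases)
    return results

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

With the constructed logs, the count threshold is met (five successes in the window, more than three) while the unique-value block is not (only four distinct account names against a threshold of 5), which illustrates why the two block types answer different questions. The suppression list shows the clock being per Group By value: a second firing for the same host inside the hour is dropped, a firing for a different host is not, and the same host fires again once the hour has elapsed.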
