Rule Builder
Only administrators can take this action.
The Axon Rule Builder allows you to create your own custom security detection rules within the Axon system. These rules can be tailored to collect and process logs from any log source type to suit your needs.
Search results that are generated because a rule's criteria has been met are considered Observations.
Create a Rule
To create a new, customized rule in Axon using the Rule Builder tool, from the Rules page:
1. Click the Action menu in the upper-right corner and click Add Rule.
2. On the Attributes tab of the Analytics Rule Builder screen that appears, enter the following information. Fields marked with an asterisk (*) are required.
| Field | Description |
|---|---|
| Rule Name * | Enter a unique name for the new rule. |
| Description | Enter an optional detailed description for the new rule. |
| Common Event Assignment * | Open the drop-list and select a description to be assigned to any observations created as a result of this rule being enforced. |
| Threat Level | Open the drop-list and select a threat level to be assigned to any observations created as a result of this rule being enforced. This allows users to search for observations by threat level. |
| Additional Metadata | Additional metadata fields can be associated with observations created as a result of this rule being enforced, which allows you to narrow observation searches even further. Click New Assignment to add another metadata field row. Click the X next to a row to remove it. |
| Metadata Field | Open the drop-list and select a metadata field to associate with observations created as a result of this rule being enforced. |
| Value | Enter the value to appear in the selected metadata field. |
| Enable Suppression | In certain cases, rules can fire multiple times in quick succession, creating a lot of extra "noise" in the form of observations and cases that contain duplicate information. Enabling suppression starts a "clock" that prevents the rule from firing, and from creating extra cases and observations, multiple times within the configured timeframe. |
| Timeframe | Select the amount of time during which this rule should be suppressed after it triggers, in order to prevent multiple observations. By default, the timeframe is one hour: if the configured rule triggers once, one hour must pass before the rule can trigger again. |
| Group By (Optional) | The fields selected in the Group By drop-list above display here. Check each field to determine how this rule is suppressed. Observations triggered by this rule are only suppressed if the Group By fields match identically; the more fields selected here, the less likely a firing is to be suppressed, because more criteria must match. |
| Create Case | Click the toggle to on to automatically create new Case Management cases when this rule is fired. For more information on creating cases this way, refer to the Automatically Create Cases with Rule Builder section of the Add a New Case page. |
To determine whether Axon creates a new case or updates an existing case when a rule that has case creation enabled fires, Axon considers the following:
- Are there any cases with an Open status that were created by the same rule firing?
- If yes, Axon evaluates the "group by" fields of the rule.
  - If all of the "group by" fields match exactly, the triggering logs are added to the existing open case.
  - If the "group by" fields do not match exactly, a new case is created and the triggering logs are added to that new case.
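The interaction between suppression and case routing is easiest to see by replaying a few firings. The following Python script is an added example, not code from Axon or its documentation: it models the suppression clock and the open-case decision exactly as the two passages above describe them, keyed on the rule's group-by values. The rule name, the timestamps and the account names are constructed, and the `RuleState` class and its `fire()` method are hypothetical names for this illustration. Running the same scenario with and without a group-by field shows why adding group-by fields makes suppression less likely.

```python
"""Model of suppression and case routing keyed on group-by fields.

Added example, not Axon code. Behaviour modelled from the page:
- suppression: after the rule fires for one combination of group-by
  values, identical values cannot fire again until the timeframe passes
  (default one hour); different values are not suppressed
- case routing: a firing joins an Open case opened by the same rule when
  all group-by values match exactly, otherwise a new case is opened
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Case:
    """A Case Management case opened by a rule firing (hypothetical model)."""
    rule_name: str
    group_key: tuple
    status: str = "Open"
    logs: list = field(default_factory=list)


class RuleState:
    """Per-rule state for suppression and case routing (hypothetical model)."""

    def __init__(self, rule_name, group_by, suppression=timedelta(hours=1),
                 create_case=True):
        self.rule_name = rule_name
        self.group_by = list(group_by)
        self.suppression = suppression  # None models Enable Suppression off
        self.create_case = create_case
        self.last_fired = {}  # group key -> time the rule last fired for it
        self.cases = []

    def group_key(self, log):
        # Identical group-by values give an identical key; with no group-by
        # fields every log maps to the same key (), so everything collides.
        return tuple((f, log.get(f)) for f in self.group_by)

    def fire(self, log, now):
        """Return what happened: suppressed, observation, updated_case, new_case."""
        key = self.group_key(log)
        last = self.last_fired.get(key)
        if (self.suppression is not None and last is not None
                and now - last < self.suppression):
            return "suppressed"
        self.last_fired[key] = now
        if not self.create_case:
            return "observation"
        for case in self.cases:
            if (case.status == "Open" and case.rule_name == self.rule_name
                    and case.group_key == key):
                case.logs.append(log)  # same rule, same group-by: join it
                return "updated_case"
        self.cases.append(Case(self.rule_name, key, logs=[log]))
        return "new_case"


def run_scenario(group_by):
    """Replay constructed firings and return the outcome of each one."""
    rule = RuleState("Constructed example rule", group_by)
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = [  # (offset from t0, triggering log) - constructed data
        (timedelta(0), {"origin.account.name": "alice"}),
        (timedelta(minutes=5), {"origin.account.name": "bob"}),
        (timedelta(minutes=10), {"origin.account.name": "alice"}),
        (timedelta(hours=2), {"origin.account.name": "alice"}),
    ]
    outcomes = [rule.fire(log, t0 + offset) for offset, log in events]
    # Close every case; the next firing for alice must open a new one
    for case in rule.cases:
        case.status = "Closed"
    outcomes.append(rule.fire({"origin.account.name": "alice"},
                              t0 + timedelta(hours=4)))
    return outcomes


if __name__ == "__main__":
    print("grouped by account:", run_scenario(["origin.account.name"]))
    print("no group-by:       ", run_scenario([]))
```

With `origin.account.name` as the group-by field, bob's firing five minutes after alice's is not suppressed and opens its own case, while alice's repeat ten minutes later is. Without a group-by field, every firing shares the key `()`, so bob is suppressed as well; after the hour elapses, a new firing for alice joins her still-open case, and once that case is closed the next firing opens a fresh one.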
3. Click the Build tab.
4. Build the new rule using the following "rule blocks" on the left-hand side:

| Block | Description |
|---|---|
| Log Observed | This rule block is satisfied when a single log matching the specified filter is observed by Axon. |
| Count Threshold Observed | This rule block is satisfied when a number of logs matching the specified filter are observed by Axon within a configured time range. |
| Count Unique Values Observed | This rule block is satisfied when the number of logs with different values in the configured metadata fields meets or exceeds a given threshold in a specified time range. |

Rule blocks must be added in order and be connected with "Followed by" links. For more information on configuring the links between rule blocks, refer to step 6.
5. For each rule block added to the rule builder, configure the following fields:
| Rule Block | Field | Description |
|---|---|---|
| Log Observed | Filter Query | Using the syntax outlined in Build a Search Query, create the query that determines which logs match this rule block. For example, to create a rule block that finds logs of successful authentications, use the following string: `general_information.common_event CONTAINS "Authentication Success"` |
| Log Observed | Group By | Open the drop-list and check each field you would like to use when filtering and summarizing the observation. For example, an observation grouped on three object fields shows the information from those three fields in the observation window. |
| Count Threshold Observed | Filter Query | Same as for Log Observed: using the syntax outlined in Build a Search Query, create the query that determines which logs match this rule block, for example `general_information.common_event CONTAINS "Authentication Success"`. |
| Count Threshold Observed | Count Threshold | Enter the count or aggregate threshold that determines when the rule is satisfied. For example, if this rule should trigger when more than three logs meet the filter criteria, enter 3. |
| Count Threshold Observed | Timeframe | Enter the amount of time during which the threshold must be met to trigger this rule. |
| Count Threshold Observed | Group By | Same as for Log Observed: check each field you would like to use when filtering and summarizing the observation. |
| Count Unique Values Observed | Filter Query | Same as for Log Observed: using the syntax outlined in Build a Search Query, create the query that determines which logs match this rule block, for example `general_information.common_event CONTAINS "Authentication Success"`. |
| Count Unique Values Observed | Unique Value Count Threshold | Enter the number of unique items that must be counted in the Unique Value field (below) to trigger the rule. |
| Count Unique Values Observed | Unique Value | Select the metadata field to be scanned for unique values. For example, if the Unique Value Count Threshold is set to 5 and the Unique Value is origin.account.name, the rule triggers when five unique origin account names are contained in the results of the Filter Query set above during the Timeframe set below. |
| Count Unique Values Observed | Timeframe | Enter the amount of time during which the threshold must be met to trigger this rule. |
| Count Unique Values Observed | Group By | Same as for Log Observed: check each field you would like to use when filtering and summarizing the observation. |
6. (Optional.) If your rule has more than one rule block, you need to configure the link between each pair of blocks. The link block initially appears yellow with a "Configuration Needed" message. Click the link block to open the Configure Link flyout, and configure the following options:

| Option | Description |
|---|---|
| Link Type | Select one of the following options to determine the link between the two rule blocks. |
| Follow By | Axon looks to the next rule block's conditions after the previous rule block's conditions have been satisfied. |
| Timeframe | Configure the timeframe during which the conditions in the two connected blocks need to be satisfied, first by entering a number and then selecting a unit (seconds, minutes, hours) from the drop-down. |
| Mapping Relationships (Optional) | Click the + Group By Mapping button to configure the way the "group by" values selected for each rule block are mapped to each other. |
7. Click Save to create the rule in a disabled status, or click Save & Enable to create and enable the rule immediately.
Rules cannot be enabled if errors exist in the rule block configurations. Any configuration errors with rule blocks or links are highlighted in red.
At least one correctly configured rule block must exist for a rule to be saved.
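The rule block fields of step 5 and the "Followed by" link of step 6 can be exercised outside the product to check that a rule expresses what you intend before enabling it. The following Python script is an added example, not Axon's rule engine or any code from its documentation. Its filter matcher accepts only the single `<field> CONTAINS "<text>"` clause form shown on this page (an assumption; Axon's query syntax is broader), the Count Threshold comparison follows the page's "enter 3 to trigger on more than three logs" example while the Count Unique Values comparison follows its "meets or exceeds" wording, and all log records, timestamps and account names are constructed. The function and constant names (`count_threshold`, `followed_by`, `FAIL_Q`, and so on) are hypothetical. It goes one step beyond the page by chaining a Count Threshold Observed block to a Log Observed block with a group-by mapping, which is the pattern used to express "many failures, then a success, for the same account".

```python
"""Toy evaluator for the three rule-block types and a "Followed by" link.
Added example, not Axon's engine; filters accept one CONTAINS clause only."""
import re
from datetime import datetime, timedelta

# Simplified stand-in for Axon's query syntax (assumption): a single clause.
FILTER_RE = re.compile(r'^\s*([\w.]+)\s+CONTAINS\s+"([^"]*)"\s*$')
FAIL_Q = 'general_information.common_event CONTAINS "Authentication Failure"'
SUCCESS_Q = 'general_information.common_event CONTAINS "Authentication Success"'

def matches(log, filter_query):
    field, text = FILTER_RE.match(filter_query).groups()
    return text in str(log.get(field, ""))

def group_key(log, group_by):
    # Identical group-by values give identical keys; no fields gives ().
    return tuple((f, log.get(f)) for f in group_by)

def _windows(logs, filter_query, timeframe, group_by):
    """Yield (end_time, key, trailing window) for each matching log, per group."""
    by_key = {}
    for log in sorted(logs, key=lambda l: l["time"]):
        if matches(log, filter_query):
            by_key.setdefault(group_key(log, group_by), []).append(log)
    for key, group in by_key.items():
        for i, log in enumerate(group):
            yield log["time"], key, [l for l in group[: i + 1]
                                     if log["time"] - l["time"] <= timeframe]

def log_observed(logs, filter_query, group_by=()):
    """Satisfied by a single matching log; returns {group key: first time}."""
    fired = {}
    for log in sorted(logs, key=lambda l: l["time"]):
        if matches(log, filter_query):
            fired.setdefault(group_key(log, group_by), log["time"])
    return fired

def count_threshold(logs, filter_query, threshold, timeframe, group_by=()):
    """Satisfied when MORE than `threshold` matching logs fall in one timeframe
    (the page's example: enter 3 to fire on more than three logs)."""
    fired = {}
    for end, key, window in _windows(logs, filter_query, timeframe, group_by):
        if key not in fired and len(window) > threshold:
            fired[key] = end
    return fired

def count_unique_values(logs, filter_query, unique_field, threshold, timeframe,
                        group_by=()):
    """Satisfied when distinct `unique_field` values in one timeframe meet or
    exceed `threshold` (the page's wording)."""
    fired = {}
    for end, key, window in _windows(logs, filter_query, timeframe, group_by):
        distinct = {l.get(unique_field) for l in window}
        if key not in fired and len(distinct) >= threshold:
            fired[key] = end
    return fired

def followed_by(first, second, timeframe, mapping):
    """Link: the second block fires after the first within `timeframe`, and
    every (first_field, second_field) group-by mapping must agree."""
    pairs = []
    for key_a, t_a in first.items():
        for key_b, t_b in second.items():
            vals_a, vals_b = dict(key_a), dict(key_b)
            if t_a < t_b <= t_a + timeframe and all(
                    vals_a.get(fa) == vals_b.get(fb) for fa, fb in mapping):
                pairs.append((key_a, key_b, t_b))
    return pairs

def build_logs():
    """Constructed sample logs (not real Axon data)."""
    t0 = datetime(2024, 1, 1, 10, 0)

    def log(minutes, event, account):
        return {"time": t0 + timedelta(minutes=minutes),
                "general_information.common_event": event,
                "origin.account.name": account}

    return ([log(m, "Authentication Failure", "alice") for m in (0, 1, 2, 3)]
            + [log(0, "Authentication Failure", "bob"),
               log(1, "Authentication Failure", "bob"),
               log(5, "Authentication Success", "bob"),
               log(8, "Authentication Success", "alice"),
               log(30, "Authentication Success", "carol")])

def detect_failures_then_success(logs):
    """More than 3 failures for one account within 5 minutes, followed within
    10 minutes by a success for the same account (account mapped to account)."""
    acct = ("origin.account.name",)
    failures = count_threshold(logs, FAIL_Q, 3, timedelta(minutes=5), acct)
    successes = log_observed(logs, SUCCESS_Q, acct)
    return followed_by(failures, successes, timedelta(minutes=10),
                       [("origin.account.name", "origin.account.name")])

def detect_distinct_successes(logs):
    """Successes from 3 or more distinct account names within one hour."""
    return count_unique_values(logs, SUCCESS_Q, "origin.account.name", 3,
                               timedelta(hours=1))
```

On the constructed data, only alice crosses the failure threshold (four failures in five minutes, bob has two), and only her later success satisfies the mapped link, so `detect_failures_then_success()` returns a single pair; bob's success is ignored because his account never satisfied the first block. `detect_distinct_successes()` fires once, at carol's 10:30 success, when the hour-long window first contains three distinct account names. Note that each group key fires at most once here; in the product, how often a block re-fires for the same group is what the suppression settings on the Attributes tab govern.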