This page uses the Settings tab of both AI Engine Rules and Alarm Rules as examples. The names of windows and setting options vary slightly depending on where you are creating or modifying a rule.

The Settings tab allows you to configure common event properties, alarm properties, and general properties for the AI Engine Rule or Alarm Rule. It also enables you to set a suppression period for alarms. During the suppression period, additional logs or events that match the exact criteria of the suppressed alarm do not create new events or alarms. Suppression looks at all the Group By fields in an AI Engine rule, and all of those fields must match for the suppression to apply. For example, if a rule is configured to detect three failed logins from a single source to a single destination, then after the first alarm any matching logs with that same source and destination combination are ignored for the rest of the suppression period. However, if that source fails three logins to a different destination, the alarm fires again and a separate suppression period for that combination begins.

The following table describes the settings you can configure on the Settings tab of the AI Engine Wizard.

Settings Tab Field / Description

New Event Settings

Common Event Name

AI Engine Common Events always start with "AIE." Maximum additional characters = 45.

Sync with rule name

Select to synchronize the Common Event name with the rule name, up to 45 characters.

Classification

Common Event classification. Click the selector for an option list.

Risk Rating

Select from 0 to 9 on the list. For more information, see Global Risk Based Priority.
Event Suppression

Select the Enable Suppression check box to limit the number of events created by a rule so only the first occurrence of a qualifying event is created during the Suppression Period.

If you select the Enable Suppression check box, the Suppression Multiple field is enabled. The value you enter here is used in the formula:

Suppression Multiple * Suppression Interval = Suppression Period

The Suppression Interval value reflects the rule definition and the time limits set on the Thresholds and Unique Values tabs and in the AI Engine Rule Block Relationship.

When you tab off the Suppression Multiple field, the Suppression Period is recalculated.

AIE Event Forwarding

Select to forward the AI Engine Event to the Platform Manager.
New Alarm Settings
Alarm on event occurrence

Select to create an alarm when this event occurs and to enable the alarm status.

This box must be selected for notifications and SmartResponse actions to work.

Automatically drill down and cache results

If Alarm on event occurrence is selected, you can automatically drill down and cache results for this rule.

If the AIE Drill Down Cache is disabled in the LogRhythm Configuration Manager, automatic drilldown does not work, even if this check box is selected. For more information, see the LogRhythm Software Installation Guide.

Notification Settings

Select the number of decimal places, from 0 to 10, to print for quantitative values.
Rule Settings
False Positive Probability (FPP)

The False Positive Probability is used in the Risk-Based Priority (RBP) calculation for AI Engine Rules. It estimates how likely the rule is to generate a false positive. A low value indicates that the pattern the rule matches is almost always a true positive; a high value indicates that the pattern the rule matches is very likely to be a false positive.

Options range from 0 to 9:

  • 0 indicates the pattern the rule matched is almost always a true positive.
  • 9 indicates the pattern the rule matched is very likely to be a false positive.

The default = 5 - Medium-Medium.

Environmental Dependence Factor (EDF)

The Environmental Dependence Factor is used in Risk-Based Priority (RBP) Calculation for AI Engine Rules. It determines how much additional configuration is required for the rule to function as expected within different network environments.

The options are:

  • None. Default, no additional configuration required.
  • Low. Minimum additional configuration required.
  • Medium. Additional configuration required.
  • High. Significant additional configuration required.
Expiration Date

Select No expiration or Expires on with the appropriate date. After the expiration date passes, the rule is not processed but does appear in the grid with Rule Status = Expired.
Rule Set

Rule sets are used to divide rules among multiple AI Engine Servers. Minimum = 0, maximum = 100. A value of 0 appears as None in the Rule Manager grid.

Runtime Priority

Values = Low, Normal, or High.

Under heavy load, the AI Engine Server may need to suspend rules. If it begins to run out of memory or fall behind, it automatically suspends rules starting with those of the lowest runtime priority.

Data Segregation

Segregate the rule processing and Event at runtime by the specified entity grouping.

  • None.
  • Log Source Entity. Segregates within the specific Entity of every log.
  • Log Source Root Entity. Segregates within the Root Entity of every log.

Data Segregation enables a single logical rule definition to be applied automatically, at the Entity or Root Entity level, to distinct groups of Log Sources within a deployment. Each Event is then guaranteed to have considered only Logs within the scope of the chosen Entity grouping.
Data segregation by entity also ensures that alarm notification emails sent by the Notification Service go only to recipients who have access to that entity. For the Notification Service to work, the AIE Drill Down Cache must be enabled in the LogRhythm Configuration Manager. Both the AIE Drill Down Cache API and the Notification Service settings can be modified in the Configuration Manager. For more information, see the information on the LogRhythm Configuration Manager in the LogRhythm Software Installation Guide.
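The following simulation is an added example, not LogRhythm code, that shows how the Event Suppression, Group By matching and Data Segregation settings described above interact at runtime. It models a threshold rule (three failed logins from one origin host to one destination host inside the Suppression Interval), computes Suppression Period = Suppression Multiple * Suppression Interval, ignores further logs for the exact Group By key during that period, fires again for a different destination, and, when segregation is enabled, makes the entity part of the key so logs from two entities never count toward the same event. The log records, the field names oHost, dHost and entity, and the timings are constructed for this example.

```python
"""Simulated AI Engine threshold rule with Event Suppression and Data Segregation.

Added illustration, not LogRhythm code. Field names (oHost, dHost, entity),
the sample logs and the timings are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class ThresholdRule:
    group_by: tuple                       # every Group By field must match
    threshold: int                        # matches needed to create an event
    interval_s: int                       # Suppression Interval (from the Thresholds tab)
    suppression_multiple: int = 1         # 0 = effectively no suppression
    segregate_by: Optional[str] = None    # e.g. "entity" for Log Source Entity segregation

    @property
    def suppression_period_s(self) -> int:
        # Suppression Multiple * Suppression Interval = Suppression Period
        return self.suppression_multiple * self.interval_s


class RuleEngine:
    def __init__(self, rule: ThresholdRule):
        self.rule = rule
        self.window = defaultdict(list)   # key -> match timestamps inside the interval
        self.suppressed_until = {}        # key -> end of the suppression period
        self.events = []

    def key_for(self, log: dict) -> tuple:
        key = tuple(log[f] for f in self.rule.group_by)
        if self.rule.segregate_by:        # segregation scopes the key to the entity
            key = (log[self.rule.segregate_by],) + key
        return key

    def process(self, log: dict):
        r, t, key = self.rule, log["ts"], self.key_for(log)
        if t < self.suppressed_until.get(key, -1):
            return None                   # exact-key match during suppression: ignored
        hits = [x for x in self.window[key] if t - x <= r.interval_s] + [t]
        if len(hits) < r.threshold:
            self.window[key] = hits
            return None
        self.window[key] = []             # event created; start a fresh window
        self.suppressed_until[key] = t + r.suppression_period_s
        event = (t, key)
        self.events.append(event)
        return event


def run(rule: ThresholdRule, logs: list) -> list:
    """Replay logs in time order and return the (timestamp, key) events created."""
    engine = RuleEngine(rule)
    for log in sorted(logs, key=lambda l: l["ts"]):
        engine.process(log)
    return engine.events


def failed_login(ts, o_host, d_host, entity="Corp"):
    # Constructed log record; ts is seconds from the start of the replay.
    return {"ts": ts, "entity": entity, "oHost": o_host, "dHost": d_host, "login": "fred.smith"}


# Constructed sample: three failures to dc01, three more inside the suppression
# period, three to a different host, then three to dc01 after suppression ends.
LOGS = (
    [failed_login(t, "10.1.1.18", "dc01") for t in (0, 5, 10)]
    + [failed_login(t, "10.1.1.18", "dc01") for t in (15, 20, 25)]
    + [failed_login(t, "10.1.1.18", "fs01") for t in (30, 35, 40)]
    + [failed_login(t, "10.1.1.18", "dc01") for t in (200, 205, 210)]
)

# Constructed sample for Data Segregation: same oHost/dHost seen from two entities.
MIXED_ENTITY_LOGS = (
    [failed_login(t, "10.1.1.18", "dc01", "Corp") for t in (0, 10)]
    + [failed_login(5, "10.1.1.18", "dc01", "Lab")]
)

# Interval 60 s, multiple 2 -> suppression period 120 s per Group By key.
RULE = ThresholdRule(group_by=("oHost", "dHost"), threshold=3, interval_s=60, suppression_multiple=2)
SEGREGATED_RULE = ThresholdRule(("oHost", "dHost"), 3, 60, 2, segregate_by="entity")

if __name__ == "__main__":
    for ts, key in run(RULE, LOGS):
        print(f"t={ts:>3}s alarm for {key}")
    print("no segregation:    ", run(RULE, MIXED_ENTITY_LOGS))
    print("entity segregation:", run(SEGREGATED_RULE, MIXED_ENTITY_LOGS))
```

With the constructed input the rule fires at 10 s for dc01, stays silent for the three matching logs at 15, 20 and 25 s even though they would again satisfy the threshold, fires at 40 s for fs01 because that is a different Group By key, and fires again for dc01 at 210 s once the 120 s suppression period has elapsed. With entity segregation the Corp and Lab logs are counted under separate keys, so no event is created from the mixed-entity sample; without segregation they are pooled and an event is created.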

The following table describes the settings you can configure on the Settings tab of the Alarm Wizard.

Settings Tab Field / Description

Alarm Suppression

Suppress Identical Alarms for

Enter the time span you want.
Notification Settings
Use custom alarm rule name in email notification

Select to enter a custom subject name. The custom subject line can be up to 100 characters long.

If you want to change the prefix of the subject of the email, you need to update the Email Notification Policy. For more details, see Create New Email Alarm Notification Policies.

Append the grouped event field values to the title of the alarm notification

Select to append the selected Group By values to the end of the Notification Subject Line. For example: LogRhythm Alarm - Brute Force Password Attack - oHost=10.1.1.18 oLogin=fred.smith.

Specify the number of decimal places to print for quantitative values

Select a value from 0 to 10.
Data Segregation
Segregate event data by Entity when processed by the rule and output as an Alarm

Select one of the following:

  • None.
  • Log Source Entity. Segregates within the specific Entity of every log.
  • Log Source Root Entity. Segregates within the Root Entity of every log.

Data Segregation enables a single logical rule definition to be applied automatically, at the Entity or Root Entity level, to distinct groups of Log Sources within a deployment. Each Event is then guaranteed to have considered only Logs within the scope of the chosen Entity grouping.
Data segregation by entity also ensures that alarm notification emails sent by the Notification Service go only to recipients who have access to that entity. For the Notification Service to work, the AIE Drill Down Cache must be enabled in the LogRhythm Configuration Manager and TLS 1.2 must be enabled. For more information, see the LogRhythm Software Installation Guide.