Filters—Settings
The Settings tab allows you to configure common event properties, alarm properties, and general properties for the AI Engine Rule or Alarm Rule. It also enables you to set a suppression period for alarms. During the suppression period, additional logs or events that match the exact criteria of the suppressed alarm do not create new events or alarms. Suppression looks at all the Group By fields in an AI Engine rule, and all of them must match for the suppression to apply. For example, if you have a rule configured to detect three failed logins from a single source to a single destination, then after the first alarm any matching logs with that same source and destination combination are ignored for the rest of the suppression period. However, if that source fails three logins to a different destination, the alarm fires again and a separate suppression period begins for that combination.
The following table describes the settings you can configure on the Settings tab of the AI Engine Wizard.
Settings Tab Field | Description |
---|---|
New Event Settings | |
Common Event Name | AI Engine Common Events always start with "AIE." Maximum additional characters = 45. |
Sync with rule name | Select to synchronize the Common Event name with the rule name, up to 45 characters. |
Classification | Common Event classification. Click the selector for an option list. |
Risk Rating | Select from 0 to 9 on the list. For more information, see Global Risk Based Priority. |
Event Suppression | Select the Enable Suppression check box to limit the number of events created by a rule so that only the first occurrence of a qualifying event is created during the Suppression Period. Selecting the check box enables the Suppression Multiple field. The value you enter there is used in the formula: Suppression Multiple × Suppression Interval = Suppression Period. The Suppression Interval is derived from the rule definition: the time limits set on the Thresholds and Unique Values tabs and in the AI Engine Rule Block Relationship. When you tab off the Suppression Multiple field, the Suppression Period is recalculated. |
AIE Event Forwarding | Select to forward the AI Engine Event to the Platform Manager. |
New Alarm Settings | |
Alarm on event occurrence | Select to create an alarm when this event occurs and to enable the alarm status. This box must be selected for notifications and SmartResponse actions to work. |
Automatically drill down and cache results | If Alarm on event occurrence is selected, you can automatically drill down and cache results for this rule. If the AIE Drill Down Cache is disabled in the LogRhythm Configuration Manager, automatic drill down does not run, even if this check box is selected. For more information, see the LogRhythm Software Installation Guide. |
Notification Settings | Select the number of decimal places from 0 to 10 to print for quantitative values. |
Rule Settings | |
False Positive Probability (FPP) | The False Positive Probability is used in the Risk-Based Priority (RBP) calculation for AI Engine Rules. It estimates how likely the rule is to generate a false positive. A low value indicates that the pattern the rule matches is almost always a true positive; a high value indicates that the pattern the rule matches is very likely to be a false positive. Options range from 0 (low) to 9 (high). The default is 5 (Medium-Medium). |
Environmental Dependence Factor (EDF) | The Environmental Dependence Factor is used in the Risk-Based Priority (RBP) calculation for AI Engine Rules. It indicates how much additional configuration is required for the rule to function as expected in different network environments. The options are: |
Expiration Date | Select No expiration or Expires on with the appropriate date. After the expiration date passes, the rule is not processed but does appear in the grid with Rule Status = Expired. |
Rule Set | Rule sets are used to divide rules among multiple AI Engine Servers. Minimum = 0, maximum = 100. A value of 0 appears as None in the Rule Manager grid. |
Runtime Priority | Under heavy load, the AI Engine Server may need to suspend the lowest priority rules first. If the AI Engine begins to run out of memory or fall behind, it automatically suspends rules starting with the lowest runtime priority. |
Data Segregation | Segregate the rule processing and the resulting Event at runtime by the specified entity grouping. Data Segregation enables a single logical rule definition to be applied automatically at the Entity or Root Entity level to distinct groups of Log Sources within a deployment. Each Event is then guaranteed to have considered only Logs within the scope of the chosen Entity grouping. |
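The following is an added example, not LogRhythm code or output, that simulates the threshold and suppression behaviour described above: a rule that fires on three failed logins from one origin host to one impacted host within an assumed 60-second interval, with Enable Suppression on and an assumed Suppression Multiple of 2, so the Suppression Period is 2 × 60 s = 120 s. The Group By key is (origin, impacted). The log lines, field names and layout are constructed for the example and are not LogRhythm's log format; the same first-occurrence-per-key logic is what the Alarm Wizard's "Suppress Identical Alarms for" setting applies at the alarm level.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple

# Assumed rule parameters standing in for the wizard tabs: the Thresholds tab
# (3 matching logs within 60 s) and the Settings tab (Suppression Multiple = 2).
THRESHOLD_COUNT = 3
SUPPRESSION_INTERVAL = timedelta(seconds=60)            # the rule's time limit
SUPPRESSION_MULTIPLE = 2
SUPPRESSION_PERIOD = SUPPRESSION_MULTIPLE * SUPPRESSION_INTERVAL  # 120 s

# Constructed sample logs in a made-up key=value layout (not a real log source).
SAMPLE_LOGS = """\
2024-03-01T09:00:00 auth-fail origin=10.1.1.18 impacted=srv01 login=fred.smith
2024-03-01T09:00:05 auth-ok   origin=10.1.1.18 impacted=srv01 login=fred.smith
2024-03-01T09:00:10 auth-fail origin=10.1.1.18 impacted=srv01 login=fred.smith
2024-03-01T09:00:20 auth-fail origin=10.1.1.18 impacted=srv01 login=fred.smith
2024-03-01T09:00:30 auth-fail origin=10.1.1.18 impacted=srv01 login=fred.smith
2024-03-01T09:00:40 auth-fail origin=10.1.1.18 impacted=srv01 login=fred.smith
2024-03-01T09:00:50 auth-fail origin=10.1.1.18 impacted=srv01 login=fred.smith
2024-03-01T09:01:00 auth-fail origin=10.1.1.18 impacted=srv02 login=fred.smith
2024-03-01T09:01:10 auth-fail origin=10.1.1.18 impacted=srv02 login=fred.smith
2024-03-01T09:01:20 auth-fail origin=10.1.1.18 impacted=srv02 login=fred.smith
2024-03-01T09:01:30 auth-fail origin=10.1.1.18 impacted=srv02 login=fred.smith
2024-03-01T09:03:00 auth-fail origin=10.1.1.18 impacted=srv01 login=fred.smith
2024-03-01T09:03:10 auth-fail origin=10.1.1.18 impacted=srv01 login=fred.smith
2024-03-01T09:03:20 auth-fail origin=10.1.1.18 impacted=srv01 login=fred.smith
"""

# Only failed logins qualify; the auth-ok line is deliberately not matched.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth-fail\s+origin=(?P<origin>\S+) impacted=(?P<impacted>\S+) login=(?P<login>\S+)$"
)

GroupKey = Tuple[str, str]


class AIEEvent(NamedTuple):
    key: GroupKey          # the Group By values the event was produced for
    first_seen: datetime   # earliest log in the qualifying window
    fired_at: datetime     # log that pushed the count to the threshold


def run_rule(log_text: str) -> Tuple[List[AIEEvent], int]:
    """Replay the logs through the rule; return (events created, logs suppressed)."""
    windows: Dict[GroupKey, Deque[datetime]] = defaultdict(deque)
    suppressed_until: Dict[GroupKey, datetime] = {}
    events: List[AIEEvent] = []
    suppressed = 0

    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        key: GroupKey = (m["origin"], m["impacted"])   # all Group By fields must match

        # Inside the Suppression Period for this exact combination: drop the log.
        if key in suppressed_until and ts < suppressed_until[key]:
            suppressed += 1
            continue

        # Sliding window per combination, bounded by the Suppression Interval.
        win = windows[key]
        win.append(ts)
        while win and ts - win[0] > SUPPRESSION_INTERVAL:
            win.popleft()

        if len(win) >= THRESHOLD_COUNT:
            events.append(AIEEvent(key, win[0], ts))
            # First occurrence creates the event; the period starts now for this key only.
            suppressed_until[key] = ts + SUPPRESSION_PERIOD
            win.clear()

    return events, suppressed


if __name__ == "__main__":
    evts, dropped = run_rule(SAMPLE_LOGS)
    for e in evts:
        print(f"AIE event for origin={e.key[0]} impacted={e.key[1]} at {e.fired_at.isoformat()}")
    print(f"{dropped} matching logs suppressed")
```

Replaying the sample produces three events: srv01 at 09:00:20, srv02 at 09:01:20 (a different combination, so it is not suppressed by the first), and srv01 again at 09:03:20 once that pair's 120-second period has elapsed. The three srv01 failures between 09:00:30 and 09:00:50 and the extra srv02 failure at 09:01:30 fall inside an active period and create nothing, which is the behaviour the Suppression Multiple is there to tune.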
The following table describes the settings you can configure on the Settings tab of the Alarm Wizard.
Settings Tab Field | Description |
---|---|
Alarm Suppression | |
Suppress Identical Alarms for | Enter the time span during which identical alarms are suppressed. |
Notification Settings | |
Use custom alarm rule name in email notification | Select to enter a custom subject name. The custom subject line can be up to 100 characters long. If you want to change the prefix of the subject of the email, you need to update the Email Notification Policy. For more details, see Create New Email Alarm Notification Policies. |
Append the grouped event field values to the title of the alarm notification | Select to append the selected Group By values to the end of the Notification Subject Line. For example: LogRhythm Alarm - Brute Force Password Attack - oHost=10.1.1.18 oLogin=fred.smith. |
Specify the number of decimal places to print for quantitative values | Select a value from 0 to 10. |
Data Segregation | |
Segregate event data by Entity when processed by the rule and output as an Alarm | Select one of the following: Data Segregation enables a single logical rule definition to be applied automatically at the Entity or Root Entity level to distinct groups of Log Sources within a deployment. Each Event is then guaranteed to have considered only Logs within the scope of the chosen Entity grouping. |