You must be logged in as an Administrator to take this action.
Administrators can create custom sub-rules to classify logs according to specific criteria. To make the process easier, LogRhythm allows you to clone an existing sub-rule, and then add custom filter criteria.
Refer to the topic Tag1-Tag5 for information on including generic tags in your custom sub-rules. These generic tags (<tag1> through <tag5>) are required to create sub-rules for fields in the LogRhythm Schema Dictionary that are marked with [7.2] in LogRhythm versions between 7.2 and 7.22. Beginning with LogRhythm SIEM version 7.23.0, expansion fields are supported directly in sub-rules.
- Run an Investigation.
- Click the Log Viewer tab.
- Select a sample of relevant logs.
- Right-click the selected logs and select Copy Selected Logs to Rule Builder and Load Rule.
  The sub-rule that is currently classifying the logs is selected in the Sub-Rules tab in the bottom pane.
- Right-click the selected sub-rule, and then click Clone.
  The Sub-Rule Properties window for the new sub-rule opens.
- To make a separate rule, type a new Rule Name.
- In the Common Event field, select the Common Event you want.
- In the Rule Status field, select Production or Test. This step is necessary to enable the sub-rule in the MPE Policy.
- In the Mapping Tags section, select the mapping you want.
- Click OK.
- On the main toolbar, click Deployment Manager.
- Click the Log Processing Policies tab.
- Double-click the relevant Log Source Type.
  The MPE Policy Editor window appears. The custom sub-rules appear at the top of the list.
- Check the box next to the new custom sub-rule.
- Right-click the sub-rule and select Properties.
  The MPE Policy Rule Editor opens.
- Check the Enabled box.
  Logs meeting the qualifications of the sub-rule will now be classified according to the Common Event.
- Click OK.