Rule Sets
One of the most important components of the Sycope system is alerting functionality. This functionality allows the user to flexibly build Alerts based on a number of conditions and rules that operate on the data streams collected by the system.
Sycope includes many predefined Alerts created by a team of cybersecurity experts. These rules can be used as a template from which you can create your own rules. You can also create rules on your own using the wizard.
The [Alerts>Rule Set] menu is used to create custom rules based on the selected Streams and, optionally, your own mathematical function. The system also ships with many of the most useful predefined rules, which can be used right after installation.
The list of Rules is shown in a table with the following columns:
- Rule name - unique Rule name
- Rule type
- Tactic
- Technique
- Score
- Created by
- Creation Time
- Modified By
- Modification Time
- Tags
- Active
- Action
  - Edit - edit an existing Rule
  - Duplicate - create an editable copy of the selected Rule
  - Export - export the Rule to JSON format
  - Delete - delete the Rule
Adding a custom rule
Alert rules are created and edited in the [Alerts>Rule Set] menu.
To add a new Alert rule, click the New rule button; the wizard appears.
The rule configuration wizard consists of the following sections:
- General
- Stream
- Input Filter
- Values
- Categories
- Output filter
- Sorting
- Limit
- Schedule
- Thresholds
- Actions
- Privacy
General section
Active/Inactive switch - activates or deactivates the current rule.
Rule Type - assigns the rule to one of three alert types, matching the area it monitors:
- Performance
- Security
- Visibility
Name - rule name
Tags - tags defined in [Configuration>Mapping>Tags]
Description - free-text description of the rule entered by the user.
Score (Severity) - alert severity on a scale of 1-10, where:
- score 1-2 means "info"
- score 3-4 means "low"
- score 5-6 means "medium"
- score 7-8 means "high"
- score 9-10 means "critical"
Stream section
Source - the data stream the rule operates on
Input Filter section
- Query - filter applied to the selected data stream
- Time range - the time range over which the rule operates
Values section
This section defines the metrics the rule computes from the filtered stream.
- Use Function switch - allows the user to enter their own function instead of a single aggregation
- Aggr - aggregation applied to the field
- Post aggr
- Field
- Metric - field or metric that will be displayed on the graph
- Aggregation - list of operations to choose from:
  - Avg - returns the average of the field values.
  - Count - returns the count of non-empty fields.
  - First - returns the value of the first field returned.
  - Join - returns the concatenated field values.
  - Last - returns the value of the last field returned.
  - Max - returns the maximal value.
  - Min - returns the minimal value.
  - Sum - returns the sum of the values.
Categories
This section defines the fields by which the computed values are grouped (one bucket per distinct category value).
- Aggregation - list of operations to choose from:
  - Avg - returns the average of the field values.
  - Count - returns the count of non-empty fields.
  - First - returns the value of the first field returned.
  - Join - returns the concatenated field values.
  - Last - returns the value of the last field returned.
  - Max - returns the maximal value.
  - Min - returns the minimal value.
  - Sum - returns the sum of the values.
- Use Function switch - allows the user to enter their own function
- Field - choose from a list: field, metrics, lookup, mapper
Output filter
- Query - filter applied to the Metrics and Fields defined in the Values and Categories sections, i.e. evaluated on the aggregated results rather than on raw stream records.
Sorting
Here you define how the data displayed on the graph is sorted.
- Sort field - the field to sort by
- Sort direction - Asc/Desc - ascending or descending order
Limit
Here you specify how many result buckets are kept and from which end of the sorted list they are taken.
- Limit buckets switch - enables a limit on the number of values (buckets) the chart consists of
- Limit - the limit value
- Show from - which end of the sorted data is displayed on the chart:
  - Head
  - Tail
- Show others switch
- Others label
Schedule
In this step you specify how often the rule is executed.
- Interval - a number with a unit (Min/Hours/Days/Weeks/Months/Years) defining how often the rule runs.
- Throttling in minutes
- Indexed fields
Thresholds
Value
- Minor - select an operator and a value
- Major - select an operator and a value
- Critical - select an operator and a value
The Critical condition is checked first; if it is not met, the Major condition is checked, and if that is not met, the Minor condition is checked. A result therefore receives the highest level whose condition holds, so a value that satisfies all three conditions is reported as Critical, not as three separate alerts.
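The following is an added example, not Sycope's own code, that models the rule pipeline described in the Values, Categories, Output filter, Sorting, Limit and Thresholds sections on a few constructed flow records: the input filter selects records, values are aggregated per category bucket, the buckets are filtered, sorted and limited, and each surviving bucket is assigned the first matching level in Critical, Major, Minor order. It also includes the score-to-severity mapping from the General section. The record layout, field names (`srcIp`, `dstPort`, `bytes`, `protocol`), the operator strings and the rule dictionary format are assumptions made for illustration and do not reflect Sycope's internal representation.

```python
# Added example, not Sycope's own code: a minimal model of the Rule Set
# pipeline (input filter -> values per category -> output filter -> sort ->
# limit -> thresholds). Record layout, field names and operator strings are
# assumptions made for illustration.
from operator import eq, ge, gt, le, lt, ne
from statistics import mean

# Constructed sample stream: one dict per flow record (not real captured data).
FLOWS = [
    {"srcIp": "10.0.0.5", "dstPort": 22, "bytes": 1200, "protocol": "tcp"},
    {"srcIp": "10.0.0.5", "dstPort": 22, "bytes": 800, "protocol": "tcp"},
    {"srcIp": "10.0.0.5", "dstPort": 3389, "bytes": 50, "protocol": "tcp"},
    {"srcIp": "10.0.0.9", "dstPort": 22, "bytes": 300, "protocol": "tcp"},
    {"srcIp": "10.0.0.7", "dstPort": 53, "bytes": 90, "protocol": "udp"},
]

# The aggregations listed in the Values/Categories sections.
AGGREGATIONS = {
    "avg": mean,
    "count": lambda vals: sum(1 for v in vals if v not in (None, "")),
    "first": lambda vals: vals[0],
    "join": lambda vals: ",".join(str(v) for v in vals),
    "last": lambda vals: vals[-1],
    "max": max,
    "min": min,
    "sum": sum,
}

# Operators assumed for the threshold conditions.
OPERATORS = {">": gt, ">=": ge, "<": lt, "<=": le, "==": eq, "!=": ne}

# Score -> severity bands from the General section (upper bound, label).
SEVERITY_BANDS = [(2, "info"), (4, "low"), (6, "medium"), (8, "high"), (10, "critical")]


def severity_label(score):
    """Map a rule score (1-10) to its severity label."""
    if not 1 <= score <= 10:
        raise ValueError("score must be between 1 and 10")
    return next(label for upper, label in SEVERITY_BANDS if score <= upper)


def threshold_level(value, thresholds):
    """Return the first matching level, checking Critical, then Major, then Minor."""
    for level in ("critical", "major", "minor"):
        cond = thresholds.get(level)  # (operator string, comparison value)
        if cond is not None and OPERATORS[cond[0]](value, cond[1]):
            return level
    return None


def evaluate_rule(rule, flows):
    """Run one rule over a list of records; return (level, bucket) pairs."""
    # Input filter: keep only the records the rule should look at.
    rows = [f for f in flows if rule["input_filter"](f)]

    # Categories: group the records by the category fields.
    groups = {}
    for f in rows:
        groups.setdefault(tuple(f[c] for c in rule["categories"]), []).append(f)

    # Values: one aggregated metric per (name, field, aggregation) per bucket.
    buckets = []
    for key, recs in groups.items():
        bucket = dict(zip(rule["categories"], key))
        for name, (field, agg) in rule["values"].items():
            bucket[name] = AGGREGATIONS[agg]([r[field] for r in recs])
        buckets.append(bucket)

    # Output filter on aggregated buckets, then sort and limit (head/tail).
    buckets = [b for b in buckets if rule.get("output_filter", lambda b: True)(b)]
    buckets.sort(key=lambda b: b[rule["sort_field"]], reverse=rule["sort_desc"])
    if rule.get("limit"):
        n = rule["limit"]
        buckets = buckets[:n] if rule["show_from"] == "head" else buckets[-n:]

    # Thresholds: each bucket gets the highest level whose condition holds.
    alerts = []
    for b in buckets:
        level = threshold_level(b[rule["threshold_value"]], rule["thresholds"])
        if level is not None:
            alerts.append((level, b))
    return alerts


# Hypothetical rule: count SSH connections per source address.
SSH_RULE = {
    "input_filter": lambda f: f["protocol"] == "tcp" and f["dstPort"] == 22,
    "categories": ["srcIp"],
    "values": {"conns": ("dstPort", "count"), "bytesSum": ("bytes", "sum")},
    "sort_field": "conns",
    "sort_desc": True,
    "limit": 10,
    "show_from": "head",
    "threshold_value": "conns",
    "thresholds": {"critical": (">=", 5), "major": (">=", 2), "minor": (">=", 1)},
}

if __name__ == "__main__":
    for level, bucket in evaluate_rule(SSH_RULE, FLOWS):
        print(level, bucket)
```

Because `threshold_level` stops at the first condition that holds, overlapping conditions resolve to the highest level, which matches the Critical, Major, Minor evaluation order described above; the same order is why a Minor condition that is broader than the Critical one is harmless, while a Critical condition that is accidentally broader than Minor would turn every match into a Critical alert.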
Actions
Type - the action taken when a threshold is met:
- Index
  - Index - the index the alert is written to (alerts)
- Mail
  - Send mail switch
  - Receivers
  - Template
- Syslog
  - Syslog profile
- Third party system
  - External system (for example MACMON)
  - Instance name
  - Action name
Threshold levels - the levels for which the action is triggered:
- Critical
- Major
- Minor
Privacy
Privacy - assigns access privileges to the rule:
- Private - accessible only to the owner
- Public - accessible to all. Public permissions:
  - Delete
  - Edit
  - Execute
- Shared - accessible to one or more selected roles. Available privileges are:
  - Delete
  - Edit
  - Execute
  - View