Converting an Historical Search to a Rule
Example
While using historical search, you may observe a pattern that you want to use as a rule so if the pattern recurs, it will trigger an alert. For example, in an historical search you may notice excessive traffic going outside your country or the countries you do business with. You can generate a rule to watch for this traffic pattern from within the historical search.
These screenshots show the conditions and results for the example of an historical search for excessive outgoing traffic.
Following this example, you may now want to create a rule that will send you an alert when a particular source sends more than 1000 connections, or more than 5 MB of traffic, in five minutes.
Procedure
- In the historical search that you want to use as the basis for your rule, click Create Rule.
The Rule Editor will load, with most information for the rule auto-populated from the search. You can also read the topics under Rules for more information about creating rules.
- Enter a Rule Name and Description.
- Set the Severity to associate with incidents generated by this rule.
- Set the Incident Category to associate with incidents generated by this rule.
- Set the number of seconds for the Time Window that this rule should apply to.
In the example of excessive outgoing traffic over a five minute period, this would be set to 300.
- Under the Conditions, click the Edit icon for Filter_1.
You will see that all your filter conditions for the search have been populated into this sub pattern.
- You can now edit the Filter and Aggregate conditions for your original search, or change the Group By conditions.
- Click Save when you’re done editing the rule.
This screenshot shows editing the rule sub pattern Filter_1 from the original rule conditions, with the Aggregate Conditions for COUNT(Matched Events) and SUM(Total Bytes) set to 1000 and 5242880 to match the new alert conditions from the example historical search, and the AND operator changed to OR.
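The following is an added illustration of what the finished rule evaluates, written in plain Python rather than in the product's own rule format (it is not the product's code and does not reproduce its rule syntax): the search filter from Filter_1, a Group By on the source within a 300-second window, the two aggregate conditions, and the OR between them. The home-country set, the IP addresses and the event timestamps are constructed sample data, not values from the page.

```python
"""Illustrative re-implementation of the rule described above (added example,
not the product's rule engine or rule file format)."""
from collections import defaultdict

WINDOW_SECONDS = 300                # Time Window from the procedure (five minutes)
COUNT_THRESHOLD = 1000              # COUNT(Matched Events) > 1000
BYTES_THRESHOLD = 5 * 1024 * 1024   # SUM(Total Bytes) > 5242880 (5 MB)
HOME_COUNTRIES = {"US"}             # assumed "countries you do business with"


def make_events(src, count, bytes_each, country, start_ts):
    """Build constructed sample events: epoch timestamp, source IP,
    destination country and byte count, spread over one window."""
    return [
        {"ts": start_ts + (i * (WINDOW_SECONDS - 1)) // count, "src": src,
         "dst_country": country, "bytes": bytes_each}
        for i in range(count)
    ]


def evaluate_rule(events, window=WINDOW_SECONDS, count_threshold=COUNT_THRESHOLD,
                  bytes_threshold=BYTES_THRESHOLD, home_countries=HOME_COUNTRIES,
                  require_all=False):
    """Return one alert per (source, window) whose aggregates exceed a threshold.

    require_all=False joins the aggregate conditions with OR, as in the edited
    rule; require_all=True keeps the original AND, which only fires when a
    source is both chatty and heavy in the same window."""
    # Filter_1: the historical search's filter (traffic leaving home countries)
    matched = [e for e in events if e["dst_country"] not in home_countries]

    # Group By: source IP and tumbling time window
    buckets = defaultdict(lambda: {"count": 0, "bytes": 0})
    for e in matched:
        key = (e["src"], e["ts"] // window)
        buckets[key]["count"] += 1
        buckets[key]["bytes"] += e["bytes"]

    alerts = []
    for (src, bucket), agg in sorted(buckets.items()):
        hits = {"count": agg["count"] > count_threshold,
                "bytes": agg["bytes"] > bytes_threshold}
        fired = all(hits.values()) if require_all else any(hits.values())
        if fired:
            alerts.append({"src": src, "window_start": bucket * window,
                           "count": agg["count"], "bytes": agg["bytes"],
                           "reasons": [k for k, v in hits.items() if v]})
    return alerts


# Constructed sample data; BASE_TS is aligned to a 300-second boundary.
BASE_TS = 1_700_000_400
SAMPLE_EVENTS = (
    make_events("10.0.0.5", 1200, 512, "XX", BASE_TS)               # many small flows
    + make_events("10.0.0.6", 3, 2 * 1024 * 1024, "XX", BASE_TS)    # few large flows (6 MB)
    + make_events("10.0.0.7", 10, 8 * 1024 * 1024, "US", BASE_TS)   # domestic, filtered out
    + make_events("10.0.0.8", 500, 1024, "XX", BASE_TS)             # below both thresholds
)

if __name__ == "__main__":
    for alert in evaluate_rule(SAMPLE_EVENTS):
        print(alert)
```

Running the block reports two alerts for the same window: 10.0.0.5 on the connection count and 10.0.0.6 on the byte total. Calling `evaluate_rule(SAMPLE_EVENTS, require_all=True)` returns nothing, which is the practical reason the procedure changes the operator to OR: with AND, a source that only trips one of the two aggregates is never reported.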