Creating a Behavior Rule

Event Buckets

The easiest way to begin bucket creation is through the Events page. We'll walk through this by creating a gsuites bucket. To start, check the gsuites box under EventType. The EventType facet is populated from the @fields.eventtype field.

Once the new results have loaded, scroll down to view the table.

Clicking the expand chevron opens the parsed table view, which lists the event's fields and their values in a table. We also want the facet to require that event.name be login_success. This event carries that value, so click the eye button on the right of the row to add the value to the facet as a checked (required) value.

When an event is expanded into Parsed Table format, hovering over a row displays four buttons.

Since we want only successful logins, hover over the event.name row and select the open eye. This adds event.name to the facet list with login_success checked, so the search returns only events carrying that value.

The rightmost button is the histogram button. Clicking it redirects you to the event bucket creation page, pre-populated with a count aggregation that uses the highlighted row's field as its group-by field.

Behavior

The Behavior tab allows you to configure timeline alerts and case alerts. These alerts appear on their respective display pages according to the options selected. To begin, give the behavior a name; it is shown on every alert that this rule triggers. We'll call this one GSuitesLogin.

Next, select a behavior type for the alert. There are four options: network access, account login, application activity, and security alert. In this case, the behavior is "account login."

Then, select a key for the behavior. The key is the field that identifies the entity the behavior is about (for an account login, typically the user field), and its value is displayed at the top of each case on the behavior summary page.

Scroll down to add attributes to the case. Click the "+ ADD ATTRIBUTE" button to open the addition window. If you created this bucket from the Events page, the available fields are limited to those associated with the event type. Select the field you want from the dropdown, give it an alias, and click "SAVE" to add it to the list of attributes. These attributes are displayed on the behavior timeline page, and the correlation rules below can only aggregate over fields added here.

The last option is to add correlation rules. There are two rule types: first occurrence and metric aggregation. A first occurrence rule produces a hit the first time an activity matching the bucket (match all, or the query specified previously) is seen for a given combination of field values. A metric aggregation rule assigns a risk based on an aggregation (such as a count, sum, or cardinality) of specified fields over a time window.

First Occurrence

First, give the rule a name. Then, specify the fields whose combination of values makes an occurrence unique, including the key specified earlier. A hit fires the first time a new combination of those values is seen; for example, keying on user and source IP reports the first login of each user from each new address.

Next, set the window size and unit. This window also determines the length of the learning period before hits begin showing up for this rule: combinations seen during that period become the baseline rather than hits, so a window shorter than the normal cadence of the activity (users who log in weekly, for instance) will report routine activity as first occurrences once learning ends.

Lastly, as above in the Behavior section, specify Risks that are associated specifically with this rule. These will show under the Correlation Hits of each behavior in the timeline when triggered.

Metric Aggregation

First, give the rule a name and description. Then, specify the type of aggregation that triggers the rule, such as a count of events, the sum of a numeric field, or the cardinality (number of distinct values) of a field.

In the Fields section, select one of the fields previously selected in the Attributes section of the Behavior.

Next, specify the window over which the aggregation is computed as events stream in. Windows shorter than 5 to 10 minutes are not recommended.

The Operator/Operand fields specify the comparison applied to the aggregation result: the operator (for example, greater than) and the operand (the threshold value). The rule triggers when the comparison holds for a window.

Lastly, as above in the Behavior section, specify Risks that are associated specifically with this rule. These will show under the Correlation Hits of each behavior in the timeline when triggered.
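To make the two rule types concrete, here is a small in-memory model of the configuration described in this page (the Events page facet, the behavior key and attributes, a first occurrence rule and a metric aggregation rule) run over a handful of constructed G Suite login events. This is an added example, not the product's own code: the field names (@fields.eventtype, event.name, user.name, src.ip), the shape of the event stream, the tumbling-window aggregation and the treatment of the learning period are assumptions made for illustration.

```python
# Added example, not the product's own code: a toy in-memory model of the
# bucket facet, behavior attributes and the two correlation rule types.
# Field names, event shape and window/learning-period semantics are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample events; "ts" is epoch seconds (600 s = a 10 minute window).
EVENTS = [
    {"ts": 0,   "@fields.eventtype": "gsuites", "event.name": "login_success", "user.name": "alice", "src.ip": "10.0.0.5"},
    {"ts": 60,  "@fields.eventtype": "gsuites", "event.name": "login_success", "user.name": "bob",   "src.ip": "10.0.0.7"},
    {"ts": 120, "@fields.eventtype": "gsuites", "event.name": "login_failure", "user.name": "alice", "src.ip": "10.0.0.5"},
    {"ts": 300, "@fields.eventtype": "okta",    "event.name": "login_success", "user.name": "carol", "src.ip": "10.0.0.9"},
    {"ts": 700, "@fields.eventtype": "gsuites", "event.name": "login_success", "user.name": "alice", "src.ip": "10.0.0.5"},
    {"ts": 720, "@fields.eventtype": "gsuites", "event.name": "login_success", "user.name": "alice", "src.ip": "203.0.113.8"},
    {"ts": 740, "@fields.eventtype": "gsuites", "event.name": "login_success", "user.name": "alice", "src.ip": "198.51.100.3"},
    {"ts": 800, "@fields.eventtype": "gsuites", "event.name": "login_success", "user.name": "bob",   "src.ip": "10.0.0.7"},
]

# The facet built on the Events page: gsuites checked under EventType, login_success checked for event.name.
FACET = {"@fields.eventtype": {"gsuites"}, "event.name": {"login_success"}}

# Behavior configuration: name, type, key and attribute aliases (field -> alias shown on the timeline).
BEHAVIOR = {"name": "GSuitesLogin", "type": "account login", "key": "user.name",
            "attributes": {"user.name": "user", "src.ip": "source_ip"}}

OPERATORS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
             "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b}


def bucket_events(events, facet=FACET):
    """Return the events matching every checked facet value, in time order."""
    return sorted((e for e in events if all(e.get(f) in vals for f, vals in facet.items())),
                  key=lambda e: e["ts"])


def attributes(event):
    """Project the behavior's attributes out of an event under their aliases."""
    return {alias: event.get(f) for f, alias in BEHAVIOR["attributes"].items()}


@dataclass
class FirstOccurrenceRule:
    name: str
    unique_fields: tuple     # fields whose value combination defines an occurrence; includes the key
    window_seconds: int      # also the learning period: no hits until it has elapsed (assumption)
    risk: int

    def run(self, events):
        seen, hits, start = set(), [], None
        for ev in events:
            start = ev["ts"] if start is None else start
            combo = tuple(ev.get(f) for f in self.unique_fields)
            is_new = combo not in seen
            seen.add(combo)  # both learning and detection extend the baseline
            if is_new and ev["ts"] - start >= self.window_seconds:
                hits.append({"rule": self.name, "key": combo, "ts": ev["ts"],
                             "risk": self.risk, **attributes(ev)})
        return hits


@dataclass
class MetricAggregationRule:
    name: str
    aggregation: str          # "count", "sum" or "cardinality"
    agg_field: Optional[str]  # must be one of the behavior's attributes (None for count)
    window_seconds: int       # tumbling window (assumption), grouped by the behavior key
    operator: str
    operand: float
    risk: int

    def __post_init__(self):
        # The Fields section only offers fields already added as attributes.
        if self.aggregation != "count" and self.agg_field not in BEHAVIOR["attributes"]:
            raise ValueError(f"{self.agg_field} is not an attribute of {BEHAVIOR['name']}")

    def aggregate(self, evs):
        if self.aggregation == "count":
            return len(evs)
        values = [e[self.agg_field] for e in evs if self.agg_field in e]
        if self.aggregation == "sum":
            return sum(values)
        if self.aggregation == "cardinality":
            return len(set(values))
        raise ValueError(f"unknown aggregation {self.aggregation}")

    def run(self, events):
        windows = defaultdict(list)
        for ev in events:
            windows[(ev["ts"] // self.window_seconds, ev.get(BEHAVIOR["key"]))].append(ev)
        hits = []
        for (idx, key), evs in sorted(windows.items()):
            value = self.aggregate(evs)
            if OPERATORS[self.operator](value, self.operand):
                hits.append({"rule": self.name, "key": key, "window": idx * self.window_seconds,
                             "value": value, "risk": self.risk})
        return hits


if __name__ == "__main__":
    events = bucket_events(EVENTS)
    print(FirstOccurrenceRule("new user/ip pair", ("user.name", "src.ip"), 600, 30).run(events))
    print(MetricAggregationRule("many source ips", "cardinality", "src.ip", 600, ">", 2, 50).run(events))
```

With these inputs the first occurrence rule stays quiet for the two logins inside its 10 minute learning period, then reports alice's logins from 203.0.113.8 and 198.51.100.3 as new user/address pairs, while the metric aggregation rule fires once for alice's window in which three distinct source addresses appear. Note how a first occurrence rule needs a window long enough to cover the activity's normal cadence, whereas a metric aggregation rule's window bounds how tightly a burst must be clustered to count.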