This guide will show you how to create Rules in the Secure60 platform
The ability to create custom Rules is a powerful feature that allows you to tailor existing Rules and create new Rules to meet any scenario. In this guide we provide Rule examples to demonstrate a number of approaches. As always, if you have any additional questions, don't hesitate to contact Secure60 Support.
This Rule looks at Entity data to decide whether to create a Threat based on that data. It leverages a number of custom features to improve the operation of the detection.
The whole Rule is shown here:
{
  "conditions": [
    {
      "query": "_entity_name = 'user_name'",
      "data_type": "entities_detail",
      "query_group_by_fields": "_entity_name,_entity_value",
      "query_criteria": "_score >= '100'",
      "trigger": "1",
      "from_relative": "24-h"
    }
  ],
  "actions": [
    {
      "action_type": "create_threat",
      "_category": "user-analytics-threat",
      "_name": "User Analytics - Threat Detected",
      "_description": "User behavioural analytics has detected that a user has exceeded the anomaly score threshold.",
      "_recommendation": "Recommendation is to review the user entity in question. Examine each behaviour that has led to this score (tune the scoring policy if the score is too high). A precaution may be to disable the user while the process is underway.",
      "_score": "60",
      "_entity_name": "user_name",
      "check_existing_by_entity": "Y"
    }
  ]
}
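To make the evaluation order of the condition and action concrete, here is a small model of how the Rule above behaves. This is an added illustration, not Secure60's own code: the entity rows and existing-threat list are constructed for the example, and it assumes the grouped "total Score" is the sum of _score per (_entity_name, _entity_value) group.

```python
from collections import defaultdict

# Constructed sample rows of entities_detail data for the last 24 hours (from_relative 24-h).
ENTITY_ROWS = [
    {"_entity_name": "user_name", "_entity_value": "alice", "_score": 40},
    {"_entity_name": "user_name", "_entity_value": "alice", "_score": 70},
    {"_entity_name": "user_name", "_entity_value": "bob", "_score": 30},
    {"_entity_name": "host_name", "_entity_value": "web01", "_score": 500},  # filtered out by the query
]


def group_scores(rows, entity_name="user_name"):
    """Condition stage: apply the query (_entity_name = entity_name), then group by
    (_entity_name, _entity_value) and total _score per group (summing is an assumption)."""
    totals = defaultdict(int)
    for row in rows:
        if row["_entity_name"] == entity_name:
            totals[(row["_entity_name"], row["_entity_value"])] += row["_score"]
    return dict(totals)


def evaluate_rule(rows, existing_threats, threshold=100, check_existing=True):
    """Action stage: return the Threats the create_threat action would raise.
    existing_threats is a constructed list of dicts with _entity_name, _entity_value, state."""
    new_threats = []
    for (name, value), total in group_scores(rows).items():
        # query_criteria "_score >= '100'" is applied to the grouped total, not to single rows.
        if total < threshold:
            continue
        # check_existing_by_entity "Y": skip when an OPEN Threat already exists for this entity.
        if check_existing and any(
            t["_entity_name"] == name and t["_entity_value"] == value and t["state"] == "OPEN"
            for t in existing_threats
        ):
            continue
        new_threats.append({"_category": "user-analytics-threat", "_entity_name": name,
                            "_entity_value": value, "_score": 60, "state": "OPEN"})
    return new_threats


if __name__ == "__main__":
    print(group_scores(ENTITY_ROWS))
    print(evaluate_rule(ENTITY_ROWS, existing_threats=[]))
```

With the sample rows only alice crosses the threshold (40 + 70 = 110), and a second run while her Threat is still OPEN creates nothing.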
Notes for key rule components:

"data_type": "entities_detail"
We look at the entity information summarised in a table (not timeline) format.

"query_group_by_fields": "_entity_name,_entity_value"
This request groups the data returned by the fields _entity_name and _entity_value, summarising the data returned by these fields (other fields, for example _category, could also be used as a group by field).

"query_criteria": "_score >= '100'"
Only trigger an Action when the total Score (_score) reaches 100 or more. This is applied to the total result after the query_group_by_fields has been applied.

"from_relative": "24-h"
Look back 24 hours rather than only over the frequency of the Rule. This allows an Entity to be analysed over a longer time period to detect issues.

"check_existing_by_entity": "Y"
This flag performs a check before creating a Threat: it looks for an existing Threat for the same entity with state=OPEN, and if one is present it skips creating a new one.

Congratulations, you have now created a range of Secure60 Rules.
For any further questions, reach out to support@secure60.io. We have a team ready to assist.