The list of deployed rules appears.
For more information on the default rules, see Appendix B Enterprise Template.
The Rules window provides the following information for each rule:

Table 12-1 Rules Window Parameters

Parameter: Description
Rule Name: Specifies the name of the rule.
Group: Specifies the group to which this rule is assigned. For more information about groups, see Grouping Rules.
Rule Category: Specifies the rule category for the rule. Options are:
• Custom Rule
• Anomaly Detection Rule
Rule Type: Specifies the rule type. Custom rule types include:
• Event
• Flow
• Common
• Offense
Anomaly detection rule types include:
• Anomaly
• Threshold
• Behavioral
Enabled: Specifies whether the rule is enabled or disabled. For more information on enabling and disabling rules, see Enabling/Disabling Rules.
Response: Specifies the rule response, if any. For more information about rule responses, see Table 12-3.
Event/Flow Count: Specifies the number of events or flows associated with this rule.
Offense Count: Specifies the number of offenses generated by this rule.
Origin: Specifies whether this rule is a default rule (System) or a custom rule (User).
Creation Date: Specifies the date and time this rule was created.
Modification Date: Specifies the date and time this rule was last modified.

The Rules interface toolbar provides the following functions:

Table 12-2 Rules Interface Toolbar

Button: Function
Display: Using the drop-down list box, select whether you want to display rules or building blocks in the rules list.
Group: Using the drop-down list box, select which rule group you want to display in the rules list.
Allows you to manage rule groups. For more information on grouping rules, see Grouping Rules.
Actions: Allows you to perform the following actions:
• New Event Rule - Allows you to create a new event rule. See Creating a Custom Rule.
• New Flow Rule - Allows you to create a new flow rule. See Creating a Custom Rule.
• New Common Rule - Allows you to create a new common rule. See Creating a Custom Rule.
• New Offense Rule - Allows you to create a new offense rule. See Creating a Custom Rule.
• Enable/Disable - Allows you to enable or disable selected rules. See Enabling/Disabling Rules.
• Duplicate - Allows you to copy a selected rule. See Copying a Rule.
• Edit - Allows you to edit a selected rule. See Editing a Rule.
• Delete - Allows you to delete a selected rule. See Deleting a Rule.
• Assign Groups - Allows you to assign selected rules to rule groups. See Assigning an Item to a Group.
Revert Rule: Allows you to revert a modified system rule to its default value. Once you click Revert Rule, a confirmation window appears. When you revert a rule, any previous modifications are permanently removed.
Note: If you want to keep a version of your modified rule, we recommend that you use the Duplicate function. Duplicate the rule, and then use the Revert Rule function on the modified rule.

Step 4 Select the rule you want to view.
If you selected a rule that specifies Custom Rule as the rule category, the Custom Rules Wizard appears. If you selected a rule that specifies Anomaly Detection Rule as the rule category, the Anomaly Detection Wizard appears. Descriptive information appears in the Rule and Notes fields.
Creating a Custom Rule
Custom rules include the following rule types:
• Event Rule - An event rule performs tests on events as they are processed in real time by the Event Processor. You can create an event rule to detect a single event (with certain properties) or a sequence of events. For example, if you want to monitor your network for invalid login attempts, access to multiple hosts, or a reconnaissance event followed by an exploit, you can create an event rule. It is common for event rules to create offenses as a response.
• Flow Rule - A flow rule performs tests on flows as they are processed in real time by the QFlow Collector. You can create a flow rule to detect a single flow (with certain properties) or a sequence of flows. It is common for flow rules to create offenses as a response.
• Common Rule - A common rule performs tests on fields that are common to both event and flow records. For example, you can create a common rule to detect events and flows that have a specific source IP address. It is common for common rules to create offenses as a response.
• Offense Rule - An offense rule processes offenses only when changes are made to the offense, such as when new events are added or the system has scheduled the offense for reassessment. It is common for offense rules to send an email notification as a response.
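To make the four rule categories concrete, the following Python program is a constructed miniature evaluator added here as an illustration. It is not QRadar's rule engine and not code from this guide: the `Record` and `Offense` structures, the `RuleEngine` class, the field names, the thresholds, the watchlist address and the sample records are all assumptions made for the example. It shows an event rule with a threshold test (repeated invalid logins) and a sequence test (reconnaissance followed by an exploit), a common rule that tests a field shared by events and flows (source IP), and an offense rule that only runs when an existing offense changes and responds with a notification rather than a new offense.

```python
"""Miniature correlation-rule evaluator (added example, not QRadar's engine).

Every structure, field name, threshold and sample record below is constructed
for illustration only.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Record:
    kind: str            # "event" or "flow"
    ts: int              # seconds since epoch (constructed)
    src_ip: str          # field common to events and flows
    category: str = ""   # events only, e.g. "auth.failure", "recon", "exploit"
    dst_ip: str = ""


@dataclass
class Offense:
    rule: str
    src_ip: str
    record_count: int = 1
    notifications: list = field(default_factory=list)


class RuleEngine:
    def __init__(self, window=300, login_threshold=5, notify_at=3):
        self.window = window                  # seconds for sequence/threshold tests
        self.login_threshold = login_threshold
        self.notify_at = notify_at            # offense rule fires at this record count
        self.failures = defaultdict(deque)    # src_ip -> timestamps of auth failures
        self.last_recon = {}                  # src_ip -> ts of latest recon event
        self.offenses = {}                    # (rule name, src_ip) -> Offense
        self.watchlist = {"203.0.113.7"}      # constructed list of flagged sources

    def _offense(self, rule, rec):
        """Create an offense or add the record to an existing one, then re-assess it."""
        key = (rule, rec.src_ip)
        off = self.offenses.get(key)
        if off is None:
            off = self.offenses[key] = Offense(rule, rec.src_ip)
        else:
            off.record_count += 1
        self.offense_rule(off)   # offense rules only run when an offense changes
        return off

    def event_rules(self, ev):
        """Event rule: a threshold test and a sequence test on a single source."""
        fired = []
        if ev.category == "auth.failure":
            q = self.failures[ev.src_ip]
            q.append(ev.ts)
            while q and ev.ts - q[0] > self.window:   # drop failures outside the window
                q.popleft()
            if len(q) >= self.login_threshold:
                fired.append(self._offense("Multiple invalid logins", ev))
                q.clear()                              # one burst -> one offense
        elif ev.category == "recon":
            self.last_recon[ev.src_ip] = ev.ts
        elif ev.category == "exploit":
            t = self.last_recon.pop(ev.src_ip, None)
            if t is not None and ev.ts - t <= self.window:
                fired.append(self._offense("Recon followed by exploit", ev))
        return fired

    def common_rule(self, rec):
        """Common rule: tests a field present on both events and flows."""
        if rec.src_ip in self.watchlist:
            return [self._offense("Watchlisted source IP", rec)]
        return []

    def offense_rule(self, off):
        """Offense rule: responds with a notification, not a new offense."""
        if off.record_count == self.notify_at:
            off.notifications.append(
                f"mail: {off.rule} from {off.src_ip} reached {off.record_count} records")

    def process(self, rec):
        fired = self.common_rule(rec)
        if rec.kind == "event":
            fired += self.event_rules(rec)
        return fired


def sample_records():
    """Constructed sample input covering each rule category."""
    return [
        Record("event", 100, "198.51.100.4", "auth.failure"),
        Record("event", 110, "198.51.100.4", "auth.failure"),
        Record("event", 120, "198.51.100.4", "auth.failure"),
        Record("event", 130, "198.51.100.4", "auth.failure"),
        Record("event", 140, "198.51.100.4", "auth.failure"),   # 5th in window -> offense
        Record("event", 200, "198.51.100.9", "recon"),
        Record("event", 260, "198.51.100.9", "exploit"),        # 60 s after recon -> offense
        Record("flow", 300, "203.0.113.7", dst_ip="10.0.0.5"),  # watchlisted source, flow
        Record("event", 310, "203.0.113.7", "auth.failure"),    # same source, event
        Record("flow", 320, "203.0.113.7", dst_ip="10.0.0.6"),  # 3rd record -> notification
        Record("event", 900, "198.51.100.4", "auth.failure"),   # isolated, below threshold
    ]


def run(records=None, **kwargs):
    """Feed records through the engine and return it for inspection."""
    engine = RuleEngine(**kwargs)
    for rec in records if records is not None else sample_records():
        engine.process(rec)
    return engine


if __name__ == "__main__":
    for off in run().offenses.values():
        print(off)
```

Note the split of responsibilities: the event rule keeps per-source state (a sliding window of failures, the last reconnaissance time), the common rule needs nothing beyond the shared `src_ip` field so it evaluates flows and events alike, and the offense rule never sees raw records at all; it is re-run only from `_offense`, which is the only place an offense changes.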
To create a new rule:
Step 1 Select the Offenses tab.
The Offenses interface window appears.
Step 2 In the navigation menu, click Rules.
The rules window appears.
Step 3 On the rules window toolbar, choose one of the following options:
a Using the Actions drop-down list box, select New Event Rule to configure a rule for events.
b Using the Actions drop-down list box, select New Flow Rule to configure a rule for flows.
c Using the Actions drop-down list box, select New Common Rule to configure a rule for events and flows.
d Using the Actions drop-down list box, select New Offense Rule to configure a rule for offenses.
The Custom Rules Wizard appears.
Note: If you do not want to view the Welcome to the Custom Rules Wizard window again, select the Skip this page when running the rules wizard check box.
Step 4 Read the introductory text. Click Next.
The Choose which type of rule you wish to apply window appears. The default is the rule type you selected in the Offenses interface.