Rule Configuration
For rule configurations, there are two tabs - 'Default Rules' and 'Custom Rules'.
TEIREN SIEM provides over a hundred default rules. These rules have been carefully curated through extensive analysis of numerous cloud-based attack simulations. As such, our default rules encompass a wider range of potential threats compared to other SIEMs.
Each rule can be switched On or Off as needed.
Users also have the flexibility to create their own rules. Both static and dynamic rules can be customized to cater to the unique security needs of the user.
TEIREN SIEM offers two types of rules for enhanced threat detection - Static Rules and Dynamic Rules.
Static Rules: These are single detection rules that users can configure to detect specific actions in the logs based on defined properties and values. They are straightforward and designed to target specific, singular events.
Dynamic Rules: These are more complex and versatile. Dynamic rules are designed to detect a series of actions or a flow of events, which can be challenging to identify with single detection rules. For example, users can create a rule to detect a scenario in which an anonymous user creates a cloud server, establishes a policy on that server, copies information from another server, and gains access to confidential data, among other actions.
The Rule Configuration feature aims to provide a comprehensive and adaptable system for threat detection, offering a balance between ready-to-use rules and the flexibility to create custom rules.
To customize a new static rule, follow the steps below:
1. Rule Name: Enter a unique name for your rule. This will be used to identify the rule in the system.
2. Rule Comment: Provide a description or explanation for the rule. This helps clarify the purpose and function of the rule.
3. Rule Severity: Select the severity level for the rule. There are four levels to choose from: Critical, High, Mid, and Low. While default rules come with pre-assigned severity levels, you will need to specify this for custom rules.
4. Rule Property: Identify the log properties that the rule should detect. This allows the rule to focus on specific aspects of the log data.
5. Rule Value: Specify the value for the chosen property and how it is compared. You can select from three options (=, <>, Contains), described in the option table at the end of this page.
6. Property Operators: If multiple properties are added, specify the relationship between them by choosing 'AND' or 'OR'. This allows for more precise detection.
7. Detection Count and Time Range: Optionally, you can specify a 'detection count' and a 'detection time range'. This means you can set the rule to fire only when the matching action has occurred a certain number of times within the defined time range.
Dynamic rules offer a more advanced level of customization for detecting complex patterns or sequences of events. Here's how you can customize dynamic rules:
1. Rule Name: Enter a unique name for your rule. This will be used to identify the rule in the system.
2. Rule Comment: Provide a description or explanation for the rule. This helps clarify the purpose and function of the rule.
3. Rule Severity: Select the severity level for the rule. There are four levels to choose from: Critical, High, Mid, and Low. While default rules come with pre-assigned severity levels, you will need to specify this for custom rules.
4. Detection Time Range: Unlike static rules, dynamic rules require you to specify a 'detection time range'. This represents the timeframe within which the sequence of events or 'flow' you want to detect occurs. The 'detection count' will vary for each flow detection within this time range.
5. Flow Detection: Each dynamic rule consists of one or more 'flow detections'. A flow detection is similar to a static rule and represents a single event in the sequence. For each flow detection, you need to provide a unique name and description. Additionally, you should specify one or more property/value pairs of the log data that the flow detection should identify.
6. Creating Dynamic Rules: Once you have defined two or more flow detections, you can combine them to create a dynamic rule. This allows the system to detect a sequence of events across different log data.
7. Configuring Dynamic Detection: After setting up the necessary flow detections, the next step is to configure the dynamic detection. This involves providing more specific details about which logs to detect, thus refining the rule's focus.
Remember, dynamic rules are a powerful tool for identifying complex patterns and threats. However, they also require a deep understanding of the system's log data and potential threats. Always test new dynamic rules to ensure they are working as expected and adjust them as needed.
| Option | Description |
|---|---|
| `=` | The rule will detect logs where the property's value is equal to the rule value. |
| `<>` | The rule will detect logs where the property's value is not equal to the rule value. |
| `Contains` | The rule will detect logs where the property's value contains the rule value. |
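As an added illustration (not TEIREN SIEM code), the following script models the static-rule concepts above (the three value options, AND/OR property operators, detection count within a time range) and the dynamic-rule concept (ordered flow detections within a time range) over constructed sample logs. The log field names and action values are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not real TEIREN data), assumed to be in time order.
LOGS = [
    {"time": datetime(2024, 1, 1, 10, 0, 0), "user": "anonymous", "action": "CreateServer"},
    {"time": datetime(2024, 1, 1, 10, 1, 0), "user": "anonymous", "action": "PutPolicy"},
    {"time": datetime(2024, 1, 1, 10, 2, 0), "user": "alice", "action": "ConsoleLoginFailed"},
    {"time": datetime(2024, 1, 1, 10, 2, 20), "user": "alice", "action": "ConsoleLoginFailed"},
    {"time": datetime(2024, 1, 1, 10, 2, 40), "user": "alice", "action": "ConsoleLoginFailed"},
    {"time": datetime(2024, 1, 1, 10, 3, 0), "user": "anonymous", "action": "CopyData"},
]

# The three rule-value options from the table: =, <>, Contains.
OPS = {
    "=": lambda actual, want: actual == want,
    "<>": lambda actual, want: actual != want,
    "Contains": lambda actual, want: want in str(actual),
}

def matches(log, conditions, joiner="AND"):
    """Evaluate (property, option, value) conditions joined by the AND/OR property operator."""
    results = [OPS[opt](log.get(prop, ""), val) for prop, opt, val in conditions]
    return all(results) if joiner == "AND" else any(results)

def static_rule(logs, conditions, joiner="AND", count=1, seconds=None):
    """Static rule: fire when `count` matching logs occur within `seconds` (None = no window)."""
    hits = [log["time"] for log in logs if matches(log, conditions, joiner)]
    if seconds is None:
        return len(hits) >= count
    window = timedelta(seconds=seconds)
    # Any run of `count` consecutive hits whose span fits inside the window fires the rule.
    return any(hits[i + count - 1] - hits[i] <= window for i in range(len(hits) - count + 1))

def dynamic_rule(logs, flows, seconds):
    """Dynamic rule: each flow detection matches in order, all within `seconds` of the first."""
    window = timedelta(seconds=seconds)
    for start, first in enumerate(logs):
        if not matches(first, flows[0]):
            continue
        idx = 1  # next flow detection to satisfy
        for log in logs[start + 1:]:
            if log["time"] - first["time"] > window:
                break  # detection time range exceeded for this candidate sequence
            if matches(log, flows[idx]):
                idx += 1
                if idx == len(flows):
                    return True
    return False
```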