
Creating Security Rules

Security rules define events and their execution conditions and can contain one or more queries. Logz.io offers a set of updated preconfigured rules. You can refine them by editing thresholds and triggers, duplicate them for full editing access, or create new rules.

Manually create a new rule

You can create your own custom rules. To get started, navigate to SIEM > Rules and select New rule.


Name the rule

Give your rule a meaningful name. When your rule triggers, its name is used as the email subject or notification heading.

note

Your rule name can contain letters, numbers, spaces, and special characters. It can't contain emojis.

Set search components

Next, set the search components. This determines which logs to look for and in which accounts.

You can use any combination of filters and a search query. Note the following:

  • Use a Lucene search query.

    • You have the option to use wildcards.
    • OpenSearch Dashboards Query Language (DQL) is not supported.
  • All filters are accepted, including: is, is not, is one of, is not one of, exists, does not exist.

After refining your search query and filters, click Preview to open OpenSearch Dashboards in another tab and review the returned logs to ensure you get the expected results.

note

To filter by date range on the @timestamp field, put the range in the query itself rather than adding it as a filter: filters on @timestamp are overwritten and have no effect on the rule.


Using Group-by (order matters!)

Important

A rule won't trigger on logs that lack a Group-by field. To count toward the threshold, a log must contain every field listed in Group-by as well as the fields used in your query and filters.

You can group by up to 3 fields. When you use this option, the rule evaluates and returns aggregated results per group rather than individual logs.

The order in which you add group-by fields matters. Results are grouped in the order in which the group-by fields are added. (The fields are shown from first to last from left-to-right.)

For example, the following will group results by continent, then country, then city:


If you reverse the order (city, country, continent), the results are nested city-first, which is rarely what you want.
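To make the Group-by behaviour concrete, here is a small evaluator written for this page (it is not Logz.io code and does not use the Logz.io API). It builds nested buckets in the order the Group-by fields are given, drops any log that is missing a Group-by field, and reports the groups whose log count reaches the threshold. The sample logs, the "continent"/"country"/"city" field names and the "login_failed" query value are constructed for the example.

```python
# Constructed sample logs for the example (not real Logz.io data).
# Note that frank's log has no "city" field.
SAMPLE_LOGS = [
    {"event": "login_failed", "continent": "EU", "country": "DE", "city": "Berlin", "user": "alice"},
    {"event": "login_failed", "continent": "EU", "country": "DE", "city": "Berlin", "user": "bob"},
    {"event": "login_failed", "continent": "EU", "country": "DE", "city": "Munich", "user": "carol"},
    {"event": "login_failed", "continent": "NA", "country": "US", "city": "Austin", "user": "dave"},
    {"event": "login_failed", "continent": "NA", "country": "US", "city": "Austin", "user": "erin"},
    {"event": "login_failed", "continent": "NA", "country": "US", "user": "frank"},
    {"event": "login_ok", "continent": "EU", "country": "FR", "city": "Paris", "user": "gina"},
]


def matches_query(log, event):
    """Stand-in for the rule's Lucene query; here simply event:<value>."""
    return log.get("event") == event


def aggregate(logs, event, group_by):
    """Nest matching logs into buckets in Group-by order.

    Returns (tree, skipped): `tree` is a dict of dicts whose leaves are
    counts, keyed first by group_by[0], then group_by[1], and so on;
    `skipped` counts logs that matched the query but lacked a Group-by
    field and therefore cannot contribute to any group.
    """
    if not 1 <= len(group_by) <= 3:
        raise ValueError("group_by must name between 1 and 3 fields")
    tree, skipped = {}, 0
    for log in logs:
        if not matches_query(log, event):
            continue
        if any(field not in log for field in group_by):
            skipped += 1
            continue
        node = tree
        for field in group_by[:-1]:
            node = node.setdefault(log[field], {})
        leaf = log[group_by[-1]]
        node[leaf] = node.get(leaf, 0) + 1
    return tree, skipped


def triggered_groups(tree, threshold, path=()):
    """Walk the bucket tree and list the group paths whose count >= threshold."""
    hits = []
    for key, value in tree.items():
        if isinstance(value, dict):
            hits.extend(triggered_groups(value, threshold, path + (key,)))
        elif value >= threshold:
            hits.append(path + (key,))
    return hits


if __name__ == "__main__":
    ordered, skipped = aggregate(SAMPLE_LOGS, "login_failed", ("continent", "country", "city"))
    print("top-level buckets:", list(ordered), "skipped:", skipped)
    print("groups over threshold 2:", triggered_groups(ordered, 2))
    reversed_tree, _ = aggregate(SAMPLE_LOGS, "login_failed", ("city", "country", "continent"))
    print("top-level buckets when reversed:", list(reversed_tree))
```

Running it shows the two points from the text: the log without a "city" field is skipped and never counts toward a threshold, and reversing the field order changes the shape of the result (top-level buckets become cities instead of continents) even though the leaf counts are the same.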

Select relevant accounts

Next, select the Accounts to search.

  • If you select All accounts, the rule will query the logs in all the accounts to which it has access. It will automatically include any accounts added in the future.

  • You can select specific accounts. Select Just these accounts and add the relevant accounts from the dropdown list.

Set trigger conditions

Set your threshold and severity levels. You can base your trigger on a number of logs, minimum/maximum of fields, average, sum, and more.

You can add multiple conditions for the trigger by clicking + Add threshold. You can add up to 5 threshold conditions, each with its own severity tag.

note

You can set the trigger condition time frame between 5 minutes and up to 24 hours (1 day). To set a trigger condition longer than 24 hours, use Logz.io’s API to create your rule.


(Optional) MITRE ATT&CK threats

You can add tactic, technique, and sub-technique tags to your rule; they appear in the rule definitions table and the Event management table. The tags follow MITRE's ATT&CK knowledge base and model of cyber adversary behavior.

Set rule schedule

You can use the scheduling mechanism to manage the trigger condition frequency.

Scheduling defines the frequency and the time frame for the rule. To define a schedule, select On Schedule and use a cron expression to specify when to trigger the rule.

note

Cron expressions are evaluated at one-minute granularity; you can't schedule a rule at intervals finer than a minute.

For example, you can apply the following schedule to your rules:

The expressions use the seconds-first (Quartz-style) field order: seconds, minutes, hours, day-of-month, month, day-of-week, and an optional year.

Cron expression                        Rule trigger schedule
0 0/10 * ? * *                         Every 10 minutes
0 0 0/1 ? * * *                        Every hour, on the hour
0 * 8-17 ? * MON,TUE,WED,THU,FRI *     Every minute from 8 am to 5 pm, Monday through Friday
0 5 0 ? * * *                          Every day at exactly 12:05 am

By default, trigger conditions are evaluated approximately every minute. If ingestion lags, the rule is checked once all data for the window has arrived. In addition, once a rule has met its condition and triggered, it isn't checked again for the remainder of its trigger condition time range.
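To check a schedule before saving a rule, here is a minimal matcher for the seconds-first cron format used in the table above, written for this page (it is not Logz.io code and is not the scheduler Logz.io runs). It supports `*`, `?`, single values, ranges, comma lists, and `start/step` increments, plus three-letter day-of-week names; month names are not supported. The sample timestamps are constructed for the example, and `next_fire` scans at one-minute granularity, matching the note that schedules can't be finer than a minute.

```python
from datetime import datetime, timedelta

# Quartz-style day-of-week numbering: 1 = SUN ... 7 = SAT.
DOW_NAMES = {"SUN": 1, "MON": 2, "TUE": 3, "WED": 4, "THU": 5, "FRI": 6, "SAT": 7}

# (min, max) for: seconds, minutes, hours, day-of-month, month, day-of-week, year
FIELD_RANGES = [(0, 59), (0, 59), (0, 23), (1, 31), (1, 12), (1, 7), (1970, 2099)]


def _to_int(token):
    """Convert a field token to an int, accepting day-of-week names."""
    return DOW_NAMES.get(token.upper()) or int(token)


def _field_matches(spec, value, lo_bound, hi_bound):
    """Match one cron field (e.g. '0/10', '8-17', 'MON,TUE', '*', '?') against a value."""
    if spec in ("*", "?"):
        return True
    for part in spec.split(","):
        has_step = "/" in part
        step = 1
        if has_step:
            part, step_txt = part.split("/", 1)
            step = int(step_txt)
        if part == "*":
            lo, hi = lo_bound, hi_bound
        elif "-" in part:
            a, b = part.split("-", 1)
            lo, hi = _to_int(a), _to_int(b)
        else:
            lo = _to_int(part)
            # 'a/s' means "from a, every s until the field maximum"
            hi = hi_bound if has_step else lo
        if lo <= value <= hi and (value - lo) % step == 0:
            return True
    return False


def cron_matches(expr, when):
    """Return True if `when` (datetime or ISO-8601 string) satisfies `expr`."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    fields = expr.split()
    if len(fields) not in (6, 7):
        raise ValueError("expected 6 or 7 cron fields, got %d in %r" % (len(fields), expr))
    values = [when.second, when.minute, when.hour, when.day, when.month,
              (when.isoweekday() % 7) + 1,  # Python Mon=1..Sun=7 -> Quartz Sun=1..Sat=7
              when.year]
    return all(_field_matches(spec, value, lo, hi)
               for spec, value, (lo, hi) in zip(fields, values, FIELD_RANGES))


def next_fire(expr, after, max_minutes=8 * 24 * 60):
    """First minute after `after` at which `expr` matches, or None within the scan limit."""
    if isinstance(after, str):
        after = datetime.fromisoformat(after)
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    for _ in range(max_minutes):
        if cron_matches(expr, t):
            return t
        t += timedelta(minutes=1)
    return None


if __name__ == "__main__":
    # 2024-05-06 is a Monday (constructed sample timestamp).
    for expr in ["0 0/10 * ? * *", "0 0 0/1 ? * * *",
                 "0 * 8-17 ? * MON,TUE,WED,THU,FRI *", "0 5 0 ? * * *"]:
        print(expr, "->", next_fire(expr, "2024-05-06T09:03:00"))
```

Feeding each expression from the table into `next_fire` with a known start time is a quick way to confirm a schedule does what its description says before you rely on it for a detection.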


(Optional) Set notification details

The Description is visible on the rule definitions page and is included in the emails and Slack messages sent when the rule triggers. A good description therefore tells recipients what the event means and how to address the condition that triggered the rule.

The Tags are helpful for filtering and finding the rules later on.

You can choose a notification endpoint to send notifications or emails when the rule is triggered. This isn't required, though—triggered rules are still logged and searchable in OpenSearch Dashboards.

Choose the endpoints or email addresses you want to notify when the rule triggers.

Add email address as a recipient

note

Notification emails include up to 10 sample events. If your rule triggers more than 10 events, you can view the complete list in your logs.

To use an email as your endpoint, type the email in the Recipients box and click enter.

Set a period between notifications to limit how frequently recipients are notified. Logz.io will continue to log triggered rules without sending notifications, and you can review these directly from the Logz.io platform at any time.

note

To decide how long to snooze notifications, the system compares the Trigger if time interval with the Wait time interval and uses the longer of the two. For example, if your trigger condition is 1 hour and the wait time is 15 minutes, notifications are snoozed for 1 hour before the rule can notify again.

If you need help adding a new endpoint, see Notification endpoints.

Select rule output format & content

When triggered, the rule will send out a notification with sample data.

Sample data can be sent in either JSON or Table formats. Toggle the button to select your preferred format.

If the rule includes any aggregation or group by field, the notification output will send the aggregated results by default.


Save your rule

Click Save to save your rule. If the thresholds are passed and the rule is triggered, Logz.io will log the rule and send the configured notifications.

Clone and modify an existing rule

You can create rules based on Logz.io's preconfigured rules. In this case, the builder will be pre-populated with data from the existing rule, such as the query string.

Navigate to SIEM > Rules and choose the rule you want to use. Hover over the three dots and select Duplicate.


The rule includes all of the relevant queries, filters, etc.

Now, you can define the rule based on your needs and edit the trigger conditions, schedule, notification endpoints, etc.

Once you're done, click Save to create the rule.

Create a rule from OpenSearch Dashboards query

You can create rules based on queries and filters in OpenSearch Dashboards.

Navigate to SIEM > Research and build your query.

To turn the query into a rule, click on Create from query > Create rule. The rule will include the query and filters you've used.

Next, name your rule, set the trigger conditions, add MITRE ATT&CK tags if needed, set the schedule, and choose the notification endpoints.

Once you're done, click Save to create the new rule.