Event-Based Rules Syntax
F5 Distributed Cloud App Infrastructure Protection (AIP) collects raw event data from your Agents and delivers it to Distributed Cloud AIP to be processed. We utilize the Base Ruleset and any rules you created to trigger alerts based on information you want reported.
This article explains the types of rules and the syntax associated with the events. This information will enable you to search for events more efficiently and make better suppressions and rule filters to refine the information you see within Distributed Cloud AIP.
Rule Categories
Distributed Cloud AIP provides the following rule categories based on the following event types.
| Types | Event type rules process.... |
|---|---|
| Audit | Syscall events from the audit framework |
| CloudTrail | AWS CloudTrail events |
| File | Local file system events for file integrity monitoring |
| Host | Events triggered from host logs |
| Windows | Windows Agent events |
| Login | Local login events |
| Threat Intel | IP reputation events |
| Kubernetes Audit | Kubernetes orchestration events |
| Kubernetes Configuration | Kubernetes configuration events |
Search Syntax Best Practices
Best practices that apply to searching across all event types:
- The search field is case sensitive.
- You can use parentheses when searching multiples of the same:
- parameters
- key value pairs
- The Alert Details section enables an Add to Search option. It adds key values to your search with the correct syntax.
- The server syntax for agent is consistent across all event types for rules. It searches for the hostname.
Note
Distributed Cloud AIP uses the CloudTrail native case for compatibility reasons. This means the test filter is case sensitive and uppercase letters will cause the test filter not to match even if a suppression or rule filter is actually correct.
Audit event syntax contains a readable, parseable version of Linux syscalls. This provides a comprehensive look into all local actions taken by your operating system.
To search an audit event, enter event_type = "audit" into the search field. You can use AND or OR operators to add key values to your search.
Notable key value pairs for audit events include:
| Title (Type) | Key Value Pairs |
|---|---|
| Made Connection (type = "connect") | src_addr, src_port, dst_port, ip, port, service, exe, user, group, PID, PPID, command, session |
| Accepted connection (type = "accept") | src_addr, src_port, ip, port, exe, user, group, PID, PPID, command, session |
| Start (type = "start") | exe, cwd, user, group, PID, PPID command, session, arguments |
| Bind Name to Socket (type = "bind") | ip, port, exe, user, group, PID, PPID, command, session |
| Listen for socket connections (type = "listen") | exe, user, group, PID, PPID, command, session |
| Load a kernel module (type = "finit_module") | exe, user, group, PID, PPID, command, session |
| Get & set socket options (type = "setsockopt") | exe, user, group, PID, PPID, command, session, tty |
IP and Port fields are derived fields and are different for connect and accept events.
| Title (Type) | Key Value Pairs | Distributed Cloud AIP Use | Notes |
|---|---|---|---|
| Connect | IP and dst_port | The IP field is the destination ip of the connection. The port is the destination port (dst_port). | |
| Accept | IP and dst_port | The IP field is the source IP of the remote connection. The port is the ephemeral (negotiated) return port for the tcp connection. | Network events are TCP connections only and do not include UDP connections. |
To search for a CloudTrail event, enter event_type = "cloudtrail" into the search field.
Due to the large number of CloudTrail events and key value pairs available and generated, Distributed Cloud AIP does not index them all. This means that you cannot search every potential value pair. In rare cases, there could be information you want to search, filter, or suppress where you would need to contact us to implement.
Important
CloudTrail is case sensitive for key value pairs. Examples include eventSource, eventName, user and arnRole
Using operators such as like, ends_with, or starts_with automatically make queries lowercase within Distributed Cloud AIP, which causes the search to fail. This only pertains to event searches, not to rule cloning and creation, rule filters, or suppressions.
| Notable CloudTrail Keys |
|---|
| server |
| region |
| requestID |
| eventID |
| arnRole |
| accountId |
| timestamp |
| event_type |
| ip |
| eventName |
| eventSource |
| eventSourceType |
Note
AWS does not provide a CloudTrail validation API endpoint. This means Distributed Cloud AIP cannot distinguish between key value pairs that are not indexed or invalid key value pairs.
To search for a file integrity monitoring event, enter event_type = "file" into the search field.
Commons searches are by filename, command, argument, or user.
| Title (type) | Key Value Pairs |
|---|---|
| File (event_type = "file") | filename, command, arguments, or user |
To search for host events, enter event_type = "host" into the search field.
- Login sessions: open and close
- Privilege escalations: successful and failed
- Failed login sessions
| Key Value Pairs |
|---|
| users |
| group |
| src_ip |
Search by users, group (you must know exactly what you are looking for syntax-wise: authentication-success, authentication_failed, or invalid_login, otherwise the search will fail), or source IP (src_ip).
Note
Distributed Cloud AIP differentiates between privilege escalation failed and a failed login session.
You can also search for the sigid, which can differentiate within privilege escalation.
To search for Windows events, enter event_type = "winsec" into the search field.
| Key Value Pairs |
|---|
| exe |
| parent_name |
| command |
| dst_ip |
| src_ip |
To search for login events, enter event_type = "login" into the search field.
Common searches for login events include src_ip, server, or src_host. Logout events are covered as Host events.
| Key Value Pairs |
|---|
| src_host |
| agent |
| src_ip |
Threat Intel refers to Threat Intelligence. You can search for Threat Intel events using event_type = "threatintel"in the search field.
There are three important key value pairs: threatintel_source, threatintel_reason, and ip. You can determine from which list it came (source), its reputation (reason), and the location from where it came (ip).
| Key Value Pairs |
|---|
| user, command, arguments, port |
| threatintel_source, threatintel_reason, ip |
To search for Kubernetes audit events, enter event_type = "kubernetesAudit" into the search field.
| Key Value Pairs |
|---|
| action (Orchesttration action taken on cluster) |
| resource.type (Type of resource: pod, node, namespace) |
To search for Kubernetes configuration events, enter event_type = "kubernetesConfig" into the search field.
| Key Value Pairs |
|---|
| namespace |
| role_name |
| role_type |
| verbs |