Rule Aggregation

When creating a new rule, you can optionally select aggregations. Aggregation groups alerts by the values of one or more fields: the aggregate fields define what makes an alert unique, so events that share the same values for those fields are rolled into a single alert.

For example, if I build a host rule that aggregates on "src_ip" and then run 11 commands from my local machine, I will see one alert in the Threat Stack Cloud Security Platform® (CSP), because all 11 commands share the same source IP.

You can also define a time window within which the aggregation occurs; events with the same aggregate field values outside that window produce a new alert. For additional information about alerts and aggregate fields, please review the Life Cycle of an Alert article.
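To make the grouping behaviour concrete, here is an added example (not Threat Stack's code, and not taken from this article) that aggregates a list of matching events into alerts the way the text describes: one alert per unique combination of aggregate field values, reopened once the time window has elapsed. The event records, field names and the window length are constructed for illustration; the field name "src_ip" is the one used in the article's example.

```python
from typing import Dict, Iterable, List, Sequence

# Constructed sample events (not real Threat Stack data): 11 commands run from
# one source IP over 11 seconds, plus one command from a second source IP.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": 100 + i, "src_ip": "10.0.0.5", "user": "alice", "command": f"cmd{i}"}
    for i in range(11)
] + [
    {"ts": 105, "src_ip": "10.0.0.9", "user": "bob", "command": "id"},
]


def aggregate_alerts(events: Iterable[Dict], aggregate_fields: Sequence[str],
                     window_seconds: int) -> List[Dict]:
    """Roll matching events into alerts.

    The aggregate fields define uniqueness: events whose values for those
    fields are identical are merged into the same alert, as long as they fall
    within window_seconds of the alert's first event. An event that arrives
    after the window has elapsed starts a fresh alert for the same key.
    """
    alerts: List[Dict] = []
    open_alerts: Dict[tuple, int] = {}  # aggregate key -> index into alerts

    for ev in sorted(events, key=lambda e: e["ts"]):
        # Missing fields aggregate as None, so events lacking the field still
        # group together rather than being dropped.
        key = tuple(ev.get(f) for f in aggregate_fields)
        idx = open_alerts.get(key)
        if idx is not None and ev["ts"] - alerts[idx]["first_seen"] < window_seconds:
            alerts[idx]["count"] += 1
            alerts[idx]["last_seen"] = ev["ts"]
            continue
        # No open alert for this key, or its window expired: open a new one.
        alerts.append({
            "key": dict(zip(aggregate_fields, key)),
            "first_seen": ev["ts"],
            "last_seen": ev["ts"],
            "count": 1,
        })
        open_alerts[key] = len(alerts) - 1
    return alerts


if __name__ == "__main__":
    # Aggregating on src_ip alone: the 11 commands from 10.0.0.5 become one alert.
    for alert in aggregate_alerts(SAMPLE_EVENTS, ["src_ip"], window_seconds=3600):
        print(alert)
    # Aggregating on src_ip and command: every distinct command is its own alert.
    print(len(aggregate_alerts(SAMPLE_EVENTS, ["src_ip", "command"], 3600)))
```

Choosing the aggregate fields is a precision trade-off: aggregating only on "src_ip" keeps the alert count low but hides which commands ran, while adding "command" surfaces each one at the cost of more alerts; a short window has the same effect along the time axis.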

Aggregate fields are available in the Threat Stack CSP for the following rule types:

Linux Host Rule
  Aggregate Fields: exe, user, auser, auid, arguments, ip, port, command, session, src_ip, dst_ip, src_user, dst_user, filename

File Integrity Rule
  Aggregate Fields: command, filename, user, exe, arguments, session, src_user, dst_user

CloudTrail Rule
  Aggregate Fields: user, eventName, eventSource, ip, accountId

Threat Intelligence Rule
  Aggregate Fields: threatintel_source, threatintel_reason, threatintel_type, ip

Windows Host Rule
  Aggregate Fields: command, correlation, domain, dns_host, dst_host, dst_ip, dst_ipv6, dst_port, exe, guid, reg_event, sam_account, sid, src_ip, src_ipv6, src_addr, src_port, src_host, target_domain, target_exe, target_file, target_reg_key, target_user, user

Kubernetes Audit Rule
  Aggregate Fields: action, node_name, namespace, resource, name, type

Kubernetes Configuration Rule
  Aggregate Fields: name, namespace, type, role_name, role_type, verbs