Life Cycle of an Alert

Every rule must include the following components:

• Rule Name: Indicates the name of the ruleset.
• Alert Title: Indicates the name and substitutions (dynamic content) which add context to the alert.
• Alert Description: Indicates a brief summary of the alert.
• Aggregate Fields: Helps define the uniqueness of an alert. See Rule Aggregation for additional information about aggregate options.
• Trigger an alert if an event matching this rule occurs at least: Indicates the frequency for generating an alert. You can specify how often to display an alert within a certain time frame.
• Rule Filter : Indicates the criteria the filter is using to decide if an alert should display.
• Severity: There are three levels of behaviors to indicate the severity of the alert.
  • Severity 1 alerts are the highest elevation of behaviors.
  • Severity 2 alerts are the second highest elevation of behaviors.
  • Severity 3 alerts are the third highest elevation of behaviors.

Example of Rule Creation

The example below walks you through the process of cloning and modifying an existing "Privilege Escalations" rule in the Base Ruleset. You can clone an existing rule from the Rules page.

1. Click the + New Rule button.

   
   

2. The Add Host Rule dialog displays.

   
   

3. Select Clone Existing Rule and click the Next: Details button.

   
   

4. In the Select existing rules to clone field, search and select the existing Privilege Escalations rule.

   
   

5. After making your selection, click the Clone 1 Rule button.
6. The cloned rule will be displayed in the rules list.

   
   

7. You can confirm the Severity of alerts associated with the rule. If necessary, change the severity level by clicking the severity button for your desired alert level.
8. In the right view pane, the Details screen displays. You can make changes to the following:
   1. Rule Name
   2. Alert Title
   3. Alert Description
   4. Aggregate Fileds
   5. Frequency of alert

   
   

   Note

   In the Aggregate Fields, confirm you have the correct aggregations selected.

9. In this example, the following updates were made:
   • The Rule Name field was updated to Sudo five in an hour {{exe}} by {{user}} with arguments {{arguments}}.
   • The Alert Title field was updated to User Activity (Sudo five in an hour) {{exe}} ran by user {{user}} with {{arguments}}.
   • The Alert Description field was updated to This alert tracks all sudo ran by a non-root user and alerts you if users run 5 sudo commands in an hour.
   • The alert frequency field was updated to 5 times, and the time window for the alert was updated to 1 hour.

   
   

10. Click the Update Rule button to save your changes.
11. Navigate to the Rule Filter pane.

    
    

12. In the Filter field enter, the following filter criteria: command = "sudo" and type ="start".
13. Click the Update Rule Filter button.

    
    

    You have successfully created a new rule.

When you create a rule, you have the option to select aggregations, alert thresholds, and a time window.

Aggregation Field

Aggregate fields define the uniqueness of the alert.

In our example for rule creation, we selected "execute" and "arguments" as aggregations. Hence, if a user executes the same command within the same argument more than once, Distributed Cloud AIP considers it an identical event and updates the original alert within the alert threshold.

Within the context of aggregation, if a user performs the same execution but enters a different argument, a new unique alert displays since Distributed Cloud AIP considers it a different alert.

Alert Thresholds

The alert threshold counts the number of times an event matches the defined filter and aggregations. It displays an alert only after the count matches the alert criteria.

In our example, you set the alert threshold as "5 events in a 1 hour period". This means that if a user executes the same argument 5 times within an hour, Distributed Cloud AIP generates only 1 alert.

Time Window

The time window is the span of time specified to generate an alert based on the number of times an event was executed.

In our example, if the same alert generates more than once within a time window, Distributed Cloud AIP would update the existing alert instead of generating a new alert. When Distributed Cloud AIP updates an existing alert, it attaches the event to the alert record for you to review.

You can learn more about alerts in the Distributed Cloud AIP Dashboard in the "Review an Alert" section below.

At this point you have created a rule and specified the criteria for an alert. We can now review what an alert looks like on the Alerts page if an event triggers it.

The Alerts Page

As a reminder, the Alerts page contains:

• Organized view (default and customizable tabs)
• By default, Distributed Cloud AIP sorts alerts by severity, type, active, or dismissed.
• Search field
• Alert trends over time (histogram)
• Alert information table and filter rule and ruleset details

Reviewing Alerts

Distributed Cloud AIP recommends using the Alert Trends histogram to navigate to alert spikes. This can help you quickly access alert details and efficiently review additional information.

In Alert Trends, you can select a desired time frame along the histogram to view the behaviors that caused the alerts. As you move the vertical markers to your desired timeline, the information in the Filters section changes to display relevant content related to the behaviors in the body of the alerts. The filter pane also shows the specific behaviors and events to help you determine whether any further analysis and action is required.

Alert Details Information

When reviewing alerts in list view, the following information is displayed:

1. Severity level of the alert
2. Title of the alert
3. Date and time of the alert
4. Alert suppression icon

Select an alert to view detailed event information.

Additional information about the events contributing to the alert are displayed, such as:

1. The date and time of the first event that triggered the alert (The default timestamp).
2. The timestamp of the last event that contributed to the alert.
3. The last five contributing events related to the alert.

Clicking the View Contributing Events link displays the last five contributing events in chronological order starting with the most recent event.

On the Alerts page, you can view, suppress, and dismiss alerts. Dismissing alerts enables you to acknowledge particular behaviors and track the dismissed alerts for compliance.

Dismiss an Alert vs Suppress an Alert

When you dismiss an alert, it removes it from view. If the behavior happens again the alert will re-appear.

Suppressing an alert whitelists the behavior. Hence, you will not see the alert again. If you suppress an alert, it indicates you don’t want to receive alerts about the behavior. See Suppress an Alert for more information.

Dismiss an Alert

Dismissing an alert indicates you have reviewed and acknowledged a particular behavior, or a set of behaviors. From a compliance perspective, a record of dismissed alerts shows an auditor you reviewed and acknowledged particular behaviors.

1. Navigate to the Alerts page.
2. On the Alert Trends histogram, navigate to an alert spike using the vertical markers.

   
   

3. After selecting an alert timeline, review the Filter by Rule pane for the rule filter that triggered the alert behavior.

   
   

4. Select a specific alert to review the contributing events and determine why the behavior happened.

   
   

5. Select the checkbox for the alert. The Dismiss pane displays in the right view.

   
   

6. Select your Dismiss Alerts Reason and click the Dismiss [#] Alert button.

   
   

7. You can review dismissed alerts in the Dismissed Alerts tab.