BluSapphire

Event-Rules

Case-Hub Event Rules

Event Rules automate the handling of both new and existing Events within the Case-Hub. An Event Rule uses a Reflex Query Language (RQL) query to identify matching Events as they come through and then executes the configured actions on them. All created rules can be managed from the Event Rules page.

Creating an Event Rule

Event Rules can be created from the "Event Rules" page or directly from the "Event-Queue" page. Here we go through the steps for creating an Event Rule from the "Event-Queue" page:

  1. Navigate to the "Event Queue" page from the dashboard and identify the event for which you want to create an event rule.

  2. Click the "Blue Graph Icon" located in the bottom left of the Event card, underneath the observables. This opens the rule creation wizard, pre-populated with the rule name for the selected event.

  3. Enter the rule details and set an expiration (if needed).

  4. For the Event query, the system auto-generates a default rule based on the selected event's observables. Check the query and make any required adjustments to the rule.

    Note: Ensure the rule condition is properly tuned and contains the fields you need.

  5. Click Test Rule to test the Rule.

  6. Determine Event actions.

  7. Determine Case actions (choose between the New/Merge case options).

    Note: Choosing the "New-Case" option will create a new case for every event matched.

  8. Determine notifications (if needed).

  9. Review the Event Rule and click Create.

Editing an Event Rule

To modify an Event Rule after creation, the following steps can be used:

  1. Navigate to the Event Rules page from the Dashboard

  2. Locate the Event Rule you wish to edit

  3. Click Manage -> Edit Rule

  4. Make required changes and save

Disable an Event Rule

To disable an Event Rule, the following steps can be used:

  1. Navigate to the Event Rules page from the Dashboard.

  2. Locate the Event Rule you wish to disable.

  3. Click Manage -> Disable Rule, or toggle the Active switch to NO while editing the rule, then save.

Event Rule Fields

Following are the fields you need to fill in when creating an event rule:

  • Organization: Select the appropriate Organization from the list to apply the Rule to.

  • Rule Name: Give the Rule a relevant name.

  • Rule Description: Provide a description of the Rule and its purpose.

  • Active: The Rule is actively run against Events.

  • Protected: The Rule can only be edited and disabled by its creator.

  • Run Retroactive: The Rule runs retroactively when saved, meaning Case-Hub will attempt to match the Rule to any Event that is in the New state.

  • Global Rule: The Rule exists in the Default Tenant and applies to every tenant in the Case-Hub instance.

  • Priority: Determines which Event Rules are processed first. Rules with a lower priority number run first; Rules with a higher priority number run after them.

  • Expire: The Rule automatically disables itself after x number of days (1 is the default).

  • Query: Provide an RQL query to match Events to this Rule based on certain criteria.

  • Number of Test Events: Reflex will fetch the last x number of Events and compare this Rule to them.

    Event Rules support retroactive testing against the entire collection of Events in the system, meaning Case-Hub will attempt to test the Rule against all Events in any state. Best practice: testing across a large set of Events is time-consuming, so fine-tune the testing criteria by selecting a relevant start and end date and adjusting the Number of Test Events to something reasonable (1,000 Events by default).

    Note: In multi-tenant environments, if Global Rule is switched to YES, the test runs across all tenants.

  • Start Time: Start of the search period to test the Rule against.

  • End Time: End of the search period to test the Rule against.

  • Include Results: Presents all matched Events in a new window.

Event Rule Actions

There are a number of actions that Event Rules can perform when matched to Events. Multiple actions can be applied simultaneously (e.g. an event can be tagged and moved into a case at the same time).

Event Actions

  • Dismiss Event: Select a dismiss reason and enter a dismiss comment to automatically dismiss Events that match this Rule.

  • Add Tags: Apply additional tags to Events that match this Rule.

  • Update Severity: Change the severity of Events that match the Rule.

Case Actions

  • Create New Case: Creates a new Case for every Event that matches the Rule.

  • Case Template: Select a Case Template to apply when the new Case is created.

  • Merge into Case: Merges Events that match the Rule into a Case.

Examples

Event Rules are extremely useful for additional automation in your Case-Hub environment and have countless use cases. Below are a few examples:

  • Dismiss all successful remote logins where the username is that of a known admin.

  • Dismiss benign or known good values for particular Detections.

  • Merge all Events generated by a particular Detection into a Case for client review.
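The three use cases above, worked through in a toy model of rule evaluation. This is an added example written for this page, not BluSapphire's Case-Hub code: Events are plain dataclasses, the RQL query is replaced by a Python predicate (RQL syntax is documented on the RQL page, not here), Rules run in the page's priority order (lower number first) and a dismissed Event leaves the New state so later Rules no longer see it. The admin list, detection names and Events are constructed sample data.

```python
# Added toy model of Case-Hub Event Rule evaluation (not BluSapphire code).
# Assumptions: the Rule "query" is a Python predicate standing in for RQL;
# Rules run lowest priority number first; a dismissed Event is no longer New.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Event:
    id: int
    detection: str
    observables: dict
    status: str = "New"
    severity: int = 2
    tags: set = field(default_factory=set)
    case_id: Optional[int] = None
    dismiss_reason: Optional[str] = None


@dataclass
class EventRule:
    name: str
    priority: int                               # lower number runs first
    query: Callable[[Event], bool]              # stand-in for the RQL query
    active: bool = True
    dismiss_reason: Optional[str] = None        # Event action: Dismiss Event
    add_tags: set = field(default_factory=set)  # Event action: Add Tags
    set_severity: Optional[int] = None          # Event action: Update Severity
    case_action: Optional[str] = None           # Case action: "new" or "merge"
    merge_case_id: Optional[int] = None         # target Case for "merge"


class CaseHub:
    """Minimal Case store: opens Cases and attaches Events to them."""

    def __init__(self) -> None:
        self.cases: dict[int, dict] = {}
        self._next_case_id = 1

    def open_case(self, title: str) -> int:
        case_id = self._next_case_id
        self._next_case_id += 1
        self.cases[case_id] = {"title": title, "events": []}
        return case_id

    def attach(self, case_id: int, event: Event) -> None:
        self.cases[case_id]["events"].append(event.id)
        event.case_id = case_id

    def run_rules(self, rules: list[EventRule], events: list[Event]) -> None:
        # Active Rules run in priority order; each sees only Events still in New.
        for rule in sorted((r for r in rules if r.active), key=lambda r: r.priority):
            for ev in events:
                if ev.status != "New" or not rule.query(ev):
                    continue
                ev.tags |= rule.add_tags            # several actions may apply at once
                if rule.set_severity is not None:
                    ev.severity = rule.set_severity
                if rule.case_action == "new" and ev.case_id is None:
                    # "New-Case" opens a separate Case for every matched Event.
                    self.attach(self.open_case(f"{rule.name}: event {ev.id}"), ev)
                elif rule.case_action == "merge" and ev.case_id is None:
                    self.attach(rule.merge_case_id, ev)
                if rule.dismiss_reason is not None:
                    ev.status = "Dismissed"
                    ev.dismiss_reason = rule.dismiss_reason


KNOWN_ADMINS = {"jdoe_admin", "svc_backup"}  # constructed sample values


def run_demo() -> tuple[list[Event], CaseHub]:
    hub = CaseHub()
    review_case = hub.open_case("PowerShell detections for client review")  # Case 1
    rules = [
        # Dismiss known-admin remote logins before any other Rule handles them.
        EventRule("Dismiss known-admin remote logins", priority=10,
                  query=lambda e: e.detection == "Successful Remote Login"
                  and e.observables.get("user") in KNOWN_ADMINS,
                  dismiss_reason="Known admin activity"),
        # Remaining remote logins: tag, raise severity, open one Case per Event.
        EventRule("Escalate remote logins", priority=20,
                  query=lambda e: e.detection == "Successful Remote Login",
                  add_tags={"remote-access"}, set_severity=4, case_action="new"),
        # Merge one Detection's Events into a single Case for client review.
        EventRule("Collect PowerShell detections", priority=30,
                  query=lambda e: e.detection == "Suspicious PowerShell",
                  case_action="merge", merge_case_id=review_case),
    ]
    events = [  # constructed sample Events
        Event(1, "Successful Remote Login", {"user": "jdoe_admin", "src": "10.0.0.5"}),
        Event(2, "Successful Remote Login", {"user": "bob", "src": "203.0.113.7"}),
        Event(3, "Successful Remote Login", {"user": "alice", "src": "198.51.100.9"}),
        Event(4, "Suspicious PowerShell", {"host": "ws-17"}),
        Event(5, "Suspicious PowerShell", {"host": "ws-22"}),
        Event(6, "Port Scan", {"src": "192.0.2.44"}),
    ]
    hub.run_rules(rules, events)
    return events, hub


if __name__ == "__main__":
    for ev in run_demo()[0]:
        print(ev.id, ev.detection, ev.status, ev.severity, sorted(ev.tags), ev.case_id)
```

Running it shows why priority matters: the admin login (Event 1) is dismissed by the priority-10 Rule and is therefore never tagged or escalated by the priority-20 Rule, while the two remaining remote logins each get their own Case and both PowerShell Events land in the single review Case.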


Last updated 1 year ago
