Event-Rules
Case-Hub Event Rules
Event Rules are utilized to automate both new and existing Events within the Case-Hub. Reflex Query Language (RQL) is used by Event Rules to identify and execute certain actions on matching events as they come through. All the created rules can be managed from the Event Rules page.
Creating an Event Rule
Event Rules can be created from the "Event Rules" page or directly from the "Event-Queue" page, here we will go through the steps for creating an Event Rule from the "Event-Queue" page:
Navigate to the "Event Queue" page from the dashboard, and identify the event for which you want to create an event rule.
Click the "Blue Graph Icon" located in the bottom left of the Event card underneath observables, this will open the rule creation wizard, pre-populated with the rule name for the selected event.
Enter details, and set expiration (if needed).
For the Event query, the system will auto-generate a default rule based on selected event observables, check the query, and make required adjustments to the rule.
Note: Ensure the rule condition is properly tuned and has the fields you need.
Click Test Rule to test the Rule.
Determine Event actions,
Determine Case actions (choose between New/Merge case options),
Note: choosing the "New-Case" option will create a new case for every event matched.
Determine notifications (if needed).
Review the Event Rule and click Create
Editing an Event Rule
To modify an Event Rule after creation, the following steps can be used:
Navigate to the Event Rules page from the Dashboard
Locate the Event Rule you wish to edit
Click Manage -> Edit Rule
Make required changes and save
Disable an Event Rule
To disable an Event Rule, the following steps can be used:
Navigate to the Event Rules page from the Dashboard.
Locate the Event Rule you wish to disable.
Click Manage -> Disable Rule (or) toggle the Active switch to
NO
while editing the rule, save.
Event Rule Fields
Following are the different fields you need to fill in while creating an event rule:
Organization
Select the appropriate Organization from the list to apply the Rule to
Rule Name
Give the Rule a relevant name
Rule Descriptio
provide a description of the Rule and its purpose
Active
Rule is actively run against Events
Protected
Rule can only be edited and disabled by its creator
Run Retroactive
The rule runs retroactively when saved, meaning Case-Hub will attempt to match the Rule to any event that is in the New
state
Global Rule
Exist in the Default Tenant and will apply to every tenant in the Case-Hub instance
Priority
Determines which Event Rules will be processed first.
Rules with a lower-numbered priority will run first, whereas Rules with a high-priority number will run after.
Expire
The rule will automatically disable itself after x
number of days (1
is the default)
Query
Provide an RQL query to match events to this rule based on certain criteria
Number of Test Events
Reflex will fetch the last x
number of events and compare this rule to them.
Event Rules support retroactively testing them against the entire collection of Events in the system. This means that Case-Hub will attempt to test the Rule against all events in any state. Best Practices: Testing across a large set of events is time-consuming, it is recommended to fine-tune the testing criteria by selecting a relevant start and end date as well as adjusting the Number of test events to something reasonable (which is 1,000 Events by default). Note: In multi-tenant environments, if the Global Rule is switched to YES, then the test will be done across all tenants.
Start Time
Start of the search period to test the Rule against
End Time
End of the search period to test the Rule against
Include Results
This will present all matched Events in a new window
Event Rule Actions
There are a number of actions that Event Rules can perform when matched to Events. Multiple actions can be applied simultaneously (e.g. an event can be tagged and moved into a case at the same time).
Dismiss Event
select a dismiss reason and enter a dismiss comment to automatically dismiss Events that match this Rule
Add Tags
Apply additional tags to Events that match this rule
Update Severity
Change the severity of the Event that matches the Rule
Create New Case
Creates a new Case for every Event that matches the Rule
Case Template
Select a Case Template to apply when the new Case is created
Merge into Case
Merges Events that match the Rule into a Case
Examples
Event Rules are extremely useful for additional automation in your Case-Hub environment and have countless use cases. Below are a few examples:
Dismiss all successful remote logins where the username is that of a known admin.
Dismiss benign or known good values for particular Detections.
Merge all Events generated by a particular Detection into a Case for client review.
Last updated