Event-Rules

Case-Hub Event Rules

Event Rules are utilized to automate both new and existing Events within the Case-Hub. Reflex Query Language (RQL) is used by Event Rules to identify and execute certain actions on matching events as they come through. All the created rules can be managed from the Event Rules page.

Creating an Event Rule

Event Rules can be created from the "Event Rules" page or directly from the "Event-Queue" page, here we will go through the steps for creating an Event Rule from the "Event-Queue" page:

  1. Navigate to the "Event Queue" page from the dashboard, and identify the event for which you want to create an event rule.

  2. Click the "Blue Graph Icon" located in the bottom left of the Event card underneath observables, this will open the rule creation wizard, pre-populated with the rule name for the selected event.

  3. Enter details, and set expiration (if needed).

  4. For the Event query, the system will auto-generate a default rule based on selected event observables, check the query, and make required adjustments to the rule.

    Note: Ensure the rule condition is properly tuned and has the fields you need.

  5. Click Test Rule to test the Rule.

  6. Determine Event actions,

  7. Determine Case actions (choose between New/Merge case options),

    Note: choosing the "New-Case" option will create a new case for every event matched.

  8. Determine notifications (if needed).

  9. Review the Event Rule and click Create

Editing an Event Rule

To modify an Event Rule after creation, the following steps can be used:

  1. Navigate to the Event Rules page from the Dashboard

  2. Locate the Event Rule you wish to edit

  3. Click Manage -> Edit Rule

  4. Make required changes and save

Disable an Event Rule

To disable an Event Rule, the following steps can be used:

  1. Navigate to the Event Rules page from the Dashboard.

  2. Locate the Event Rule you wish to disable.

  3. Click Manage -> Disable Rule (or) toggle the Active switch to NOwhile editing the rule, save.

Event Rule Fields

Following are the different fields you need to fill in while creating an event rule:

Fields
Details

Organization

Select the appropriate Organization from the list to apply the Rule to

Rule Name

Give the Rule a relevant name

Rule Descriptio

provide a description of the Rule and its purpose

Active

Rule is actively run against Events

Protected

Rule can only be edited and disabled by its creator

Run Retroactive

The rule runs retroactively when saved, meaning Case-Hub will attempt to match the Rule to any event that is in the New state

Global Rule

Exist in the Default Tenant and will apply to every tenant in the Case-Hub instance

Priority

Determines which Event Rules will be processed first.

Rules with a lower-numbered priority will run first, whereas Rules with a high-priority number will run after.

Expire

The rule will automatically disable itself after x number of days (1 is the default)

Query

Provide an RQL query to match events to this rule based on certain criteria

Number of Test Events

Reflex will fetch the last x number of events and compare this rule to them.

Event Rules support retroactively testing them against the entire collection of Events in the system. This means that Case-Hub will attempt to test the Rule against all events in any state. Best Practices: Testing across a large set of events is time-consuming, it is recommended to fine-tune the testing criteria by selecting a relevant start and end date as well as adjusting the Number of test events to something reasonable (which is 1,000 Events by default). Note: In multi-tenant environments, if the Global Rule is switched to YES, then the test will be done across all tenants.

Start Time

Start of the search period to test the Rule against

End Time

End of the search period to test the Rule against

Include Results

This will present all matched Events in a new window

Event Rule Actions

There are a number of actions that Event Rules can perform when matched to Events. Multiple actions can be applied simultaneously (e.g. an event can be tagged and moved into a case at the same time).

Event Actions
Details

Dismiss Event

select a dismiss reason and enter a dismiss comment to automatically dismiss Events that match this Rule

Add Tags

Apply additional tags to Events that match this rule

Update Severity

Change the severity of the Event that matches the Rule

Case Actions
Details

Create New Case

Creates a new Case for every Event that matches the Rule

Case Template

Select a Case Template to apply when the new Case is created

Merge into Case

Merges Events that match the Rule into a Case

Examples

Event Rules are extremely useful for additional automation in your Case-Hub environment and have countless use cases. Below are a few examples:

  • Dismiss all successful remote logins where the username is that of a known admin.

  • Dismiss benign or known good values for particular Detections.

  • Merge all Events generated by a particular Detection into a Case for client review.

Last updated