Write a Threshold Rule
Learn how to write a Threshold rule.
This topic describes Threshold rules and how to create them in the CSE UI.
About Threshold rules
A Threshold rule fires when its rule expression is matched at least a certain number of times during a specified length of time. For example, a rule might fire if there are five or more failed login attempts from the same IP address within one hour.
Create a Threshold rule
- Choose Rules from the Content menu.
- On the Create a Rule page, click Create in the Threshold card.
- In the rules editor:
- Name. Enter a name for the rule.
- Enabled. By default the rule will be enabled. It's good practice to use the slider to disable the rule so that it won’t be applied to incoming Records until you’ve tested it.
Configure “If Triggered” settings
- When the expression. Enter the rule expression, a boolean expression that when “true”, causes the rule to fire.
- matches n Record. Select how many Records must match the rule expression during the interval you specify below, in the within option.
- within. Select the duration within which the rule expression must evaluate to “true” more than the number of times specified in matches n Record for the rule to fire a Signal.
- Show advanced. Click this link, in the upper right corner of the If Triggered area, to display advanced options. When you checkmark an advanced option, the If Triggered area refreshes, displaying additional fields.
- Count only distinct value for a field. Configure this option if you want to count only the number of distinct values of a particular Record field among the matching Records, instead of counting every Record that matches your rule expression. Use the for field dropdown list to select the desired field.
- group by one or more fields. By default, a threshold rule implicitly groups by the entity field you’ll select below when configuring the Then Create a Signal options. You can select additional “group by” fields with the matches grouped by option, so that a Signal is only created if the count for the group is above the threshold count specified above.
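The following is an added example, not code from CSE or this documentation, that shows how the "If Triggered" settings combine: a rule expression, a count threshold, a time window, an optional distinct-value count, and grouping. The `expression` argument is a plain Python predicate standing in for the CSE rule expression (CSE has its own expression syntax, not shown here), the records and field names (`srcDevice_ip`, `user_username`, `success`) are constructed sample data, and the evaluator treats the threshold as "at least n matches" as described in the introduction above. After a group fires, its buffer is cleared so that each further matching Record does not produce another Signal; that is one deduplication choice assumed for the example, not necessarily CSE's.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Records (not real CSE data): login events with a
# source IP, a username, and whether the login succeeded.
SAMPLE_RECORDS = [
    {"timestamp": "2024-01-01T10:00:00", "srcDevice_ip": "10.0.0.5", "user_username": "alice", "success": False},
    {"timestamp": "2024-01-01T10:05:00", "srcDevice_ip": "10.0.0.5", "user_username": "alice", "success": False},
    {"timestamp": "2024-01-01T10:10:00", "srcDevice_ip": "10.0.0.5", "user_username": "bob",   "success": False},
    {"timestamp": "2024-01-01T10:20:00", "srcDevice_ip": "10.0.0.5", "user_username": "carol", "success": False},
    {"timestamp": "2024-01-01T10:30:00", "srcDevice_ip": "10.0.0.5", "user_username": "dave",  "success": False},
    {"timestamp": "2024-01-01T10:35:00", "srcDevice_ip": "10.0.0.5", "user_username": "alice", "success": True},
    {"timestamp": "2024-01-01T12:00:00", "srcDevice_ip": "10.0.0.9", "user_username": "eve",   "success": False},
    {"timestamp": "2024-01-01T12:01:00", "srcDevice_ip": "10.0.0.9", "user_username": "eve",   "success": False},
    {"timestamp": "2024-01-01T12:02:00", "srcDevice_ip": "10.0.0.9", "user_username": "eve",   "success": False},
    {"timestamp": "2024-01-01T12:03:00", "srcDevice_ip": "10.0.0.9", "user_username": "eve",   "success": False},
    {"timestamp": "2024-01-01T12:04:00", "srcDevice_ip": "10.0.0.9", "user_username": "eve",   "success": False},
]


def failed_login(record):
    """Stand-in for the rule expression ("When the expression"): true for failed logins."""
    return record["success"] is False


def evaluate_threshold(records, expression, threshold, window_seconds, group_by, distinct_field=None):
    """Sliding-window threshold evaluation over a batch of Records.

    expression     -- predicate that plays the role of the CSE rule expression
    threshold      -- "matches n Records": fire when the count is at least n
    window_seconds -- "within": only matches inside this trailing window count
    group_by       -- fields whose values define the Entity / group (e.g. ["srcDevice_ip"])
    distinct_field -- "Count only distinct value for a field": count distinct
                      values of this field instead of Records

    Returns one Signal dict per (group, window) that crossed the threshold.
    """
    window = timedelta(seconds=window_seconds)
    signals = []
    buffers = defaultdict(list)  # group key -> [(timestamp, distinct value)]

    for rec in sorted(records, key=lambda r: r["timestamp"]):
        if not expression(rec):
            continue  # Record does not match the rule expression
        t = datetime.fromisoformat(rec["timestamp"])
        key = tuple(rec[f] for f in group_by)
        buffers[key].append((t, rec[distinct_field] if distinct_field else None))
        # Drop matches that fell outside the trailing window.
        buf = [(ts, v) for ts, v in buffers[key] if t - ts < window]
        buffers[key] = buf

        count = len({v for _, v in buf}) if distinct_field else len(buf)
        if count >= threshold:
            signals.append({"entity": key, "count": count, "window_end": rec["timestamp"]})
            buffers[key] = []  # assumed dedup choice: one Signal per group per window
    return signals


def run_examples():
    """Three configurations of the same rule expression over the sample Records."""
    hour = 3600
    return {
        # 5 failed logins from one IP within an hour: both IPs fire.
        "count_per_ip": evaluate_threshold(SAMPLE_RECORDS, failed_login, 5, hour, ["srcDevice_ip"]),
        # Count distinct usernames per IP: only the IP trying many users fires.
        "distinct_users_per_ip": evaluate_threshold(
            SAMPLE_RECORDS, failed_login, 4, hour, ["srcDevice_ip"], distinct_field="user_username"),
        # Group by IP and user: only the single user with 5 failures fires.
        "count_per_ip_and_user": evaluate_threshold(
            SAMPLE_RECORDS, failed_login, 5, hour, ["srcDevice_ip", "user_username"]),
    }


if __name__ == "__main__":
    for name, sigs in run_examples().items():
        print(name, sigs)
```

The three configurations illustrate why the advanced options matter: a plain count per IP fires for both sample IPs, counting distinct usernames separates the IP that cycles through many accounts from the one that retries a single account, and adding `user_username` to the group-by narrows the Signal to the specific account that crossed the threshold.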
Test your rule expression
Configure “Then Create a Signal” settings
- On Entity. Select the Entity field—an IP address, MAC address, hostname, or username—in the Record that the resulting Signal should be associated with. (In CSE, an Insight is a set of Signals with the same Entity field.) Select a value from the pull-down list.
- with the summary.
- with the description. Define the description for the Signal. You can use text and Record fields. The Signal description should be a good indication of what the rule looks for.
- with a severity of. Severity is an estimate of the criticality of the detected activity, from 1 (lowest) to 10 (highest).
- with tags. If desired, you can add metadata tags to your rule. Tags are useful for adding context to items like Rules, Insights, Signals, Entities. You can also search for and filter items by tag. For more information, see Using Tags with Insights, Signals, Entities, and Rules.
Save as prototype
Duplicate Signals?