Write a Threshold Rule

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Learn how to write a Threshold rule.

This topic has information about the Threshold rule UI, and the data you provide to create a Threshold rule.

Threshold rule UI

The screenshot below shows the UI for creating a Threshold rule. The path to this page is Content > Rules > Create a Rule > Threshold.

Define Threshold rule options

For a Threshold rule, you define the following:

Name. Enter a name for the rule. Signals the rule fires will have this name.
When ... Record. Select how many Records must match the rule expression during the interval you specify below, in the within option.
matching the expression. Enter the rule expression, a boolean expression that when “true”, causes the rule to fire.
You can expand the field template guide, which contains a list of all the fields that CSE can normalize to v3 of the CSE Schema. Note that the existence of a field in the guide doesn't mean that your ingested Records necessary include that field.
on field. The field to count when the expression evaluates to true.
Count only distinct matches. If you select this option, only distinct values of the field you specified above in on field are counted. For example, if on field is port, you might only want to count only those occurrences where the port value is different.
within. Select the duration within which the rule expression must evaluate to “true” more than the number of times specified in When n Record for the rule to fire a Signal.
grouped by. (Optional) A threshold rule implicitly groups by the entity field you’ll select below in On Entity. You can add additional “group by” fields, so that a Signal is only created if the count for the group is above the limit specified in When ... Record above.
On Entity. Define the Entity field—an IP address, hostname, or username—in the Record that the resulting Signal should be associated with. (In CSE, an Insight is a set of Signals with the same Entity field.) Select a value from the pull-down list.
with the description. Define the description for the Signal. The Signal description should be a good indication of what the rule looks for.
with the stage. Select the MITRE attack chain stage that best describes the behavior the rule is looking for, for example, “initial access” or “execution”.
with a severity of. Severity is an estimate of the criticality of the detected activity, from 1 (lowest) to 10 (highest). There are several ways to specify Severity.
- with a constant severity. Choose constant, and select a severity level.
- with a dynamic severity. Use dynamic if you want to base the severity level on a value of a field in the Record. Select a field from the list. If you want the severity to be exactly the value of the field, you’re done. Or, you can use the Configure Mappings option to define a default Severity and specific Severity values based on Record values. Here’s an abbreviated example of doing that.
Save this rule as a prototype. Click this checkbox to save the rule as a prototype, so that Signals created by the rule won’t be used to generate Insights.

Built-in Threshold rules

If you'd like to see some existing Threshold rules, CSE has plenty of built-in examples.

Go to Content > Rules, click in the Filter area, and select Type from the list.
On the Operators popup, select is.
Select Threshold from the list of rule types.
A list of Threshold rules appears. Click a rule to view it. Here is an example: