Kaspersky Unified Monitoring and Analysis Platform

Segmentation rules

In KUMA, you can configure alert segmentation rules, that is, the rules for dividing similar correlation events into different alerts.

By default, if a correlation rule is triggered several times in the correlator, all correlation events created as a result of the rule triggering are attached to the same alert. Alert segmentation rules allow you to define the conditions under which different alerts are created based on the correlation events of the same type. This can be useful, for example, to divide the stream of correlation events by the number of events or to combine several events having an important distinguishing feature into a separate alert.

Alert segmentation is configured in two stages:

  1. Segmentation rules are created. They define the conditions for dividing the stream of correlation events.
  2. Segmentation rules are linked to the correlation rules within which they must be triggered.

In this section

Segmentation rule settings

Linking segmentation rules to correlation rules

[Topic 222426]

Segmentation rule settings

Segmentation rules are created in the Resources → Segmentation rules section of the KUMA web interface.

Available settings:

  • Name (required)—a unique name for this type of resource. Must contain 1 to 128 Unicode characters.
  • Tenant (required)—name of the tenant that owns the resource.
  • Type (required)—type of the segmentation rule. Available values:
    • By filter—alerts are created if the correlation events match the filter conditions specified in the Filter group of settings.

      You can use the Add condition button to add a string containing fields for identifying the condition. You can use the Add group button to add a group of filters. Group operators can be switched between AND, OR, and NOT. You can add other condition groups and individual conditions to filter groups. You can reorder conditions and condition groups by dragging them by the drag icon; you can also delete them using the cross icon.

      • Left operand and Right operand—used to specify the values to be processed by the operator.

        The left operand contains the names of the event fields that are processed by the filter.

        For the right-hand operand, you can select the type of the value: constant or list and specify the value.

      • Available operators
        • =—the left operand equals the right operand.
        • <—the left operand is less than the right operand.
        • <=—the left operand is less than or equal to the right operand.
        • >—the left operand is greater than the right operand.
        • >=—the left operand is greater than or equal to the right operand.
        • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
        • contains—the left operand contains values of the right operand.
        • startsWith—the left operand starts with one of the values of the right operand.
        • endsWith—the left operand ends with one of the values of the right operand.
        • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
        • TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.
    • By identical fields—a separate alert is created for each distinct combination of values of the event fields specified in the Correlation rule identical fields group of settings; correlation events with identical values of these fields are attached to the same alert.

      The fields are added using the Add field button. You can delete the added fields by clicking the cross icon or the Reset button.

      Example of grouping fields usage

      A rule that detects a network scan generates only one alert, even if there are multiple devices that scan the network. If you create an alert segmentation rule based on the SourceAddress event grouping field and then bind this segmentation rule to a correlation rule, alerts are created for each address from which a scan is performed when the rule is triggered.

      In this example, if the correlation rule name is "Network. Possible port scan", and the "from {{.SourceAddress}}" value is specified as the alert naming template in the segmentation rule resource, alerts are created that look like this:

      • Network. Possible port scan (from 10.20.20.20 <Alert creation date>)
      • Network. Possible port scan (from 10.10.10.10 <Alert creation date>)
    • By event limit—a new alert is created as soon as the number of correlation events in the current alert exceeds the value specified in the Correlation events limit field; subsequent correlation events are attached to the new alert.
  • Alert naming template (required)—a template for naming the alerts created according to this segmentation rule. The default value is {{.Timestamp}}.

    In the template field, you can specify text, as well as event fields in the {{.<Event field name>}} format. When generating the alert name, the event field value is substituted instead of the event field name.

    The name of the alert created using the segmentation rules has the following format: <Name of the correlation rule that created the alert> (<text from the alert naming template field> <Alert creation date>).

  • Description—resource description: up to 4,000 Unicode characters.
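The three segmentation types and the alert naming template described above, as an added Go example; this is not KUMA's code and its Rule, Event and Alert structures, field names and Segment function are this example's own assumptions. It treats a correlation event as a map of field name to value, renders the naming template with Go's text/template (assumed to match the {{.<Event field name>}} syntax shown on the page), and assumes that events not matched by a By filter rule stay in the regular alert named after the correlation rule, and that a By event limit alert closes once it holds the configured number of events. The sample events are constructed for the port-scan example on this page.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
	"time"
)

// Event is a correlation event reduced to its fields (assumed representation, not KUMA's).
type Event map[string]string

// Rule is a simplified segmentation rule; Type uses the page's names for the three types.
type Rule struct {
	Type           string           // "By filter", "By identical fields" or "By event limit"
	Filter         func(Event) bool // By filter: matching events go to a separate alert
	Fields         []string         // By identical fields: one alert per distinct value combination
	EventLimit     int              // By event limit: events per alert before a new one opens (assumed reading)
	NamingTemplate string           // Alert naming template, e.g. "from {{.SourceAddress}}"
}

// Alert collects the correlation events assigned to it.
type Alert struct {
	Name   string
	Events []Event
}

// AlertName renders "<rule name> (<template text> <creation date>)" with the page's {{.Field}}
// syntax. A field missing from the event is an error instead of silently becoming "<no value>".
func AlertName(ruleName, tmplText string, ev Event, created time.Time) (string, error) {
	tmpl, err := template.New("alert").Option("missingkey=error").Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, ev); err != nil {
		return "", err
	}
	return fmt.Sprintf("%s (%s %s)", ruleName, buf.String(), created.Format(time.RFC3339)), nil
}

// segmentKey picks the alert an event belongs to; the bool says whether the event is segmented
// (alert named from the template) or stays in the regular alert named after the correlation rule.
func segmentKey(r Rule, ev Event, i int) (string, bool) {
	switch r.Type {
	case "By filter":
		if r.Filter != nil && r.Filter(ev) {
			return "filter", true
		}
	case "By identical fields":
		vals := make([]string, len(r.Fields))
		for j, f := range r.Fields {
			vals[j] = ev[f]
		}
		return "fields:" + strings.Join(vals, "\x1f"), true
	case "By event limit":
		return fmt.Sprintf("limit:%d", i/r.EventLimit), true
	}
	return "", false
}

// Segment divides the correlation events of one correlation rule into alerts, in arrival order;
// an alert's name is rendered from its first event (the unsegmented alert keeps ruleName, an assumption).
func Segment(ruleName string, r Rule, events []Event, created time.Time) ([]Alert, error) {
	if r.Type == "By event limit" && r.EventLimit <= 0 {
		return nil, fmt.Errorf("By event limit needs a positive Correlation events limit")
	}
	alerts, index := []Alert{}, map[string]int{} // index: segment key -> position in alerts
	for i, ev := range events {
		key, segmented := segmentKey(r, ev, i)
		if _, ok := index[key]; !ok {
			name, err := ruleName, error(nil)
			if segmented {
				name, err = AlertName(ruleName, r.NamingTemplate, ev, created)
			}
			if err != nil {
				return nil, err
			}
			index[key] = len(alerts)
			alerts = append(alerts, Alert{Name: name})
		}
		alerts[index[key]].Events = append(alerts[index[key]].Events, ev)
	}
	return alerts, nil
}

func main() {
	// Constructed sample: three port-scan events from two hosts, as in the page's example.
	events := []Event{{"SourceAddress": "10.20.20.20"}, {"SourceAddress": "10.10.10.10"}, {"SourceAddress": "10.20.20.20"}}
	rule := Rule{Type: "By identical fields", Fields: []string{"SourceAddress"}, NamingTemplate: "from {{.SourceAddress}}"}
	alerts, err := Segment("Network. Possible port scan", rule, events, time.Now())
	for _, a := range alerts {
		fmt.Printf("%s: %d event(s)\n", a.Name, len(a.Events)) // one alert per SourceAddress
	}
	if err != nil {
		fmt.Println("error:", err)
	}
}
```

Two points this makes visible that the settings list does not: with By identical fields the alert name is fixed by the first event of each segment, so a template that references fields other than the grouping fields will show whatever the first event carried; and a template that names a field absent from the event is rejected here rather than producing an alert name with a placeholder in it, which is the behaviour you want to verify in your own deployment before relying on the name for triage.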

[Topic 243124]

Linking segmentation rules to correlation rules

Links between a segmentation rule and correlation rules are created separately for each tenant. They are displayed in the Settings → Alerts → Segmentation section of the KUMA web interface in a table with the following columns:

  • Tenant—the name of the tenant that owns the segmentation rules.
  • Updated—date and time of the last update of the segmentation rules.
  • Disabled—this column displays a label if the segmentation rules are turned off.

To link an alert segmentation rule to the correlation rules:

  1. In the KUMA web interface, open the Settings → Alerts → Segmentation section.
  2. Select the tenant whose correlation rules you want to link to a segmentation rule:
    • If the tenant already has segmentation rules, select it in the table.
    • If the tenant has no segmentation rules, click Add settings for a new tenant and select the relevant tenant from the Tenant drop-down list.

    A table with the existing links between segmentation rules and correlation rules is displayed.

  3. In the Segmentation rule links group of settings, click Add and specify the link settings:
    • Name (required)—the name of the link. Must contain 1 to 128 Unicode characters.
    • Tenants and correlation rule (required)—in this drop-down list, select the tenant and the correlation rule whose correlation events must be divided into separate alerts. You can select several correlation rules.
    • Segmentation rule (required)—in this group of settings, select a previously created segmentation rule that defines the segmentation conditions.
    • Disabled—select this check box to disable the segmentation rule link.
  4. Click Save.

The segmentation rule is linked to the correlation rules. Correlation events created by the specified correlation rules are combined into a separate alert with the name defined in the segmentation rule.

To disable links between segmentation rules and correlation rules for a tenant:

  1. Open the Settings → Alerts → Segmentation section of the KUMA web interface and select the tenant whose segmentation rule links you want to disable.
  2. Select the Disabled check box.
  3. Click Save.

Links between segmentation rules and correlation rules are disabled for the selected tenant.

[Topic 243127]