Contents
Segmentation rules
Segmentation rules allow you to automatically split related alerts into different incidents based on the conditions that you specify when creating the rules.
Use segmentation rules to create different incidents based on related alerts. For example, you can combine several alerts with an important distinguishing feature into a separate incident.
Alerts can only be linked to an incident that belongs to the same tenant.
We recommend that you use segmentation rules together with aggregation rules to define more precise rules for creating incidents.
When you write a jq expression while creating a segmentation rule, an error about invalid expression may appear though the expression is valid. This error does not block the creation of the segmentation rule. This is a known issue.
To create a segmentation rule:
- In the main menu, go to Settings → Tenants.
- Click the tenant for which you want to create a segmentation rule.
- In the Settings tab, select Segmentation rules.
- Click Create.
A Segmentation rule window appears.
- Specify the segmentation rule settings:
- Status
Enable or disable the rule.
- Rule name
A unique name for the rule. Must contain 1 to 255 Unicode characters.
- Max alerts in incident
Maximum number of alerts in a single incident. If the number of alerts exceeds the specified value, another incident is created.
- Min alerts in incident
Minimum number of alerts in a single incident. If the number of alerts does not reach the specified value, an incident is not created.
- Incident name (template)
A jq expression that defines the template for naming the incidents created according to this segmentation rule.
Example:
"Malware Detected with MD5 \(.Observables[] | select(.Type == "md5") | .Value)" - Search interval
A time interval from which to select alerts and incidents.
- Description
Optional. Rule description.
- Trigger
A jq expression that defines the condition for including alerts in the incident.
Example:
any(.Rules[]?; .Name == "R077_02_KSC. Malware detected") - Groups
A jq expression that defines the array of string identifiers by which to assign alerts to incidents.
Example:
[.Observables[] | select(.Type == "md5") | .Value ]
- Status
- Click Save.
The segmentation rule is saved and displayed in the table of segmentation rules. If necessary, you can edit the rule setting by clicking its name in the table.
The rules are prioritized in the table in descending order.
When an alert is created, it is checked by all active segmentation rules in accordance with their priority. After the first rule is triggered, an array of string identifiers is formed for the alert, and the search starts for the incident to which the alert will be linked.
A rule is triggered if the jq expression that you have specified in Trigger returns true.
Alerts cannot be linked to incidents created manually.
An incident also has an array of string identifiers, which include the arrays of the alerts already linked to this incident. If the alert for which the segmentation rule was triggered has at least one element in its array that matches with any of those in the incident's array, the alert is linked to the incident. As a result, the array of this alert is added to the incident's array.
If there are several incidents meeting the condition, the alert is linked to the one with the most recent update. If there are no incidents with matching elements in arrays, a new incident is created.
When an incident is new, its array is empty. A new incident takes the array of string identifiers from an alert after the alert is linked.
Segmentation rule. Example
Configure the aggregation rules from the Aggregation rules. Example section in this topic.
The table below illustrates how to combine all penetration testing alerts in a single incident.
Segmentation rule
Attribute |
Value |
Trigger |
.AggregationID == "Pentest" |
Groups |
["Pentest"] |
Incident Name |
"Pentest incident" |
Aggregation and segmentation rules. Example
The table below illustrates how to combine alerts that have the same rule id in two incidents based on the user name prefix.
Aggregation rule
Attribute |
Value |
Description |
Trigger |
any(.Rules[]?; .ID == "123") |
Searches alerts with the rule id set to "123". |
Aggregation ID |
if any(.OriginalEvents[]?.BaseEvents[]?.DestinationUserName // empty; startswith("adm_")) then "rule123_DestinationUserName_adm" else "rule123_DestinationUserName_not_adm" end |
Searches for user names with the "adm_" prefix. |
Alert Name |
if any(.OriginalEvents[]?.BaseEvents[]?.DestinationUserName // empty; startswith("adm_")) then "Rule123 admin" else "Rule123 not admin" end |
Sets the alert name depending on the user name prefix. |
Segmentation rule
Attribute |
Value |
Trigger |
.AggregationID | startswith("rule123_DestinationUserName") |
Groups |
[.AggregationID] |
Incident Name |
.Name |