Creating a New Alert Rule

Several functions are available when creating a new alert rule. Correlation rules can be built by matching on column values, or by checking a value against Lists you have created.

Let's create a correlation rule:

First, open Settings -> Incidents and Alerts -> Alert Rules and click +Alert Rule on the right-hand side.

alertrule.png

In the Definition tab of the alert wizard that opens, enter the alert name and set its category, severity and tags.

alertrule1.png

In the Rule Set tab you can select any column and apply functions such as is, is not, range, values and behavior.

In this example, select the source IP address column and use the "is not" function to exclude 8.8.8.8 from the rule.

alertrule2.png

This is the first condition of the correlation. You can continue by adding further conditions; each condition is joined to the previous one with an "and" operator.

alertrule3.png


In the next conditions, require that the same source IP address already appears in the "Brute Force Attacker Host" list and that it also appears in the "Port Scanner Hosts" list. (Each list is populated by its own set of conditions.)

Using the behavior parameter instead, you can match when the IP address appears in either the "Port Scanner Hosts" OR the "Brute Force Attacker Host" list, rather than requiring both.

alertrule4.png


Silence Time: How long (in seconds) the alert is silenced after it triggers.

Silence Columns: The column(s) whose value identifies a repeat of the same alert during the silence time.

Mute: How long (in hours) the alert rule is muted.

Run: When the alert rule runs.

*Silence: If the same alert rule triggers more than once with the same value in the silence column and you do not want it to fire repeatedly, silence stops new alerts from being created for the number of seconds you set.

alertrule5.png
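To make the semantics of the rule above concrete, here is a small added example (not Logsign's code, and not how the product implements it internally) that evaluates the same conditions over constructed events: exclude 8.8.8.8, require the source IP in both lists (or in either list when behavior is "any"), and suppress repeats of the same source IP for the silence time. The list names match the article; the list contents, timestamps and IP addresses are constructed.

```python
"""Added example (not Logsign's code): a minimal correlation evaluator that
applies the rule described above to constructed events, to show how the
"is not" exclusion, list membership (AND vs. behavior/OR) and the silence
window combine.

Silence is 60 seconds, keyed on the source IP column.
"""
from dataclasses import dataclass, field

# Constructed threat lists; in Logsign these are filled by other rules.
LISTS = {
    "Brute Force Attacker Host": {"10.0.0.5", "192.168.1.20"},
    "Port Scanner Hosts": {"10.0.0.5", "172.16.0.9"},
}

# Constructed sample events: (epoch seconds, source ip)
EVENTS = [
    (1000, "8.8.8.8"),       # excluded by "is not"
    (1001, "10.0.0.5"),      # in both lists -> alert
    (1010, "10.0.0.5"),      # same ip inside the silence window -> suppressed
    (1030, "192.168.1.20"),  # only in the brute-force list
    (1070, "10.0.0.5"),      # silence expired -> alert again
    (1080, "172.16.0.9"),    # only in the port-scanner list
]


@dataclass
class AlertRule:
    excluded_ips: set
    lists: tuple            # names of the lists the ip is checked against
    behavior: str = "all"   # "all" = AND across lists, "any" = OR (behavior)
    silence_seconds: int = 60
    # last time the rule fired, keyed by the silence column value (source ip)
    last_fired: dict = field(default_factory=dict)

    def matches(self, src_ip: str) -> bool:
        """Evaluate the rule set: "is not 8.8.8.8" AND list membership."""
        if src_ip in self.excluded_ips:
            return False
        hits = [src_ip in LISTS[name] for name in self.lists]
        return all(hits) if self.behavior == "all" else any(hits)

    def should_fire(self, ts: int, src_ip: str) -> bool:
        """Apply the silence window: the same silence-column value within
        silence_seconds of the last alert does not create a new alert."""
        if not self.matches(src_ip):
            return False
        last = self.last_fired.get(src_ip)
        if last is not None and ts - last < self.silence_seconds:
            return False
        self.last_fired[src_ip] = ts
        return True


def run(rule: AlertRule, events):
    """Return the (timestamp, ip) pairs that produce an alert."""
    return [(ts, ip) for ts, ip in events if rule.should_fire(ts, ip)]


if __name__ == "__main__":
    both = AlertRule({"8.8.8.8"}, ("Brute Force Attacker Host", "Port Scanner Hosts"))
    print("AND:", run(both, EVENTS))
    either = AlertRule({"8.8.8.8"}, ("Brute Force Attacker Host", "Port Scanner Hosts"),
                       behavior="any")
    print("OR: ", run(either, EVENTS))
```

Note that the silence window is keyed on the silence column, not on the rule as a whole: 10.0.0.5 at t=1010 is suppressed because it fired at t=1001, while a different IP in the same window would still alert.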


Action Column: The column whose value the actions below operate on.

Add to Feed List: Add the action column value to a feed list that firewalls can consume as an external feed.

Overwrite Alert Info: Replace the alert name with the value of the selected column.

Email: Select the e-mail address(es) to notify (SMTP must be configured).

SMS: Select the GSM number(s) to notify (SMS sending must be configured).

Security Automation: Send the action column value to firewalls for blocking (security automation must be configured).

Mitre: Select the MITRE rule(s) to map to this alert rule.

Soar Connector: Send this alert to the SOAR as an incident.

Co Managed: Select the incident type (collect, create ticket, case etc.).


alertrule6.png
