
Add, edit, remove a Rule

In the Rules overview screen you can add, edit or remove a Rule.

The Rules overview screen

  • To edit a rule, click the pencil button.
  • To remove a rule, click the trash-bin button.
  • To add a new rule, click the New Rule button at the top right of the screen.

Creating a new Rule requires completing a form that is divided into 4 sections: basic settings, context, filtering conditions and triggering conditions.

The New Rule page

Basic Settings

In the basic settings section the user can specify:

  • A rule name
  • Alert Type. Defines the type of alerts produced. It currently cannot be changed and is set to RAW, signifying that alerts are produced from single logs.
  • The sensor type, which defines the type of log that triggers the rule. Available options are selected from the expandable drop-down list:
    • Traffic sensor. Any traffic log provided by the device
    • Threat sensor. Any log of threat type as produced by the device
    • Email sensor. Any Email log provided by the device
    • Performance sensor. Performance logs produced by the device
    • Acc_ctrl sensor. Access Control logs produced by the device
  • The severity level of the produced alert. It is divided into 4 levels according to the significance of the alert; from most to least significant, the levels are critical, high, medium and low. A progress indicator represents the selected severity level. An extra severity level appears only when the threat sensor is selected and is defined by the assigned device.
  • The rule description, which is the description shown in the rules page list.

Context

In the context section the user must specify the following:

  • Time context, indicating the time range that the rule's conditions apply for. Note that the time context selections map to predefined intervals (time windows). In the current version, if the user selects “1 hour”, the time context is set to 1h; if the user selects 1, 7 or 30 days, the time context is set to 1d. More specifically, the two predefined time windows are:
    • An hour, for example from 03:00 to 03:59, from 04:00 to 04:59, etc. The time is shown in UTC. E.g. if the event that fulfills a rule arrives at 18:34, calculations happen for the 18:00 – 19:00 time window, but only starting at 18:34.
    • A calendar day, for example from 00:00 to 23:59. The time is shown in UTC. E.g. if the event that fulfills a rule arrives at 18:34 on 21/07/2017, calculations happen for the 00:00 – 23:59 time window of 21/07/2017, but only starting at 18:34 on 21/07/2017.

    After each interval, the rule's internal condition counters are reset to produce results for the next interval.

  • The devices that the new rule will apply to. The user must select one or more Devices from the multi-select device component. If this field remains blank, the rule will be inactive.
  • A personalized alert message for the alert that will be generated upon the specifications of the current rule. This message is meant to be a personal comment that will allow each user to describe the rule in their own words.
  • A checkbox, available only to super administrators, that specifies the domain of the generated rule; more specifically, the rule can be set to provide alerts to all users within the organization the super administrator belongs to.

Filtering Conditions

In the filtering conditions section, the user can specify expressions on values of the captured events/logs by specifying the field of the event, the operator, and the actual/selected value as the accepted threshold for the given event field.

Triggering Conditions

Triggering conditions describe the conditions that, when met, trigger an alert.

In the triggering conditions section, the user can specify expressions on a set of values of the captured events/logs by specifying the field of the event, the statistical function, the operator and the desired value that triggers the condition.

Triggering conditions functions:

  • Total
  • Min
  • Max
  • Occurrence
  • Average

When a triggering condition is met within the time context, an Alert is produced.

Users may create a rule without any condition, or with as many conditions as they need. Only rules for Traffic Type Events should have at least one condition, to avoid the undesired generation of meaningless traffic alerts.
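To make the interplay of the time context, filtering conditions and triggering conditions concrete, here is an added example evaluator written for this page; it is not MOREAL's own code. It replays constructed traffic logs through a rule with a 1h context, one filtering condition (dst_port == 22) and two triggering conditions (Total of bytes_out, and Occurrence), aligning each event to its UTC hour or day window and resetting the collected values at each window boundary. The field names, operator spellings, the alert tuple layout and the sample logs are all assumptions; the behaviour of a rule with no triggering conditions (alert on every filtered event) is also an assumption, inferred from the warning about traffic rules above.

```python
# Added example, not MOREAL's own code: a minimal evaluator for rules of the kind
# this page describes (sensor type, filtering conditions, triggering conditions,
# hourly/daily UTC time context with per-window counter reset).
# Field names, operator spellings and the sample logs are assumptions.
from collections import defaultdict
from datetime import datetime, timezone
import operator

OPERATORS = {
    "==": operator.eq, "!=": operator.ne,
    ">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le,
}

# Triggering condition functions named on the page; Occurrence is handled
# separately because it counts events rather than aggregating a field.
FUNCTIONS = {
    "Total": sum,
    "Min": min,
    "Max": max,
    "Average": lambda xs: sum(xs) / len(xs),
}


def window_start(ts, context):
    """Align a timestamp to its predefined UTC window: '1h' (e.g. 03:00-03:59) or '1d' (00:00-23:59)."""
    ts = ts.astimezone(timezone.utc)
    if context == "1h":
        return ts.replace(minute=0, second=0, microsecond=0)
    if context == "1d":
        return ts.replace(hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(f"unsupported time context: {context}")


def passes_filters(event, filters):
    """Filtering conditions: every (field, operator, value) expression must hold."""
    return all(field in event and OPERATORS[op](event[field], value)
               for field, op, value in filters)


def evaluate_rule(rule, events):
    """Replay events in time order; return (window_start, function, result, severity) alerts.

    Values collected for the triggering conditions belong to one window only, so a
    new window starts with empty counters. Each condition fires at most once per
    window. A rule with no triggering conditions alerts on every event that passes
    the filters (assumed here; the page only warns that this is noisy for traffic).
    """
    alerts = []
    values = defaultdict(lambda: defaultdict(list))  # window -> field -> values
    count = defaultdict(int)                          # window -> matching events
    fired = set()                                     # (window, condition index)
    for event in sorted(events, key=lambda e: e["timestamp"]):
        if event["sensor"] != rule["sensor"] or not passes_filters(event, rule["filters"]):
            continue
        win = window_start(event["timestamp"], rule["time_context"])
        count[win] += 1
        for field in {t[0] for t in rule["triggers"] if t[0] in event}:
            values[win][field].append(event[field])
        if not rule["triggers"]:
            alerts.append((win, "RAW", event, rule["severity"]))
            continue
        for idx, (field, func, op, threshold) in enumerate(rule["triggers"]):
            if (win, idx) in fired:
                continue
            if func == "Occurrence":
                result = count[win]
            elif values[win][field]:
                result = FUNCTIONS[func](values[win][field])
            else:
                continue
            if OPERATORS[op](result, threshold):
                fired.add((win, idx))
                alerts.append((win, func, result, rule["severity"]))
    return alerts


def utc(h, m):
    return datetime(2017, 7, 21, h, m, tzinfo=timezone.utc)


# Constructed traffic logs (not real device output).
SAMPLE_EVENTS = [
    {"sensor": "traffic", "timestamp": utc(18, 34), "dst_port": 22, "bytes_out": 3000},
    {"sensor": "traffic", "timestamp": utc(18, 40), "dst_port": 80, "bytes_out": 1000},  # fails the filter
    {"sensor": "traffic", "timestamp": utc(18, 50), "dst_port": 22, "bytes_out": 2500},  # Total 5500 in 18:00 window
    {"sensor": "traffic", "timestamp": utc(19, 5), "dst_port": 22, "bytes_out": 2600},   # new window, counters reset
    {"sensor": "traffic", "timestamp": utc(19, 20), "dst_port": 22, "bytes_out": 3000},  # Total 5600 in 19:00 window
    {"sensor": "traffic", "timestamp": utc(19, 45), "dst_port": 22, "bytes_out": 100},   # third match in 19:00 window
    {"sensor": "threat", "timestamp": utc(19, 50), "dst_port": 22, "bytes_out": 9000},   # wrong sensor type
]

SAMPLE_RULE = {
    "name": "ssh-egress-volume",      # hypothetical rule
    "sensor": "traffic",
    "severity": "high",
    "time_context": "1h",
    "filters": [("dst_port", "==", 22)],
    "triggers": [
        ("bytes_out", "Total", ">", 5000),
        (None, "Occurrence", ">=", 3),
    ],
}


def run_example():
    return evaluate_rule(SAMPLE_RULE, SAMPLE_EVENTS)


if __name__ == "__main__":
    for win, func, result, severity in run_example():
        print(f"{win:%Y-%m-%d %H:%M} UTC  {func}={result}  severity={severity}")
```

With the 1h context the sample produces three alerts: Total 5500 in the 18:00 window, then, after the reset at 19:00, Total 5600 and Occurrence 3 in the 19:00 window. Switching the same rule to "1d" puts every event in one window, so Total fires once at 5500 and Occurrence once when the third match arrives at 19:05.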