Rules based on aggregate SUM

Use case example:

We want to monitor, in real time, whether a user has sent more than 100 MB via email in the last 24 hours.

How it will work:

We will create a data monitor that collects the events from the last X time, groups them by user and sums the quantity (bytes out) per user.

After that, we will create a rule that uses the audit events of the data monitor to check whether the summed value is above a specific threshold.

Step 1: Create a Data Monitor

Create a new Data Monitor and choose the data monitor type “Top Value Counts”.

Set the following preferences:

  • Field Names – the field to group by (for this use case, the sending user); the sum is kept separately per group.
  • Value Field – the field we need to sum (Bytes Out).
  • Send Audit Events – set to true. The data monitor then emits an audit event whenever its values change.
  • Top entries – be aware: only the top entries produce audit events. Everything below them is folded into a single “others” entry, so set the number high enough that every user who can exceed the threshold still lands in the top list.
  • Bucket size and number of buckets – together these define the time window that is summed; for this use case they should cover 24 hours.

Step 2: Create Filter

Create a new filter with the following conditions:

  • Under Generator choose your Data Monitor resource.
  • Exclude “others” from Device Custom String 1 – “others” is the sum of all the entries that are not in the Top entries.

Step 3: Create Rule

  • Create a new rule and add the filter from the previous step.
  • Device Custom String1 is the aggregated field value (the user). Add it under the Aggregation tab so the rule fires once per user rather than on every audit event the data monitor emits.
  • Device Custom Number1 is the total value; use it for the condition. For this use case that is Device Custom Number1 > 104857600 (100 MB in bytes); another example would be a user printing more than a million pages.
  • Add your own action.

And you are done.

The rule will fire once a user (or your custom field) passes your threshold within the time frame that you set in the data monitor. Keep in mind that the data monitor only reports its top entries: a user whose sum is above the threshold but outside the top list is reported only inside “others”, which the filter excludes, so the rule will not fire for them.
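As an added example (not from the original post and not ArcSight's own code), the following Python script models the three steps above on constructed sample events: a sliding-window per-user sum with top-N entries and an “others” entry (the data monitor), a filter that drops “others”, and a threshold rule. The field names deviceCustomString1 and deviceCustomNumber1 mirror the page; the class name, function names, bucket layout and sample data are assumptions for illustration. Running it with Top entries set to 1 shows the caveat: a second user above 100 MB disappears into “others” and the rule no longer fires for them.

```python
from collections import defaultdict

MB = 1024 * 1024
H = 3600                              # one-hour buckets
THRESHOLD_BYTES = 100 * MB            # "more than 100MB" in the last 24 hours
OTHERS = "others"                     # the catch-all entry the filter must exclude


class TopValueCountsMonitor:
    """Simplified model (an assumption, not ArcSight's implementation) of a
    'Top Value Counts' data monitor: sums a value field per group over a
    sliding window of num_buckets fixed-size buckets, reports only the
    top_entries groups and folds everything else into 'others'."""

    def __init__(self, bucket_seconds, num_buckets, top_entries, send_audit_events=True):
        self.bucket_seconds = bucket_seconds
        self.num_buckets = num_buckets
        self.top_entries = top_entries
        self.send_audit_events = send_audit_events
        self._buckets = {}            # bucket index -> {group: summed value}

    def _bucket_index(self, ts):
        return ts // self.bucket_seconds

    def _expire(self, now):
        # Drop buckets that fell out of the window (24 x 1h buckets = last 24 hours).
        oldest_kept = self._bucket_index(now) - self.num_buckets + 1
        for idx in [i for i in self._buckets if i < oldest_kept]:
            del self._buckets[idx]

    def add_event(self, ts, group, value):
        """Feed one event (an email with Bytes Out = value) and return the
        audit events the monitor emits after the change."""
        self._expire(ts)
        bucket = self._buckets.setdefault(self._bucket_index(ts), defaultdict(int))
        bucket[group] += value
        return self.audit_events(ts)

    def totals(self, now):
        self._expire(now)
        totals = defaultdict(int)
        for bucket in self._buckets.values():
            for group, value in bucket.items():
                totals[group] += value
        return dict(totals)

    def audit_events(self, now):
        """One audit event per top entry plus one for 'others'. As on the page,
        deviceCustomString1 carries the group and deviceCustomNumber1 the sum."""
        if not self.send_audit_events:
            return []
        ranked = sorted(self.totals(now).items(), key=lambda kv: (-kv[1], kv[0]))
        top, rest = ranked[: self.top_entries], ranked[self.top_entries :]
        events = [{"deviceCustomString1": g, "deviceCustomNumber1": v} for g, v in top]
        if rest:
            events.append({"deviceCustomString1": OTHERS,
                           "deviceCustomNumber1": sum(v for _, v in rest)})
        return events


def rule_matches(audit_events, threshold=THRESHOLD_BYTES):
    """Steps 2 and 3: filter out 'others', then fire when the sum is above the
    threshold. Returns the groups (users) the rule fires for, sorted for determinism."""
    return sorted(e["deviceCustomString1"] for e in audit_events
                  if e["deviceCustomString1"] != OTHERS
                  and e["deviceCustomNumber1"] > threshold)


# Constructed sample events (timestamp in seconds, sending user, Bytes Out); not real data.
SAMPLE_EVENTS = [
    (0 * H, "alice", 60 * MB),
    (1 * H, "bob", 30 * MB),
    (2 * H, "carol", 40 * MB),
    (10 * H, "alice", 50 * MB),    # alice now at 110 MB within 24h -> rule should fire
    (12 * H, "dave", 150 * MB),    # dave at 150 MB -> rule should fire
    (25 * H, "alice", 1 * MB),     # alice's 60 MB from hour 0 has left the 24h window
]


def replay(events=SAMPLE_EVENTS, top_entries=3, bucket_seconds=H, num_buckets=24,
           threshold=THRESHOLD_BYTES):
    """Replay events through monitor + filter + rule; return {timestamp: [users fired]}."""
    monitor = TopValueCountsMonitor(bucket_seconds, num_buckets, top_entries)
    firings = {}
    for ts, user, nbytes in events:
        fired = rule_matches(monitor.add_event(ts, user, nbytes), threshold)
        if fired:
            firings[ts] = fired
    return firings


if __name__ == "__main__":
    print("Top entries = 3:", replay(top_entries=3))
    print("Top entries = 1:", replay(top_entries=1))  # alice vanishes into 'others' at hour 12
```

With Top entries = 3 the rule fires for alice at hour 10, for alice and dave at hour 12, and only for dave at hour 25 (alice's first 60 MB has aged out of the window). With Top entries = 1, alice is still over 100 MB at hour 12 but is no longer among the top entries, so her sum is only visible inside “others” and the filter drops it; size Top entries with that in mind.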

Ofek Sher,

ofek@cybersiem.com
