Kaspersky Next XDR Expert

Segmentation rules

Segmentation rules allow you to automatically split related alerts into different incidents based on the conditions that you specify when creating the rules.

Use segmentation rules to create different incidents based on related alerts. For example, you can combine several alerts with an important distinguishing feature into a separate incident.

Alerts can only be linked to an incident that belongs to the same tenant.

When you write a jq expression while creating a segmentation rule, an error stating that the expression is invalid may appear even though the expression is valid. This error does not block the creation of the segmentation rule. This is a known issue.

To create a segmentation rule:

  1. In the main menu, go to Settings → Tenants.
  2. Click the tenant for which you want to create a segmentation rule.
  3. In the Settings tab, select Segmentation rules.
  4. Click Create.

    A Segmentation rule window appears.

  5. Specify the segmentation rule settings:
    • Status

      Enable or disable the rule.

    • Rule name

      A unique name for the rule. Must contain 1 to 255 Unicode characters.

    • Max alerts in incident

      Maximum number of alerts in a single incident. If the number of alerts exceeds the specified value, another incident is created.

    • Min alerts in incident

      Minimum number of alerts in a single incident. If the number of alerts does not reach the specified value, an incident is not created.

    • Incident name (template)

      A jq expression that defines the template for naming the incidents created according to this segmentation rule.

      Example: "Malware Detected with MD5 \(.Observables[] | select(.Type == "md5") | .Value)"

    • Search interval

      A time interval from which to select alerts and incidents.

    • Description

      Optional. Rule description.

    • Trigger

      A jq expression that defines the condition for including alerts in the incident.

      Example: any(.Rules[]?; .Name == "R077_02_KSC. Malware detected")

    • Groups

      A jq expression that defines the array of string identifiers by which to assign alerts to incidents.

      Example: [.Observables[] | select(.Type == "md5") | .Value ]

  6. Click Save.

The segmentation rule is saved and displayed in the table of segmentation rules. If necessary, you can edit the rule settings by clicking its name in the table.

The rules in the table are listed in descending order of priority.

When an alert is created, it is checked against all active segmentation rules in order of priority. After the first rule is triggered, an array of string identifiers is formed for the alert, and the search for the incident to which the alert will be linked starts.

A rule is triggered if the jq expression that you specified in Trigger returns true.

Alerts cannot be linked to manually created incidents.

An incident also has an array of string identifiers, which combines the arrays of the alerts already linked to this incident. If at least one element in the array of the alert for which the segmentation rule was triggered matches an element in the incident's array, the alert is linked to the incident. As a result, the array of this alert is added to the incident's array.

If several incidents meet this condition, the alert is linked to the one with the most recent update time. If no incident has matching elements in its array, a new incident is created.

A new incident has an empty array. Such an incident takes the array of string identifiers from the first alert that is linked to it.

Aggregation rules

You can use aggregation rules to combine correlation events into alerts. We recommend that you use segmentation rules together with aggregation rules for more precise control over how alerts and incidents are formed.

The default XDR behavior is to combine events that have the same rule identifier with the following limitations:

  • By time, within 30 seconds
  • By the number of events, 100
  • By the number of assets, 100
  • By the number of observables, 200
  • By total size of events, 4 MB

You can use REST API to customize aggregation rules.

Aggregation rules. Example

The following tables illustrate how to aggregate alerts generated by penetration testing from predetermined IP addresses and user accounts.

Rule 1. Pen testing by IP

  • Priority: 0

    Highest priority.

  • Trigger: any(.Observables[]? | select(.Type == "ip") | .Value; . == "10.10.10.10" or . == "10.20.20.20")

    Triggers if an alert includes an ip observable with any of the following values:

      • 10.10.10.10
      • 10.20.20.20

  • Aggregation ID: "Pentest"

    Specifies the identifier by which to combine events in an alert.

  • Alert Name: "[Pentest] " + ([.Rules[]?.Name] | join(","))

    Adds the "[Pentest]" tag and the rule name to the alert name. The rule name is taken from the first aggregated alert; subsequent alerts do not affect the resulting alert name even if they were created by a different rule.

  • Aggregation Interval: 30 seconds

Rule 2. Pen testing by user account

  • Priority: 1

  • Trigger: any(.Observables[]? | select(.Type | ascii_downcase == "username") | .Value; . == "Pentester-1" or . == "Pentester-2")

    Triggers if an alert includes a username observable with any of the following values:

      • Pentester-1
      • Pentester-2

  • Aggregation ID: "Pentest"

    Specifies the identifier by which to combine events in an alert.

  • Alert Name: "[Pentest] " + ([.Rules[]?.Name] | join(","))

    Adds the "[Pentest]" tag and the rule name to the alert name. The rule name is taken from the first aggregated event; subsequently aggregated events do not affect the resulting alert name.

  • Aggregation Interval: 30 seconds

Rule 3. Aggregation rule

  • Priority: 2

  • Trigger: .Rules | length > 0

    Triggers if the rule list is not empty.

  • Aggregation ID: ([.Rules[].ID // empty] | sort | join(";"))

    Combines rule identifiers.

  • Alert Name: ([.Rules[]?.Name // empty] | sort | join(",")) + " " + (.SourceCreatedAt)

    Combines rule names and adds the alert creation date.

  • Aggregation Interval: 30 seconds

Segmentation rule. Example

First configure the aggregation rules described in the "Aggregation rules. Example" section of this topic.

The following table illustrates how to combine all pen testing alerts in a single incident.

Segmentation rule

  • Trigger: .AggregationID == "Pentest"

  • Groups: ["Pentest"]

  • Incident Name: "Pentest incident"

Aggregation and segmentation rules. Example

The following tables illustrate how to combine alerts that have the same rule ID into two incidents based on the user name prefix.

Aggregation rule

  • Trigger: any(.Rules[]?; .ID == "123")

    Searches for alerts with the rule ID set to "123".

  • Aggregation ID: if any(.OriginalEvents[]?.BaseEvents[]?.DestinationUserName // empty; startswith("adm_")) then "rule123_DestinationUserName_adm" else "rule123_DestinationUserName_not_adm" end

    Searches for user names with the "adm_" prefix.

  • Alert Name: if any(.OriginalEvents[]?.BaseEvents[]?.DestinationUserName // empty; startswith("adm_")) then "Rule123 admin" else "Rule123 not admin" end

    Sets the alert name depending on the user name prefix.

Segmentation rule

  • Trigger: .AggregationID | startswith("rule123_DestinationUserName")

  • Groups: [.AggregationID]

  • Incident Name: .Name
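The following Python simulation is an added example, not Kaspersky code: it models the incident-linking logic described under "Segmentation rules" (first triggered rule, identifier-array overlap, most recently updated incident wins, new incident otherwise, Max alerts overflow) and drives it with alerts shaped like those the "Aggregation and segmentation rules. Example" above would produce. The trigger, Groups and Incident Name jq expressions are rendered as Python callables, the update time is a constructed counter, and Max alerts in incident is assumed to be 2 so that the overflow case is visible.

```python
from dataclasses import dataclass, field

@dataclass
class Incident:
    name: str
    ids: set = field(default_factory=set)    # union of the linked alerts' identifier arrays
    alerts: list = field(default_factory=list)
    updated_at: int = 0                      # constructed "time of update" (a counter)

# One segmentation rule mirroring the page's jq expressions (assumed Max alerts = 2).
RULES = [{
    "trigger": lambda a: a["AggregationID"].startswith("rule123_DestinationUserName"),
    "groups": lambda a: [a["AggregationID"]],
    "name": lambda a: a["Name"],
    "max_alerts": 2,
}]

def link_alert(alert, incidents, now):
    """Apply the rules in table order; return the incident the alert was linked to,
    or None when no rule triggered (the alert then stays without an incident)."""
    for rule in RULES:
        if not rule["trigger"](alert):
            continue
        ids = set(rule["groups"](alert))
        # Candidates: at least one shared identifier and still below Max alerts.
        candidates = [i for i in incidents if i.ids & ids and len(i.alerts) < rule["max_alerts"]]
        if candidates:
            target = max(candidates, key=lambda i: i.updated_at)  # latest update wins
        else:
            target = Incident(name=rule["name"](alert))  # new incident, empty array
            incidents.append(target)
        target.alerts.append(alert)
        target.ids |= ids            # the alert's array is added to the incident's array
        target.updated_at = now
        return target
    return None

def run(alerts):
    incidents = []
    for now, alert in enumerate(alerts, start=1):   # feed alerts in creation order
        link_alert(alert, incidents, now)
    return incidents

# Constructed alerts, named and tagged as the aggregation rule above would do.
SAMPLE = [
    {"Name": "Rule123 admin", "AggregationID": "rule123_DestinationUserName_adm"},
    {"Name": "Rule123 not admin", "AggregationID": "rule123_DestinationUserName_not_adm"},
    {"Name": "Rule123 admin", "AggregationID": "rule123_DestinationUserName_adm"},
    {"Name": "Rule123 admin", "AggregationID": "rule123_DestinationUserName_adm"},
]
```

Running run(SAMPLE) yields three incidents: the first two admin alerts share one incident, the non-admin alert gets its own, and the third admin alert opens a second admin incident because the first one reached Max alerts.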