Kaspersky Next XDR Expert

Creating aggregation rules


Aggregation rules combine repetitive events from other Kaspersky solutions into Open Single Management Platform alerts, so that a burst of similar events produces a single alert instead of many.

To create aggregation rules, you must have one of the following XDR roles: Main administrator, Tenant administrator, SOC administrator.

To create an aggregation rule:

  1. In the main menu, go to Settings → Tenants.

    The tenant list opens. The list contains only the tenants to which you have at least the Read access right.

  2. Click the name of the required tenant.

    The tenant's properties window opens.

  3. Select the Settings tab, and then click Aggregation rules.

    The list of aggregation rules opens.

  4. Click the Create button.

    The Create aggregation rule window opens.

  5. In the Status field, enable the aggregation rule if you want it to take effect as soon as it is created.

    By default, the rule is disabled.

  6. In the Rule name field, specify the aggregation rule name.

    The rule name must be unique.

  7. In the Max events in alert field, specify the maximum number of events combined in an alert.

    The value must be between 1 and 100. The default value is 100.

  8. In the Aggregation interval (sec) field, specify the interval, in seconds, within which events are combined into one alert.

    The maximum value is 1500 seconds. The default value is 30 seconds.

  9. If necessary, in the Description field, specify a description of the aggregation rule.
  10. In the Aggregation ID section, specify the jq expression that computes the value by which events are grouped: events for which the expression yields the same result are combined into one alert.

    If necessary, you can copy the aggregation ID from another aggregation rule. To do that, click the Copy from another rule button.

    Example of the jq expression for the Aggregation ID section

  11. In the Alert name section, specify the jq expression that defines the template that will be used to create the name of the new alert.

    By default, the following expression is specified: ([.Rules[]?.Name // empty] | sort | join(",")) + " " + (.SourceCreatedAt)

    This expression collects the Name of each entry in the event's Rules field (entries without a name are skipped, and a missing Rules field yields no names rather than an error), sorts the names, joins them with commas, and appends the event's SourceCreatedAt value after a space. When a new alert is created, its name is generated by evaluating this template against the fields of the event.

    If necessary, you can copy the jq expression for the Alert name section from another aggregation rule. To do that, click the Copy from another rule button.

    Example of the jq expression for the Alert name section

  12. In the Trigger section, specify the jq expression that defines the condition an event must satisfy for an alert to be created from it.

    If necessary, you can copy the jq expression for the Trigger section from another aggregation rule. To do that, click the Copy from another rule button.

    Example of the jq expression for the Trigger section

  13. Click the Create button.

The aggregation rule is created.

By default, a new aggregation rule has the lowest priority. To change the priority, in the list of aggregation rules, drag the rule by its name to a new position. The higher the rule is in the list, the higher its priority.
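The following Python model, added here as an illustration and not taken from Kaspersky's own code, shows how the settings from the procedure above (Status, Max events in alert, Aggregation interval, Aggregation ID, Alert name, Trigger, and rule priority) interact when a stream of events is processed. The product evaluates jq expressions; the model represents each expression as a Python callable and notes the jq counterpart in a comment, and it renders the default Alert name template from step 11 in Python. The event fields Rules and SourceCreatedAt come from that template; Host and Severity, the sample events, and the grouping semantics (first matching rule wins, an alert closes when it is full or the interval measured from its first event has elapsed, unmatched events are left alone) are assumptions made for the example, not documented product behaviour.

```python
# Added illustration (not Kaspersky's code): how an aggregation rule's settings
# (Status, Max events in alert, Aggregation interval, Aggregation ID, Alert name,
# Trigger, priority) combine events into alerts. The product evaluates jq
# expressions; here each is a Python callable with its jq counterpart in a
# comment. The grouping semantics are assumptions, not documented behaviour.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable

@dataclass
class AggregationRule:
    name: str
    trigger: Callable[[dict], bool]        # Trigger section
    aggregation_id: Callable[[dict], str]  # Aggregation ID section
    alert_name: Callable[[dict], str]      # Alert name section
    max_events: int = 100                  # Max events in alert, 1..100
    interval_sec: int = 30                 # Aggregation interval (sec), max 1500
    enabled: bool = False                  # Status: a new rule is disabled

    def __post_init__(self):
        # Same limits as the form (a positive interval is assumed).
        if not 1 <= self.max_events <= 100:
            raise ValueError("Max events in alert must be between 1 and 100")
        if not 0 < self.interval_sec <= 1500:
            raise ValueError("Aggregation interval must not exceed 1500 seconds")

@dataclass
class Alert:
    rule: str
    name: str
    aggregation_id: str
    opened_at: datetime
    events: list = field(default_factory=list)

def default_alert_name(event: dict) -> str:
    """Python rendering of the form's default Alert name expression:
    ([.Rules[]?.Name // empty] | sort | join(",")) + " " + (.SourceCreatedAt)
    """
    # .Rules[]?.Name // empty: each rule's Name, dropping null/false values;
    # a missing Rules field yields no names instead of an error (the `?`).
    names = [r.get("Name") for r in (event.get("Rules") or [])]
    joined = ",".join(sorted(n for n in names if n is not None and n is not False))
    # jq's `+` treats null as identity, so a missing SourceCreatedAt adds nothing.
    created = event.get("SourceCreatedAt")
    return joined + " " + (created if created is not None else "")

def aggregate(events: list, rules: list) -> tuple:
    """Apply rules in list order (index 0 = highest priority, as in the UI).
    Assumed: the first enabled rule whose Trigger matches handles the event;
    events with the same Aggregation ID join that rule's open alert until it
    holds max_events or interval_sec has passed since its first event; events
    matching no rule are returned separately. Events must be in time order."""
    alerts, unmatched, open_alerts = [], [], {}
    for event in events:
        ts = datetime.fromisoformat(event["SourceCreatedAt"])
        for rule in rules:
            if not rule.enabled or not rule.trigger(event):
                continue
            key = (rule.name, rule.aggregation_id(event))
            alert = open_alerts.get(key)
            if (alert is None or len(alert.events) >= rule.max_events
                    or ts - alert.opened_at > timedelta(seconds=rule.interval_sec)):
                alert = Alert(rule.name, rule.alert_name(event), key[1], ts)
                alerts.append(alert)
                open_alerts[key] = alert
            alert.events.append(event)
            break
        else:
            unmatched.append(event)
    return alerts, unmatched

def _ev(host, severity, rule_names, created_at):
    """Constructed sample event (not real telemetry); field names are placeholders."""
    return {"Host": host, "Severity": severity,
            "Rules": [{"Name": n} for n in rule_names], "SourceCreatedAt": created_at}

SAMPLE_EVENTS = [
    _ev("ws-01", "High", ["Brute force"], "2024-05-01T10:00:00"),
    _ev("ws-01", "High", ["Brute force"], "2024-05-01T10:00:05"),
    _ev("ws-01", "High", ["Brute force", "Account lockout"], "2024-05-01T10:00:10"),
    _ev("ws-01", "High", ["Brute force"], "2024-05-01T10:00:12"),  # cap of 3 reached
    _ev("ws-02", "High", ["Brute force"], "2024-05-01T10:00:15"),  # different ID
    _ev("ws-01", "High", ["Brute force"], "2024-05-01T10:00:50"),  # interval elapsed
    _ev("ws-03", "Low", ["Port scan"], "2024-05-01T10:00:51"),     # trigger not met
]

# Illustrative rule: jq Trigger `.Severity == "High"`, Aggregation ID `.Host`,
# the default Alert name template, 3 events per alert, 30-second interval.
BRUTE_FORCE_RULE = AggregationRule(
    name="Brute force per host", trigger=lambda e: e.get("Severity") == "High",
    aggregation_id=lambda e: e["Host"], alert_name=default_alert_name,
    max_events=3, interval_sec=30, enabled=True)

def demo():
    """(aggregation ID, alert name, event count) per alert, plus unmatched count."""
    alerts, unmatched = aggregate(SAMPLE_EVENTS, [BRUTE_FORCE_RULE])
    return [(a.aggregation_id, a.name, len(a.events)) for a in alerts], len(unmatched)
```

Running demo() on the constructed events yields four alerts: the first three ws-01 events share one alert named after the rule and the first event's SourceCreatedAt, the fourth ws-01 event opens a new alert because the cap of 3 is reached, the ws-02 event has a different aggregation ID and gets its own alert, the ws-01 event 38 seconds later falls outside the 30-second interval and opens another, and the Low-severity event never satisfies the trigger. Leaving the rule in its default disabled Status, as step 5 notes, means it matches nothing. The event with two entries in Rules shows the template's sorting: its name would read "Account lockout,Brute force 2024-05-01T10:00:10".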