# Implementing Rules
Osmany Montero edited this page Jan 16, 2026
Rules are YAML definitions used by the Analysis plugin to detect security threats and generate alerts.
A typical rule includes metadata, conditions, and correlation logic:
```yaml
- id: 1
  name: "Suspicious Login Pattern"
  description: "Detects multiple failed logins followed by a success."
  category: "Authentication"
  technique: "Brute Force"
  dataTypes:
    - google
  impact:
    confidentiality: 0
    integrity: 0
    availability: 3
  adversary: origin
  references:
    - https://attack.mitre.org/techniques/T1110/
  where: equals("origin.geolocation.country", "United States")
  afterEvents:
    - indexPattern: v11-log-*
      with:
        - field: origin.ip.keyword
          operator: filter_term
          value: '{{origin.ip}}'
      within: now-12h
      count: 5
  deduplicateBy:
    - adversary.ip
```

| Field | Description |
|---|---|
| id | Unique identifier for the rule. |
| dataTypes | Array of log types this rule applies to. |
| name | Human-readable name shown in alerts. |
| impact | Scoring for Confidentiality, Integrity, and Availability (0-5). |
| where | A CEL expression that must return true for the rule to trigger. |
| afterEvents | (Optional) Correlation logic to search for related events. |
| deduplicateBy | Fields used to group similar alerts to avoid fatigue. |
An event passes through the engine in the following stages:

- Reception: An event is received from the Parsing stage.
- Filtering: The engine selects rules matching the event's `dataType`.
- Expression: The `where` clause is evaluated using Common Expression Language (CEL).
- Correlation: If `where` is true, the `afterEvents` searches are executed against OpenSearch.
- Alerting: If all conditions (including `count`) are met, a new alert is generated.
You can reference fields from the triggering event using the `{{path.to.field}}` syntax. This is primarily used within the `with` clauses of `afterEvents`:

```yaml
with:
  - field: origin.user.keyword
    operator: filter_term
    value: '{{origin.user}}'
```

For complex logic, see Advanced Features.
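As an added example (not the plugin's own code), the Python below simulates how the rule shown earlier is evaluated end to end: the `where` clause, `{{path.to.field}}` expansion inside `with`, and the windowed `count` check of `afterEvents`, with an in-memory event history standing in for OpenSearch. It supports only the `equals(...)` CEL form and `now-<n><unit>` windows used on this page; the rule copy, events and epoch-second timestamps are constructed.

```python
import re
# Constructed rule mirroring the page's example (hypothetical, not the plugin's own code).
RULE = {
    "where": 'equals("origin.geolocation.country", "United States")',
    "afterEvents": [{"with": [{"field": "origin.ip.keyword", "operator": "filter_term",
                               "value": "{{origin.ip}}"}],
                     "within": "now-12h", "count": 5}],
}
UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}

def get_path(event, path):
    """Resolve a dotted path such as origin.ip against a nested event dict."""
    cur = event
    for part in path.removesuffix(".keyword").split("."):  # .keyword is an OpenSearch subfield
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def render(template, event):
    """Expand {{path.to.field}} placeholders with values from the triggering event."""
    return re.sub(r"\{\{([\w.]+)\}\}", lambda m: str(get_path(event, m.group(1))), template)

def window_start(within, now):
    """Turn a 'now-12h' style window into its start (epoch seconds); m, h and d units."""
    m = re.fullmatch(r"now-(\d+)([mhd])", within)
    if not m:
        raise ValueError(f"unsupported within: {within}")
    return now - int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def where_matches(where, event):
    """Evaluate the one CEL form used on this page: equals("path", "literal")."""
    m = re.fullmatch(r'equals\("([\w.]+)",\s*"([^"]*)"\)', where)
    if not m:
        raise ValueError(f"unsupported where expression: {where}")
    return get_path(event, m.group(1)) == m.group(2)

def correlated(rule, event, history, now):
    """Simulate afterEvents: count stored events matching every rendered filter in-window."""
    for search in rule["afterEvents"]:
        start = window_start(search["within"], now)
        filters = [(w["field"], render(w["value"], event)) for w in search["with"]]
        hits = [e for e in history if e["@timestamp"] >= start
                and all(str(get_path(e, f)) == v for f, v in filters)]
        if len(hits) < search["count"]:
            return False
    return True

def evaluate(rule, event, history, now):
    # An alert fires only when `where` holds and every correlation search reaches its count.
    return where_matches(rule["where"], event) and correlated(rule, event, history, now)
```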