You use the alert rule syntax to define the actions that NSX Network Detection and Response must take when events match a filter.

An alert rule consists of two parts: a matching expression and one or more actions.

Matching expression

A combination of clauses that express a condition on the attributes of an object.

A matching expression has the following format: object_type.attribute_type: [relation]value

The matching expression consists of the following four parts.

object_type

The object type to be matched. The following record type is supported:

  • network_event

The object type and its attribute are separated by a dot (.).

attribute_type

The attribute to be matched (see Attribute entries).

The object_type.attribute_type is separated from the [relation] and value by a colon (:).

[relation]

The relation between the object attribute and the value to match. If no relation is specified, equality is the default. Supported relation types are:

  • Equality (:)

  • Greater than, greater than or equal (>, >=)

  • Less than, less than or equal (<, <=)

value

The value to match against the object_type.attribute_type of the incoming events.

Multiple matching expressions are combined with the logical operators AND, OR, and NOT.
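To make the syntax concrete, here is an added Python evaluator (example code written for this page, not part of NSX Network Detection and Response) that parses matching expressions and tests them against a constructed network_event record. It assumes that attribute names ending in _ip hold addresses, and, since the page does not state operator precedence, that OR binds loosest, AND tighter, and NOT applies to the clause that follows it.

```python
import ipaddress
import re

# One clause of the form network_event.attribute: [relation]value
CLAUSE = re.compile(r"^network_event\.(\w+):\s*(>=|<=|>|<)?\s*(.+?)\s*$")
RELATIONS = {None: lambda a, b: a == b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
             "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}

# Constructed sample event (not an NSX record); attribute names follow the page.
EVENT = {"client_ip": "10.10.4.2", "server_ip": "203.0.113.7", "server_port": 8443,
         "transport_protocol": "TCP", "other_host_in_homenet": False, "event_type": "URL",
         "full_url": "https://www.example.com/resource/path?r=start", "file_type": "Executable"}


def wildcard_to_regex(pattern):
    """Translate * (many chars) and ? (one char) to a regex; \\* and \\? stay literal."""
    tokens = re.findall(r"\\[*?]|[*?]|.", pattern, re.S)
    return re.compile("".join({"*": ".*", "?": "."}.get(t, re.escape(t[-1])) for t in tokens))


def clause_matches(event, clause):
    """Evaluate a single clause against an event record (a dict of attributes)."""
    m = CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"malformed clause: {clause!r}")
    attr, rel, value = m.groups()
    actual = event.get(attr)
    if actual is None:                      # attribute absent from this event: no match
        return False
    if isinstance(actual, bool):            # checked before int: bool is an int subclass
        return actual == (value.lower() == "true")
    if isinstance(actual, int):             # ports and sizes: integer relations
        return RELATIONS[rel](actual, int(value))
    if attr.endswith("_ip"):                # assumption: *_ip attributes hold addresses; value may be CIDR
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    return wildcard_to_regex(value).fullmatch(actual) is not None


def expression_matches(event, expression):
    """Combine clauses: OR binds loosest, AND tighter, NOT negates the clause after it."""
    for disjunct in re.split(r"\s+OR\s+", expression.strip()):
        ok = True
        for conjunct in re.split(r"\s+AND\s+", disjunct):
            conjunct = conjunct.strip()
            negate = conjunct.startswith("NOT ")
            hit = clause_matches(event, conjunct[4:] if negate else conjunct)
            ok = ok and (hit != negate)
        if ok:
            return True
    return False
```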

Actions

One or more modifications to be performed on the object.

An action has the following format: action : target = value

The action consists of the following three parts.

action

The action to be performed (see Supported actions). The action and its target are separated by a colon (:).

target

The supported target of the action.

value

The optional value to apply to the target.

Multiple actions are separated by a comma (,) and are applied in the same order in which they were defined.

Attribute entries

The following list describes the attribute entries that you can use when creating or updating filters. The attributes are grouped into the following five categories.

SOURCE
client_ip

Matches an IP address or an IP address range. Address value must be an exact match.

(network_event.client_ip: 142.42.1.6/24)
other_host_hostname

Matches the hostname of the other host associated with the event. Wildcard comparisons are supported: * for multiple characters, ? for a single character. You must escape (\) the wildcard characters to match a literal * or ?.

(network_event.other_host_hostname: host.example.com)
other_host_in_homenet

If true, matches if the IP address of the other host associated with the event is in the home network. Expects a boolean value.

(network_event.other_host_in_homenet: false)
other_host_ip

Matches an IP address or an IP address range. Address value must be an exact match.

(network_event.other_host_ip: 10.10.4.2)
other_host_tag

Matches a host tag. Select an existing host tag.

(network_event.other_host_tag: tag)
relevant_host_in_homenet

If true, matches if the IP address of the relevant host associated with the event is in the home network. Expects a boolean value.

(network_event.relevant_host_in_homenet: true)
relevant_host_ip

Matches an IP address or an IP address range. Address value must be an exact match.

(network_event.relevant_host_ip: 42.6.7.0/16)
relevant_host_tag

Matches a host tag. Select an existing host tag.

(network_event.relevant_host_tag: tag)
relevant_host_whitelisted

Matches a silenced (whitelisted) relevant host IP address. Expects a boolean value.

(network_event.relevant_host_whitelisted: true)
server_ip

Matches an IP address or an IP address range. Address value must be an exact match.

(network_event.server_ip: 12.6.6.6)
server_port

Matches a port number. Integer comparisons are performed: equality, inequality, greater-than, less-than, etc.

(network_event.server_port: 7777)
transport_protocol

Matches either "TCP" or "UDP".

(network_event.transport_protocol: UDP)

URL
full_url

Matches at least one URL in the event. Wildcard comparisons are supported: * for multiple characters, ? for a single character. You must escape (\) the wildcard characters to match a literal * or ?.

For example, the query string character ? must be escaped (\?):

(network_event.full_url: https://www.example.com/resource/path\?r=start&v=cK5G8fPmWeA)
normalized_url

Matches at least one normalized URL (a URL without the query string) in the event. Wildcard comparisons are supported: * for multiple characters, ? for a single character. You must escape (\) the wildcard characters to match a literal * or ?.

(network_event.normalized_url: https://www.example.com/resource/path/)
resource_path

Matches at least one URL resource path in the event. Wildcard comparisons are supported: * for multiple characters, ? for a single character. You must escape (\) the wildcard characters to match a literal * or ?.

DETECTION
custom_ids_rule_id

Matches an ID for an IDS rule. The numeric value must be an exact match.

(network_event.custom_ids_rule_id: 987654321)
detector

Matches the name/unique identifier of the module that detected the event. The string value must be an exact match.

(network_event.detector: llrules:1532130206460)
event_outcome

Matches either "DETECTION" or "INFO".

(network_event.event_outcome: DETECTION)
event_type

Matches one of "BINARYDOWNLOAD", "DNS", "DNSANOMALY", "DYNAMICIP", "HTTPANOMALY", "IDS", "IP", "LLANTARULE", "NETFLOW", "NETFLOWANOMALY", "NETWORK", "TLSANOMALY", or "URL".

(network_event.event_type: IDS)
llanta_rule_uuid

Matches the UUID of a system rule. The numeric value must be an exact match.

(network_event.llanta_rule_uuid: b579caeec719415cb04f925f8f187cb0)
operation

Matches one of "BLOCK", "INFO", "LOG", or "TEST".

(network_event.operation: BLOCK)
threat

Matches a valid string defining a threat. Wildcard comparisons are supported: * for multiple characters, ? for a single character. You must escape (\) the wildcard characters to match a literal * or ?.

(network_event.threat: Torn RAT)
threat_class

Matches a threat class. The string value must be an exact match.

(network_event.threat_class: Malicious File Execution)

FILE
av_class

Matches at least one av_class analysis tag. The string value must be an exact match.

(network_event.av_class: exploit)
file_category

Matches one of the supported categories of files. The string value must be an exact match.

(network_event.file_category: Java)
file_md5

Matches a valid MD5 sum.

(network_event.file_md5: bb4f64ddfb8704d2bf69b0216be7f837)
file_sha1

Matches a valid SHA1 sum.

(network_event.file_sha1: c3e266ede7f6fec7a021a4ae0edf248848d5ae06)
file_size

Matches a file size in bytes. It must be a valid integer. Integer comparisons are performed: equality, inequality, greater-than, less-than, etc.

(network_event.file_size: > 1042249837)
file_type

Matches a valid string defining a file type. Wildcard comparisons are supported: * for multiple characters, ? for a single character. You must escape (\) the wildcard characters to match a literal * or ?.

(network_event.file_type: ?xecutable)
malware

Matches at least one av_family or lastline_malware analysis tag. The string value must be an exact match.

(network_event.malware: emotet)
malware_activity

Matches at least one activity analysis tag. The string value must be an exact match.

(network_event.malware_activity: Execution: Spawning Powershell with too many parameters)

OTHER
custom_tag

Matches a user-defined tag assigned to events. The string value must be an exact match.

(network_event.custom_tag: tagged_event)

Supported actions

The following are the actions that you can use when defining rules.
demote

Demotes the outcome of the matching event to a different mode.

Supported targets: outcome.

Allowed values: "INFO" or "TEST".

impact

Sets a lower or upper bound on the impact of an event.

Supported targets:

  • impact: Sets the lower and upper bound to the same value.

  • max_impact: Sets the upper bound on the impact, which becomes less than or equal to the value.

  • min_impact: Sets the lower bound on the impact, which becomes greater than or equal to the value.

Allowed values: an integer from 1 to 100.

suppress

Suppresses all threats on the matching event. The event is then scored as a false positive with an impact of zero (0), which effectively deletes the event.

Supported targets: network_event.

Allowed values: none.

tag

Assigns a user-defined tag to the matching event.

Supported targets: network_event.

Allowed values: a valid string.
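As an added example (not NSX code) covering the action format described earlier and the supported actions listed here, this Python snippet parses a comma-separated action list and applies demote, impact, suppress and tag to a constructed event record in the order written, so that the result of "impact: impact = 50, impact: max_impact = 30" differs from the reverse order. The event field names and the false_positive marker are assumptions, as is the rule that an action value contains no commas.

```python
import copy
import re

# One action of the form action : target = value (the value is optional, as for suppress)
ACTION = re.compile(r"^\s*(demote|impact|suppress|tag)\s*:\s*(\w+)\s*(?:=\s*(.+?))?\s*$")

# Constructed sample event (not an NSX record); field names are assumptions.
EVENT = {"outcome": "DETECTION", "impact": 90, "threats": ["Torn RAT"], "custom_tags": []}


def apply_action(event, name, target, value):
    """Apply one parsed action in place; reject target/value combinations the page does not list."""
    if name == "demote" and target == "outcome" and value in ("INFO", "TEST"):
        event["outcome"] = value
    elif name == "impact" and target in ("impact", "min_impact", "max_impact"):
        bound = int(value)
        if not 1 <= bound <= 100:
            raise ValueError(f"impact bound out of range: {bound}")
        if target in ("impact", "max_impact"):       # upper bound: impact <= value
            event["impact"] = min(event["impact"], bound)
        if target in ("impact", "min_impact"):       # lower bound: impact >= value
            event["impact"] = max(event["impact"], bound)
    elif name == "suppress" and target == "network_event" and value is None:
        event["threats"] = []                         # all threats removed and the event
        event["impact"] = 0                           # scored as a false positive with impact 0
        event["false_positive"] = True                # assumed marker field
    elif name == "tag" and target == "network_event" and value:
        event.setdefault("custom_tags", []).append(value)
    else:
        raise ValueError(f"unsupported action: {name}: {target} = {value}")
    return event


def apply_actions(event, actions):
    """Apply a comma-separated action list to a copy of the event, in the order written.
    Assumption: action values themselves contain no commas."""
    event = copy.deepcopy(event)
    for spec in actions.split(","):
        m = ACTION.match(spec)
        if not m:
            raise ValueError(f"malformed action: {spec!r}")
        apply_action(event, *m.groups())
    return event
```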