Alert Rule Syntax

You use the alert rule syntax to define the actions that NSX Network Detection and Response must take when events match a filter.

An alert rule consists of two parts: Matching expression and Actions.

Matching expression

A combination of clauses that express a condition on the attributes of an object.

A matching expression has the following format: object_type . attribute_type: [relation]value

The matching expression consists of the following four parts.

Part Name	Description
object_type	The object type to be matched. The following record type is supported: network_event The object type and its attribute is separated by a dot (`.`).
attribute_type	The attribute to be matched (see Attribute entries). The object_type.attribute_type is separated from the [relation] and value by a colon (`:`).
[relation]	The relation between the object and its attribute and the value to match for. If no relation is specified, equality is the default. Supported relation types are: Equality (`:`) Greater than or equal (`>`, `>=`) Less than or equal (`<`, `<=`)
value	The value to match against the object_type.attribute_type of the incoming events.

Multiple matching expressions are separated by the logical operators AND, OR, and NOT.

Actions

One or more modifications to be performed on the object.

An action has the following format: action : target = value

The action consists of three parts:

Part Name	Description
action	The action to be performed (see Supported actions). The action and its target are separated by a colon (`:`).
target	The supported target.
value	The optional value to apply to the target.

Multiple actions are separated by a comma (,) and are applied in the same order in which they were defined.

Attribute entries

The following list describes the different attribute entries that you can use when creating or updating new filters. The attributes are grouped into the following five categories.

SOURCE

Source Attribute	Description
`client_ip`	Matches an IP address or an IP address range. Address value must be an exact match. `(network_event.client_ip: 142.42.1.6/24)`
`other_host_hostname`	Matches the hostname of the other host associated with the event. Wildcard comparisons are supported: `` for multiple characters, `?` for single characters. You must escape (`\`) the wildcard characters to match a literal `` or `?`. `(network_event.other_host_hostname: host.example.com)`
`other_host_in_homenet`	If true, matches if the IP address of the other host associated with the event is in the home network. Expects a boolean value. `(network_event.other_host_in_homenet: false)`
`other_host_ip`	Matches an IP address or an IP address range. Address value must be an exact match. `(network_event.other_host_ip: 10.10.4.2)`
`other_host_tag`	Matches a host tag. Select an existing host tag. `(network_event.other_host_tag: tag)`
`relevant_host_in_homenet`	If true, matches if the IP address of the relevant host associated with the event is in the home network. Expects a boolean value. `(network_event.relevant_host_in_homenet: true)`
`relevant_host_ip`	Matches an IP address or an IP address range. Address value must be an exact match. `(network_event.relevant_host_ip: 42.6.7.0/16)`
`relevant_host_tag`	Matches a host tag. Select an existing host tag. `(network_event.relevant_host_tag: tag)`
`relevant_host_whitelisted`	Matches silenced source IP address. Expects a boolean value. `(network_event.relevant_host_whitelisted: true)`
`server_ip`	Matches an IP address or an IP address range. Address value must be an exact match. `(network_event.server_ip: 12.6.6.6)`
`server_port`	Matches a port number. Integer comparisons are performed: equality, inequality, greater-than, less-than, etc. `(network_event.server_port: 7777)`
`transport_protocol`	Matches either "TCP" or "UDP". `(network_event.transport_protocol: UDP)`

URL

URL Attribute Description

URL Attribute	Description
`full_url`	Matches at least one URL in the event. Wildcard comparisons are supported: `` for multiple characters, `?` for single characters. You must escape (`\`) the wildcard characters to match a literal `` or `?`. For example, the query string character `?` must be escaped (`\?`): `(network_event.full_url: https://www.example.com/resource/path\?r=start&v=cK5G8fPmWeA)`
`normalized_url`	Matches at least one normalized URL (a URL without the query string) in the event. Wildcard comparisons are supported: `` for multiple characters, `?` for single characters. You must escape (`\`) the wildcard characters to match a literal `` or `?`. `(network_event.normalized_url: https://www.example.com/resource/path/)`
`resource_path`	Matches at least one URL resource path in the event. Wildcard comparisons are supported: `` for multiple characters, `?` for single characters. You must escape (`\`) the wildcard characters to match a literal `` or `?`.

full_url

Matches at least one URL in the event. Wildcard comparisons are supported: * for multiple characters, ? for single characters. You must escape (\) the wildcard characters to match a literal * or ?.

For example, the query string character ? must be escaped (\?):

(network_event.full_url: https://www.example.com/resource/path\?r=start&v=cK5G8fPmWeA)

normalized_url

Matches at least one normalized URL (a URL without the query string) in the event. Wildcard comparisons are supported: * for multiple characters, ? for single characters. You must escape (\) the wildcard characters to match a literal * or ?.

(network_event.normalized_url: https://www.example.com/resource/path/)

resource_path Matches at least one URL resource path in the event. Wildcard comparisons are supported: * for multiple characters, ? for single characters. You must escape (\) the wildcard characters to match a literal * or ?.

DETECTION

Detection Attribute	Description
`custom_ids_rule_id`	Matches an ID for an IDS rule. The numeric value must be an exact match. `(network_event.custom_ids_rule_id: 987654321)`
`detector`	Matches the name/unique identifier of the module that detected the event. The string value must be an exact match. `(network_event.detector: llrules:1532130206460)`
`event_outcome`	Matches either "DETECTION" or "INFO". `(network_event.event_outcome: DETECTION)`
`event_type`	Matches one of "BINARYDOWNLOAD", "DNS", "DNSANOMALY", "DYNAMICIP", "HTTPANOMALY", "IDS", "IP", "LLANTARULE", "NETFLOW", "NETFLOWANOMALY", "NETWORK", "TLSANOMALY", or "URL". `(network_event.event_type: IDS)`
`llanta_rule_uuid`	Matches the UUID of a system rule. The numeric value must be an exact match. `(network_event.llanta_rule_uuid: b579caeec719415cb04f925f8f187cb0)`
`operation`	Matches one of "BLOCK", "INFO", "LOG", or "TEST". `(network_event.operation: BLOCK)`
`threat`	Matches a valid string defining a threat. Wildcard comparisons are supported: `` for multiple characters, `?` for single characters. You must escape (`\`) the wildcard characters to match a literal `` or `?`. `(network_event.threat: Torn RAT)`
`threat_class`	Matches a threat class. The string value must be an exact match. `(network_event.threat_class: Malicious File Execution)`

FILE

File Attribute	Description
`av_class`	Matches at least one `av_class` analysis tag. The string value must be an exact match. `(network_event.av_class: exploit)`
`file_category`	Matches one of the supported categories of files. The string value must be an exact match. `(network_event.file_category: Java)`
`file_md5`	Matches a valid MD5 sum. `(network_event.file_md5: bb4f64ddfb8704d2bf69b0216be7f837)`
`file_sha1`	Matches a valid SHA1 sum. `(network_event.file_sha1: c3e266ede7f6fec7a021a4ae0edf248848d5ae06)`
`file_size`	Matches a file size in bytes. It must be a valid integer. Integer comparisons are performed: equality, inequality, greater-than, less-than, etc. `(network_event.file_size: > 1042249837)`
`file_type`	Matches a valid string defining a file type. Wildcard comparisons are supported: `` for multiple characters, `?` for single characters. You must escape (`\`) the wildcard characters to match a literal `` or `?`. `(network_event.file_type: ?xecutable)`
`malware`	Matches at least one `av_family` or `lastline_malware` analysis tag. The string value must be an exact match. `(network_event.malware: emotet)`
`malware_activity`	Matches at least one activity analysis tag. The string value must be an exact match. `(network_event.malware_activity: Execution: Spawning Powershell with too many parameters)`

OTHER

Other Attribute Name	Description
`custom_tag`	Matches a user-defined tag assigned to events. The string value must be an exact match. `(network_event.custom_tag: tagged_event)`

Supported actions

The following are the actions that you can use when defining rules.

Action Name	Description
`demote`	Demotes the outcome of the matching event to a different mode. Supported targets: `outcome`. Allowed values: "INFO" or "TEST".
`impact`	Set a lower or upper bound on the impact of an event. Supported targets: `impact`: Sets the lower and upper bound to the same value. `max_impact`: Sets the upper bound on `impact`. Less or equal to value. `min_impact`: Sets the lower bound on `impact`. Greater or equal to value. Allowed values: an integer from 1-100.
`suppress`	Suppresses all threats on the matching event. This results in it being scored as a false positive with an impact of zero (0), which effectively deletes the event. Supported targets: `network_event`. Allowed values: none.
`tag`	Assign a user-defined tag to the matching event. Supported targets: `network_event`. Allowed values: a valid string.