You use the alert rule syntax to define the actions that NSX Network Detection and Response must take when events match a filter.
An alert rule consists of two parts: Matching expression and Actions.
- Matching expression

A combination of clauses that express a condition on the attributes of an object.

A matching expression has the following format:

object_type.attribute_type: [relation]value

The matching expression consists of the following four parts.

Part Name | Description |
---|---|
object_type | The object type to be matched. The following record type is supported: network_event. The object type and its attribute are separated by a dot (.). |
attribute_type | The attribute to be matched (see Attribute entries). The object_type.attribute_type is separated from the [relation] and value by a colon (:). |
[relation] | The relation between the object and its attribute and the value to match for. If no relation is specified, equality is the default. Supported relation types are: equality (:), greater than or equal (>, >=), and less than or equal (<, <=). |
value | The value to match against the object_type.attribute_type of the incoming events. |

Multiple matching expressions are separated by the logical operators AND, OR, and NOT.

- Actions

One or more modifications to be performed on the object.

An action has the following format:

action: target = value

The action consists of three parts:

Part Name | Description |
---|---|
action | The action to be performed (see Supported actions). The action and its target are separated by a colon (:). |
target | The supported target. |
value | The optional value to apply to the target. |

Multiple actions are separated by a comma (,) and are applied in the same order in which they were defined.
Attribute entries
- SOURCE

Source Attribute | Description | Example |
---|---|---|
client_ip | Matches an IP address or an IP address range. Address value must be an exact match. | network_event.client_ip: 142.42.1.6/24 |
other_host_hostname | Matches the hostname of the other host associated with the event. Wildcard comparisons are supported: * for multiple characters, ? for a single character. You must escape (\) the wildcard characters to match a literal * or ?. | network_event.other_host_hostname: host.example.com |
other_host_in_homenet | If true, matches if the IP address of the other host associated with the event is in the home network. Expects a boolean value. | network_event.other_host_in_homenet: false |
other_host_ip | Matches an IP address or an IP address range. Address value must be an exact match. | network_event.other_host_ip: 10.10.4.2 |
other_host_tag | Matches a host tag. Select an existing host tag. | network_event.other_host_tag: tag |
relevant_host_in_homenet | If true, matches if the IP address of the relevant host associated with the event is in the home network. Expects a boolean value. | network_event.relevant_host_in_homenet: true |
relevant_host_ip | Matches an IP address or an IP address range. Address value must be an exact match. | network_event.relevant_host_ip: 42.6.7.0/16 |
relevant_host_tag | Matches a host tag. Select an existing host tag. | network_event.relevant_host_tag: tag |
relevant_host_whitelisted | Matches a silenced source IP address. Expects a boolean value. | network_event.relevant_host_whitelisted: true |
server_ip | Matches an IP address or an IP address range. Address value must be an exact match. | network_event.server_ip: 12.6.6.6 |
server_port | Matches a port number. Integer comparisons are performed: equality, inequality, greater-than, less-than, etc. | network_event.server_port: 7777 |
transport_protocol | Matches either "TCP" or "UDP". | network_event.transport_protocol: UDP |

- URL

URL Attribute | Description | Example |
---|---|---|
full_url | Matches at least one URL in the event. Wildcard comparisons are supported: * for multiple characters, ? for a single character. You must escape (\) the wildcard characters to match a literal * or ?. For example, the query string character ? must be escaped (\?). | network_event.full_url: https://www.example.com/resource/path\?r=start&v=cK5G8fPmWeA |
normalized_url | Matches at least one normalized URL (a URL without the query string) in the event. Wildcard comparisons are supported: * for multiple characters, ? for a single character. You must escape (\) the wildcard characters to match a literal * or ?. | network_event.normalized_url: https://www.example.com/resource/path/ |
resource_path | Matches at least one URL resource path in the event. Wildcard comparisons are supported: * for multiple characters, ? for a single character. You must escape (\) the wildcard characters to match a literal * or ?. | |

- DETECTION

Detection Attribute | Description | Example |
---|---|---|
custom_ids_rule_id | Matches an ID for an IDS rule. The numeric value must be an exact match. | network_event.custom_ids_rule_id: 987654321 |
detector | Matches the name/unique identifier of the module that detected the event. The string value must be an exact match. | network_event.detector: llrules:1532130206460 |
event_outcome | Matches either "DETECTION" or "INFO". | network_event.event_outcome: DETECTION |
event_type | Matches one of "BINARYDOWNLOAD", "DNS", "DNSANOMALY", "DYNAMICIP", "HTTPANOMALY", "IDS", "IP", "LLANTARULE", "NETFLOW", "NETFLOWANOMALY", "NETWORK", "TLSANOMALY", or "URL". | network_event.event_type: IDS |
llanta_rule_uuid | Matches the UUID of a system rule. The numeric value must be an exact match. | network_event.llanta_rule_uuid: b579caeec719415cb04f925f8f187cb0 |
operation | Matches one of "BLOCK", "INFO", "LOG", or "TEST". | network_event.operation: BLOCK |
threat | Matches a valid string defining a threat. Wildcard comparisons are supported: * for multiple characters, ? for a single character. You must escape (\) the wildcard characters to match a literal * or ?. | network_event.threat: Torn RAT |
threat_class | Matches a threat class. The string value must be an exact match. | network_event.threat_class: Malicious File Execution |

- FILE

File Attribute | Description | Example |
---|---|---|
av_class | Matches at least one av_class analysis tag. The string value must be an exact match. | network_event.av_class: exploit |
file_category | Matches one of the supported categories of files. The string value must be an exact match. | network_event.file_category: Java |
file_md5 | Matches a valid MD5 sum. | network_event.file_md5: bb4f64ddfb8704d2bf69b0216be7f837 |
file_sha1 | Matches a valid SHA1 sum. | network_event.file_sha1: c3e266ede7f6fec7a021a4ae0edf248848d5ae06 |
file_size | Matches a file size in bytes. It must be a valid integer. Integer comparisons are performed: equality, inequality, greater-than, less-than, etc. | network_event.file_size: > 1042249837 |
file_type | Matches a valid string defining a file type. Wildcard comparisons are supported: * for multiple characters, ? for a single character. You must escape (\) the wildcard characters to match a literal * or ?. | network_event.file_type: ?xecutable |
malware | Matches at least one av_family or lastline_malware analysis tag. The string value must be an exact match. | network_event.malware: emotet |
malware_activity | Matches at least one activity analysis tag. The string value must be an exact match. | network_event.malware_activity: Execution: Spawning Powershell with too many parameters |

- OTHER

Other Attribute Name | Description | Example |
---|---|---|
custom_tag | Matches a user-defined tag assigned to events. The string value must be an exact match. | network_event.custom_tag: tagged_event |
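As an added illustration, not part of the product documentation or its code, the following Python evaluator parses matching expressions in the format described above and tests them against a constructed network_event. It assumes that AND binds tighter than OR, that NOT negates a single clause, and that a CIDR value for an *_ip attribute is treated as range membership; the attribute names and wildcard rules are taken from the tables above.

```python
import ipaddress
import operator
import re

# Hypothetical evaluator for the network_event matching-expression syntax (not the product's own code).
CLAUSE = re.compile(r"^(?P<neg>NOT\s+)?network_event\.(?P<attr>\w+):\s*(?P<rel>>=|<=|>|<)?\s*(?P<val>.+?)\s*$")
RELATIONS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}
WILDCARD_ATTRS = {"other_host_hostname", "full_url", "normalized_url", "resource_path", "threat", "file_type"}
IP_ATTRS = {"client_ip", "other_host_ip", "relevant_host_ip", "server_ip"}

def wildcard_to_regex(pattern):
    """* becomes .*, ? becomes ., a backslash-escaped * or ? stays literal, all else is escaped."""
    def piece(tok):
        if tok in ("*", "?"):
            return ".*" if tok == "*" else "."
        return re.escape(tok[1:] if tok in (r"\*", r"\?") else tok)
    return "^" + "".join(piece(t) for t in re.findall(r"\\[*?]|[*?]|[^*?\\]+|\\", pattern)) + "$"

def eval_clause(clause, event):
    """Evaluate one object_type.attribute_type: [relation]value clause against an event dict."""
    m = CLAUSE.match(clause.strip())
    if not m:
        raise ValueError("malformed clause: " + clause)
    attr, rel, val, actual = m["attr"], m["rel"], m["val"], event.get(m["attr"])
    if actual is None:                      # attribute absent: a positive clause never matches
        ok = False
    elif rel:                               # integer relation, e.g. server_port: >= 1024
        ok = RELATIONS[rel](int(actual), int(val))
    elif val in ("true", "false"):          # boolean attributes such as *_in_homenet
        ok = bool(actual) is (val == "true")
    elif attr in IP_ATTRS:                  # assumption: a CIDR value means range membership
        ok = ipaddress.ip_address(actual) in ipaddress.ip_network(val, strict=False)
    elif attr in WILDCARD_ATTRS:            # * and ? wildcards with backslash escaping
        ok = re.match(wildcard_to_regex(val), str(actual)) is not None
    else:                                   # everything else is an exact string/integer match
        ok = str(actual) == val
    return (not ok) if m["neg"] else ok

def matches(expression, event):
    """Assumption: AND binds tighter than OR, so split on OR first, then on AND."""
    return any(all(eval_clause(c, event) for c in group.split(" AND "))
               for group in expression.split(" OR "))

EVENT = {  # constructed sample event, not taken from the documentation
    "server_ip": "12.6.6.6", "server_port": 7777, "transport_protocol": "UDP",
    "relevant_host_in_homenet": True, "event_type": "IDS", "threat": "Torn RAT",
    "file_size": 1042249838, "file_type": "executable",
    "full_url": "https://www.example.com/resource/path?r=start&v=cK5G8fPmWeA",
}
```

Values containing the literal words " AND " or " OR " are not supported by this simplified splitter.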
Supported actions
Action Name | Description |
---|---|
demote | Demotes the outcome of the matching event to a different mode. Supported targets: Allowed values: "INFO" or "TEST". |
impact | Set a lower or upper bound on the impact of an event. Supported targets: Allowed values: an integer from 1-100. |
suppress | Suppresses all threats on the matching event. This results in it being scored as a false positive with an impact of zero (0), which effectively deletes the event. Supported targets: Allowed values: none. |
tag | Assign a user-defined tag to the matching event. Supported targets: Allowed values: a valid string. |