TWTQ: Applying rule to select users

Hey everyone!
Here's This Week's Top Query (TWTQ):

Q: I want to apply my correlation rule to a specific set of users. How do I do this?

A: When you wish to apply a correlation rule to a specific set of entities (users, devices, etc.), you can make use of the field-based filters within the rule.

If this is for a rule you're building from scratch, go to:

Correlation -> Manage rules -> +Create rule


If this is for an existing rule, go to:

Correlation -> Manage rules -> select the Update icon next to the required rule

A correlation rule is made up of a sequence of events, or actions. Let's say you want the rule to apply to a few specific users:
  • Click on 'Advanced' for the first action in the rule.
  • Select the filter icon next to the 'Username' field.
  • Under the 'Filter' tab, click on '+Add new criteria'.
  • Select 'equals' in the dropdown and type in one of the usernames.
  • Keep clicking on '+Add new criteria' and repeating the previous step until you've covered all the required users.
  • Click on 'Save'.


When you provide multiple 'equals' conditions on the same field, you're basically giving EventLog Analyzer a list of values to check for, so the action matches when the field equals any one of them. You can apply the same steps to any of the other fields, like device name, process name, etc.
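To make the behaviour concrete, here is an added example (not EventLog Analyzer's engine or rule format, and not part of the original post): a simplified correlation rule whose first action carries several 'equals' criteria on the Username field. The field names, event types and sample events are constructed for the illustration; it assumes exact, case-sensitive matching.

```python
# Simplified model of a correlation rule with field-based filters.
# Constructed example; NOT EventLog Analyzer's engine or its data format.
from typing import Dict, List

# An action's filters: field -> allowed values. Several 'equals' criteria on
# one field form a list (OR); different fields are combined with AND.
Filters = Dict[str, List[str]]
Event = Dict[str, str]

def action_matches(filters: Filters, event: Event) -> bool:
    """True if every filtered field holds one of its allowed values (exact match)."""
    return all(event.get(field) in allowed for field, allowed in filters.items())

def correlate(actions: List[Filters], events: List[Event], entity: str = "username") -> List[str]:
    """Walk the event stream per entity, advancing through the rule's actions in
    order (non-matching events are skipped, not reset); return the entities for
    which the whole sequence completed."""
    progress: Dict[str, int] = {}          # entity -> index of the next action expected
    hits: List[str] = []
    for ev in events:
        who = ev.get(entity)
        if who is None:
            continue
        step = progress.get(who, 0)
        # The first action carries the user filter, so unlisted users never start.
        if action_matches(actions[step], ev):
            step += 1
            if step == len(actions):
                hits.append(who)
                step = 0
            progress[who] = step
    return hits

# Rule: two failed logons followed by a success, scoped to two users via
# multiple 'equals' criteria on the username field of the first action.
RULE = [
    {"event_type": ["logon_failure"], "username": ["alice", "bob"]},
    {"event_type": ["logon_failure"]},
    {"event_type": ["logon_success"]},
]

# Constructed sample events (not real log data).
EVENTS = [
    {"username": "alice", "event_type": "logon_failure"},
    {"username": "carol", "event_type": "logon_failure"},
    {"username": "alice", "event_type": "logon_failure"},
    {"username": "carol", "event_type": "logon_failure"},
    {"username": "carol", "event_type": "logon_success"},
    {"username": "alice", "event_type": "logon_success"},
]

if __name__ == "__main__":
    print(correlate(RULE, EVENTS))   # ['alice']: carol is not in the user list
```

Carol produces the same failure/failure/success pattern but never triggers the rule, because the user list on the first action excludes her; note that 'equals' is exact, so a differently cased username would also be excluded.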