To access alert rules, go to Settings >> Knowledge Base from the navigation bar and click Alert Rules. Here, you can choose to view the alert rules in either Tabular View or Coverage View.
Alert Rules¶
Alert Rules View Dropdown¶
This is the default view for alert rules where you can see all the active alert rules with their Log Source, Attack Category, and Attack Tag in a table. The Name column also includes a tag that indicates whether the alert is active or inactive. You can display all alert rules under All Rules, My Rules, Used Rules, Vendor Rules, Shared Rules, and Transferred Rules in one place.
For example, in the image below, alert rule LP_ZxShell Malware Detected helps to identify the T1059 - Command and Scripting Interpreter and T1218.011 - Rundll32 techniques under the Execution and Defense Evasion categories. It is currently inactive, as it does not have the Active tag under its Name.
You can also use Actions to either use, clone, activate, deactivate, delete, set notifications, or get more details about the alert rule.
Tabular View of Alert Rules¶
To sort the columns in ascending or descending order, move your cursor to the column you want to sort. Click the Down Arrow icon for ascending order and the Up Arrow icon for descending order.
Sort Columns¶
For each alert rule, you can perform various actions, such as setting up notifications, activating or deactivating, sharing, transferring, cloning, deleting, and searching.
To set up alert notifications, click the Setup Notification icon of the corresponding alert rule. A solid bell icon under Actions indicates a notification-enabled alert rule, while an outline bell icon indicates a notification-disabled alert rule. SETUP NOTIFICATIONS lets you configure the alert notification for Email Notification, SNMP Notification, HTTP Notification, SMS Notification, and SSH Notification. To configure the alert notifications, go to Setting Up Alert Notifications.
Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.
Click the Activate alert rule icon under Actions.
To activate multiple alert rules, select the alert rules. Click the MORE dropdown and select Activate Selected Alert Rules.
To activate all the alert rules, click Select All. Click the MORE dropdown and select Activate All Alert Rules.
You can De-activate the alert rules using the same method.
You can share alert rules with different users and give them read, edit, or full permissions. Incidents for each shared user and owner are triggered independently.
Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.
Select My Rules from the dropdown.
Click the Share/Unshare to Other Users icon under Actions for the alert rule. The Unshared. Click to Share icon appears if you have not shared the alert rule previously.
To share multiple alert rules, select the alert rules. Click the MORE dropdown and select Share Selected Alert Rules With Users.
To share all the alert rules, click Select All. Go to the MORE dropdown and select Share All Alert Rules With Users.
Select a User Group. All the users in the user group are listed in the dropdown.
Select Read, Edit, or Full permissions for the users. The read permission allows a user to use and clone the alert rules; the edit permission allows a user to use, clone, and edit the alert rules; and the full permission allows a user to use, clone, edit, remove, and share the alert rules.
Selecting Permissions for Users¶
Click Submit
You can unshare alert rules with the users using the same method.
Using Shared Alert Rules
If a user does not have access to a repo used in a shared alert rule, the incident is triggered from other selected repos. If only one repo is selected in the shared alert rule, and the user does not have access to the repo, the incident is not triggered.
Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.
Select Shared Rules from the dropdown.
Click the Use icon under Actions.
Using a Shared Alert Rule¶
To use multiple alert rules, select the alert rules. Click the MORE dropdown and select Use Selected Alert Rules.
To use all the alert rules, go to the MORE dropdown and select Use All Alert Rules.
Cloning Shared Alert Rules
Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.
Select Shared Rules from the dropdown.
Click the Clone icon under Actions.
To clone multiple alert rules, select the alert rules. Click the More dropdown and select Clone Selected Alert Rules.
To clone all the alert rules, go to the More dropdown and select Clone All Alert Rules.
Enter a new Name for the cloned rule.
Select the Replace Existing? checkbox to replace an existing rule with the same name.
Click Clone.
You can transfer alert rule ownership from one user to another. It is important to transfer alert rule ownership when a user who owns alert rules needs to be deleted. This is also relevant when a user becomes part of a different User Group and no longer needs to own the same alert rules.
To transfer the ownership of Alert Rules:
Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.
Click My Rules from the dropdown next to +Add.
Click the right-hand pointer icon under the Actions column of the alert rule.
To transfer ownership of multiple alert rules, select them. Click the MORE dropdown and select Transfer Ownership of Selected Rules.
To transfer ownership of all alert rules, click Select All. Click the MORE dropdown and select Transfer Ownership of All Rules.
Select a User from the dropdown.
Click OK.
To view transferred alert rules, go to Settings >> Knowledge Base >> Alert Rules. Click Used Rules from the dropdown and go to Transferred Rules.
Transfer Ownership When Deleting Shared Alert Rule’s Owner
When you delete a user who has shared alert rules, you must either delete the shared alert rules or transfer their ownership to another user.
Go to Settings >> User Accounts from the navigation bar and click Users.
De-activate the user by clicking the De-Activate User icon under Actions.
Click Manage De-Activated Users.
Click the Delete icon under Actions.
Click Yes.
To transfer the ownership, select a user from the list of active users in the dropdown and click Submit.
To delete the user and user’s alert rule without transferring their ownership, click Delete.
Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.
Click the Clone Alert Rule icon under Actions for the rule.
To clone multiple alert rules, select the alert rules. Click the MORE dropdown and select Clone Selected Alert Rules.
To clone all the alert rules, click Select All. Go to the MORE dropdown and select Clone All Alert Rules.
Enter a new Name for the cloned rule.
Check the Replace Existing? checkbox to replace an existing rule with the same name.
Click Clone.
Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.
Click the Delete icon under Actions for the rule.
To delete multiple alert rules, select the alert rules. Click the MORE dropdown and select Delete Selected Alert Rules.
To delete all the alert rules, click Select All. Go to the MORE dropdown and select Delete All Alert Rules.
Click Yes.
You can run the query used in an alert rule directly. Doing so redirects you to Logpoint search with the query, repo, and time range auto-filled.
Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.
Click the Search icon under Actions for the rule.
You are redirected to the search page in a new tab.
Search page with query used in an Alert Rule¶
You can use COVERAGE VIEW to display the categorization of the alert rules based on the attack categories and attack techniques of the MITRE ATT&CK framework. It is useful for knowing which alert rules protect against which MITRE ATT&CK category.
For example, in the image below, you can see which alert rule is active to protect from Phishing attacks under the Initial Access category. You can drill down each category and technique to see all the alert rules that can detect that specific attack technique. You can also activate the alert rule if it is not active.
Coverage View of Alert Rules¶
You can click an attack technique to view the list of its corresponding alert rules. Use this view to see the number of active alert rules compared with the total number of alert rules for that technique. The fraction is highlighted in green.
List of Alert Rules Associated with the Attack Tag¶
Click the help icon to view the description of the attack tag associated with the attack techniques and sub-techniques of the MITRE ATT&CK framework.
Description of the Attack Tag¶
Both the tabular and coverage views include an action bar you can use to:
+Add allows you to create a new alert rule using the alert creation wizard. Go to Creating an Alert Rule for more details.
IMPORT allows you to import alert rules from the stored location. While importing alert rules, only the repos from the alert rules exported from Logpoint are selected.
Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.
Click IMPORT.
Browse to the Alert Rules. You can only import alert rules exported from Logpoint with .pak extension.
Click Submit.
EXPORT allows you to export alert rules; this is only possible from Tabular View. The exported alert rules .pak file also contains the repo configuration of the alert rules. To export alert rules:
Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.
Select My Rules from the dropdown and select the alert rules that you want to export.
Click EXPORT.
The active-only checkbox allows you to view only the active alert rules. This checkbox is only available in Tabular View and is selected by default.
The log source dropdown allows you to filter the alert rules according to their log sources. The dropdown is only available in Tabular View.
In TABULAR VIEW, use the MORE dropdown at the top-right corner to:
MORE¶
Activate Selected Alert Rules lets you activate multiple alert rules at once.
Deactivate Selected Alert Rules lets you deactivate multiple alert rules at once.
Setup Notifications of Selected Alert Rules lets you configure alert notification for multiple alerts at once. Refer to Setting Up Alert Notifications for more details.
Columns lets you choose whether to display the Attack Category and Attack Tag columns in the table.