Notification Rules

Notification Rules are conditions that determine how the NDR handles the notifications it generates for network activity. You can create, edit, or delete rules, specify which notifications a rule matches, change severity levels, set a default acknowledgement state, and enable or disable rules. This lets you whitelist irrelevant notifications and track the remaining network activity efficiently.

Creating a New Rule

  1. Select an Action to set the purpose of the rule.

    1. Whitelist: Suppresses future matching notifications so that they no longer appear on the dashboard.

    2. New severity: Assigns a different severity level to future matching notifications, either upgrading or downgrading the severity.

    3. Disable NDR AI Prevent: Prevents NDR AI Prevent from executing for the matched notification. This action does not stop rule evaluation, so a later matching rule with another action (Whitelist, New Severity, Set Default Acknowledgement) still applies.

    4. Set Default Acknowledgement: Sets the acknowledgement state automatically when the rule is triggered. Options include Unacknowledged, False Positive, Benign True Positive, and Malicious True Positive.

  2. Enter or select a Rank, a number between 1 and 100. Rules are evaluated in ascending Rank order: Rank 1 is evaluated first and Rank 100 last. Only the first matching rule executes, with one exception: if that rule's action is Disable NDR AI Prevent, evaluation continues and the next matching rule is also applied. Assign lower Rank values to more specific rules.

    For example, a rule targeting a specific IP, category, and notification description must be evaluated before a broader rule that matches an entire network and category; otherwise the broad rule executes and the specific one never does. If two rules share the same Rank and both match a notification, it is unspecified which rule is applied, so give rules that can match the same notification distinct Ranks.

  3. Enter the Source and Destination host values (IP addresses, or domains or ASNs, depending on the Match Type). Click the Match Type dropdown to choose how your entry is compared with the notification data; the available match types are described under Match Type below.

  4. In Networks, select one or more networks. Enable Exclude to exclude the selected networks instead of including them. By default, the rule applies to all networks.

  5. In Network Groups, select one or more groups. Enable Exclude to exclude the selected groups instead of including them. If a network is excluded, the rule ignores notifications from that network. If a network is both included and excluded (for example, selected directly in Networks but excluded through a Network Group), NDR treats it as excluded.

  6. In Category, enter or select a notification category, for example Address Scan Detected, to filter notifications by type.

  7. In Notification description, enter a keyword to filter notifications by their description text. Use Match Type to control whether the system looks for an exact match, a partial (substring) match, or a pattern-based match.

  8. Select a time window in Specify time windows.

  9. Add a note to describe the notification rule.

  10. Enable the notification rule.

  11. Click Add to save the rule.
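The Rank and action semantics in steps 1 and 2 are easiest to check with a small model. The following is an added example, not NDR's own code: the Rule fields, the action names and the evaluate() function are assumptions built from the text above (in particular, the model assumes that evaluation continues past every matching Disable NDR AI Prevent rule until a rule with another action executes). To keep it short, only Exact matching on Category and a CIDR match on the Source address are modelled; the other match types are left out.

```python
"""Model of the Notification Rule evaluation order (Rank, first match wins,
Disable NDR AI Prevent lets evaluation continue). Added example, not NDR code."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    rank: int                        # 1..100; lower ranks are evaluated first
    action: str                      # whitelist | new_severity | disable_ai_prevent | set_ack
    category: Optional[str] = None   # Exact match on the notification category
    source_cidr: Optional[str] = None
    value: Optional[str] = None      # new severity, or acknowledgement state
    enabled: bool = True

    def matches(self, n: dict) -> bool:
        """Every configured field must match; unset fields match anything."""
        if self.category is not None and n["category"] != self.category:
            return False
        if self.source_cidr is not None and ip_address(n["source"]) not in ip_network(
            self.source_cidr, strict=False
        ):
            return False
        return True


def evaluate(rules: list, n: dict) -> dict:
    """Apply the enabled rules to one notification, ascending by Rank.

    The first matching rule executes and evaluation stops, except that a
    matching Disable NDR AI Prevent rule lets evaluation continue so a later
    Whitelist / New Severity / Set Default Acknowledgement rule still applies.
    """
    state = {"visible": True, "severity": n["severity"], "ai_prevent": True,
             "ack": "Unacknowledged", "applied": []}
    for r in sorted((r for r in rules if r.enabled), key=lambda r: r.rank):
        if not r.matches(n):
            continue
        state["applied"].append(r.rank)
        if r.action == "disable_ai_prevent":
            state["ai_prevent"] = False
            continue                      # the one action that does not stop evaluation
        if r.action == "whitelist":
            state["visible"] = False
        elif r.action == "new_severity":
            state["severity"] = r.value
        elif r.action == "set_ack":
            state["ack"] = r.value
        break
    return state


def ambiguous_ranks(rules: list, n: dict) -> list:
    """Ranks shared by two or more enabled rules that all match n.

    The page leaves it unspecified which of the tied rules applies, so treat
    a non-empty result as a configuration error and re-rank the rules.
    """
    counts = Counter(r.rank for r in rules if r.enabled and r.matches(n))
    return sorted(rank for rank, hits in counts.items() if hits > 1)


# Constructed rule set: the specific rules get lower ranks than the broad one.
RULES = [
    Rule(10, "disable_ai_prevent", category="Address scan detected", source_cidr="10.0.0.0/8"),
    Rule(20, "whitelist", category="Address scan detected", source_cidr="10.1.2.0/24"),
    Rule(30, "new_severity", category="Address scan detected", value="High"),
]

# Constructed notifications (not real NDR output).
SCANNER_IN_LAB = {"category": "Address scan detected", "source": "10.1.2.5", "severity": "Medium"}
SCANNER_EXTERNAL = {"category": "Address scan detected", "source": "192.0.2.7", "severity": "Medium"}

if __name__ == "__main__":
    print(evaluate(RULES, SCANNER_IN_LAB))      # AI Prevent off (rank 10), then whitelisted (rank 20)
    print(evaluate(RULES, SCANNER_EXTERNAL))    # only rank 30 matches: severity becomes High
    # A broad whitelist ranked above the specific rules shadows them entirely:
    broad_first = [Rule(5, "whitelist", category="Address scan detected")] + RULES
    print(evaluate(broad_first, SCANNER_EXTERNAL)["applied"])   # [5]
```

Run ambiguous_ranks() against a representative notification before saving a rule set: a tie between two rules that both match is the case the page calls unspecified.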

Time Windows

You can control a rule's activity using time windows. If no time window is set, the rule remains active continuously.

  • Use Include to define active periods.

  • Use Exclude to define inactive periods.

  • Exclude takes precedence where an Include window and an Exclude window overlap.

Two types of time windows are available:

  • One-Time Window: Select a specific time range using the "From" and "To" date pickers. The time is interpreted in your local time zone.

  • Recurring Time Window: Define a schedule using a cron expression and a duration.

    • You can generate the expression using dropdowns or type it manually. A manually typed expression is interpreted in UTC, not in your local time zone, so convert local times before entering them and remember that the offset changes with daylight saving time.

    • Note: The non-standard cron characters #, L, and W are not supported.

Click Validate to check the time window configuration.
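The interaction between Include and Exclude windows, the cron-plus-duration form of a recurring window, and the UTC versus local time pitfall are worth checking before a rule goes live. The following is an added example, not NDR's own code: the window tuples, cron_matches(), in_window(), rule_active() and active_at() are assumptions built from the rules stated above (no windows means always active; Exclude wins over Include; a recurring window is a cron expression evaluated in UTC plus a duration in minutes; a one-time window is a From/To pair). Only the five-field cron syntax with *, lists, ranges and steps is implemented, which is consistent with #, L and W being unsupported.

```python
"""Is a rule with time windows active at a given instant? Added example, not NDR code."""
from datetime import datetime, timedelta, timezone


def _field_ok(spec: str, value: int, lo: int, hi: int) -> bool:
    """One cron field: '*', '5', '1-5', '*/15', '1,3,5' (and combinations of these)."""
    for part in spec.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-"))
        else:
            start = end = int(rng)
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def cron_matches(expr: str, t: datetime) -> bool:
    """True if the five-field cron expression fires at minute t (evaluated in UTC).
    Note: classic cron ORs day-of-month and day-of-week when both are restricted;
    this model ANDs all five fields, which is enough for the schedules shown here."""
    minute, hour, dom, month, dow = expr.split()
    t = t.astimezone(timezone.utc)
    return (_field_ok(minute, t.minute, 0, 59) and _field_ok(hour, t.hour, 0, 23)
            and _field_ok(dom, t.day, 1, 31) and _field_ok(month, t.month, 1, 12)
            and _field_ok(dow, t.isoweekday() % 7, 0, 6))      # cron: 0 = Sunday


def in_window(window: tuple, t: datetime) -> bool:
    """window = ("once", from_iso, to_iso) or ("cron", expr, duration_minutes)."""
    if window[0] == "once":
        start, end = (datetime.fromisoformat(s) for s in window[1:])
        return start <= t < end
    _, expr, duration = window
    # Active if the schedule fired at some minute s with s <= t < s + duration.
    t_min = t.astimezone(timezone.utc).replace(second=0, microsecond=0)
    return any(cron_matches(expr, t_min - timedelta(minutes=k)) for k in range(duration))


def rule_active(include: list, exclude: list, t: datetime) -> bool:
    """Exclude windows take precedence. With no Include windows the rule is active
    outside the Exclude windows; with no windows at all it is always active."""
    if any(in_window(w, t) for w in exclude):
        return False
    return not include or any(in_window(w, t) for w in include)


def active_at(include: list, exclude: list, when_iso: str) -> bool:
    """Convenience wrapper taking an ISO-8601 timestamp that carries a UTC offset."""
    return rule_active(include, exclude, datetime.fromisoformat(when_iso))


# Constructed scenario: a whitelist that should only apply while a backup job runs
# 02:00-04:00 UTC on weekdays, except on one change-freeze day when it must stay off.
BACKUP_WINDOW = ("cron", "0 2 * * 1-5", 120)
FREEZE_DAY = ("once", "2024-05-14T00:00:00+00:00", "2024-05-15T00:00:00+00:00")

if __name__ == "__main__":
    print(active_at([BACKUP_WINDOW], [], "2024-05-15T03:30:00+00:00"))           # True  (Wed, inside)
    print(active_at([BACKUP_WINDOW], [], "2024-05-15T04:00:00+00:00"))           # False (window over)
    print(active_at([BACKUP_WINDOW], [], "2024-05-18T03:00:00+00:00"))           # False (Saturday)
    print(active_at([BACKUP_WINDOW], [FREEZE_DAY], "2024-05-14T03:30:00+00:00")) # False (Exclude wins)
    # 03:30 local time in UTC+2 is 01:30 UTC: a cron written for local time misses it.
    print(active_at([BACKUP_WINDOW], [], "2024-05-15T03:30:00+02:00"))           # False
```

The last call is the one to keep in mind: a recurring window typed as "0 2 * * 1-5" covers 02:00 UTC, so an operator in UTC+2 who wants 02:00 local time must enter "0 0 * * 1-5" instead.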

Match Type

Match type defines how the NDR compares the value you enter, such as an IP address or category, with notification data. It determines whether the system searches for an exact match, partial match, or pattern-based match.

For Source, Destination, Category, and Notification Description, choose one of the following match types:

  • Contains: True if the notification value contains your entry as a substring (partial match).

  • Exact: True only if the notification value and your entry are identical.

  • In: Accepts a list of values (newline- or pipe-separated); true if the notification value is one of them.

  • Regex: Accepts a custom regular expression that the notification value is matched against.

For Source/Destination, additional match types include:

  • IP Range: One or more (comma-separated) IP ranges, each written as two addresses separated by a dash. Example: 192.168.0.0-192.168.1.255 or 192.168.0.0-192.168.1.255,192.168.1.2-192.168.1.4

  • CIDR: One or more (comma-separated) subnets in CIDR notation. Example: 192.168.0.0/16 or 192.168.0.0/16,125.0.0.0/20

  • ASN: One or more (comma-separated) autonomous system numbers; each ASN stands for the group of IP prefixes it announces. Example: 234 or 234,15,54

  • Domain: The rule applies only if the domain matches the specified pattern.

    • The pattern is not case sensitive.

    • The star symbol (*) matches exactly one domain level (label).

    • *.microsoft.com matches all domains of the form x.microsoft.com.

    • Patterns can be comma separated. Example: microsoft.com, windows.com applies the rule if the notification contains one of the domains.

Testing the Rule

Click Test to evaluate how a rule performs over a selected time range. The result shows how many notifications would have matched.

The Count field reflects the number of matched notifications. Recheck after some time to verify results.

Editing an Existing Rule

To modify a rule:

  • Open the Active Rules list and click Edit.

  • Apply changes and use the Test button to preview its impact on previous data.

Note: For a whitelist rule, notifications that the rule already matched have been discarded permanently, so testing it against previous data may report a zero match count.

Important: Notifications are tagged to networks based on the network configuration at the time of generation. Changing the configuration later does not reassign old notifications.

For example, if a rule applies to Network1 and that network's range is expanded from a /24 to a /16, new notifications are tagged with the updated network, but old notifications from addresses outside the original /24 are not retagged and will not match. The Test button therefore does not reflect the change for historical data.

Import and Export Rules

You can copy rules between sensors using the Import and Export functions.

  • To export a rule, click Export when editing or creating a rule. It is copied to your clipboard.

  • To import, click Import on the new sensor. The clipboard contents will populate the form. Click Save to finalize.

If the clipboard content is invalid, an error message will appear.

Examples

Example 1 – Whitelist 'Traceroute detected' notifications for subnet 192.168.15.*:

  • Create a new rule

  • Set Rank to a value between 1–100

  • Set Action to Whitelist

  • Set Category to Traceroute detected, Match Type: Exact

  • Set Notification Description to 192.168.15, Match Type: Contains (note that Contains is a substring match, so this also matches addresses such as 192.168.150.1 or 10.192.168.15; if the host address is present in Source or Destination, a CIDR match on 192.168.15.0/24 there is more precise)

  • Click Add

Example 2 – Change severity of 'Address scan detected' to High:

  • Create a new rule

  • Set Rank to a value between 1–100

  • Set Action to New Severity Level → High

  • Set Category to Address scan detected, Match Type: Exact

  • Leave Notification Description empty

  • Click Add

Example 3 – Whitelist domain 'nr-data.net' for 'Blacklist match domain':

  • Create a new rule

  • Set Rank to a value between 1–100

  • Set Action to Whitelist

  • Set Category to Blacklist match domain, Match Type: Exact

  • Set Notification Description to nr-data.net, Match Type: Contains

  • Click Add

Example 4 – Whitelist file extensions like .tmp, .TMP, .temp, .TEMP in 'SMB Suspicious File Renaming':

  • Create a new rule

  • Set Rank to a value between 1–100

  • Set Action to Whitelist

  • Set Category to SMB Suspicious File Renaming, Match Type: Exact

  • Set Notification Description to .*(\.tmp|\.TMP|\.temp|\.TEMP).*, Match Type: Regex (this pattern also matches longer extensions such as .template or .tmpl, and does not match mixed-case variants such as .Tmp; tighten it if such names occur in your environment)

  • Click Add.
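The match types from the Match Type section and the worked examples above can be checked against sample notifications before a rule is saved. The following is an added example, not NDR's own code: match(), rule_matches(), matching() and the sample notifications are constructed for the demonstration. The page does not say which regular-expression dialect NDR uses, whether Regex is anchored, or whether Exact is case-sensitive, so this model assumes Python's re.fullmatch and case-sensitive comparison for everything except Domain, which the page states is case-insensitive. ASN matching needs prefix data that is not available offline and is omitted. Examples 1 and 4 are run as written next to tightened variants that avoid the substring and regex pitfalls noted above.

```python
"""Match Type semantics applied to the worked examples. Added example, not NDR code."""
import re
from ipaddress import ip_address, ip_network


def match(kind: str, pattern: str, value: str) -> bool:
    """Compare one notification field `value` with the configured `pattern`."""
    if kind == "exact":
        return value == pattern
    if kind == "contains":                      # substring match, not a token match
        return pattern in value
    if kind == "in":                            # newline- or pipe-separated list
        return value in {v.strip() for v in re.split(r"[\n|]", pattern) if v.strip()}
    if kind == "regex":                         # assumed: whole value must match
        return re.fullmatch(pattern, value) is not None
    if kind == "cidr":                          # comma-separated subnets
        return any(ip_address(value) in ip_network(c.strip(), strict=False)
                   for c in pattern.split(","))
    if kind == "ip_range":                      # comma-separated, dash-delimited ranges
        ip = ip_address(value)
        for rng in pattern.split(","):
            lo, hi = (ip_address(x.strip()) for x in rng.split("-"))
            if lo <= ip <= hi:
                return True
        return False
    if kind == "domain":                        # case-insensitive; * = exactly one label
        for dom in pattern.split(","):
            regex = re.escape(dom.strip().lower()).replace(r"\*", r"[^.]+")
            if re.fullmatch(regex, value.lower()):
                return True
        return False
    raise ValueError(f"unknown match type {kind!r}")


def rule_matches(rule: dict, n: dict) -> bool:
    """A rule matches when every configured field matches its notification field."""
    return all(match(kind, pat, n[fld]) for fld, (kind, pat) in rule.items())


def matching(rule: dict, samples: list) -> list:
    """Descriptions of the sample notifications the rule would match."""
    return [n["description"] for n in samples if rule_matches(rule, n)]


# Example 1 as written, and a tighter variant using a CIDR on the Source host.
EXAMPLE_1 = {"category": ("exact", "Traceroute detected"),
             "description": ("contains", "192.168.15")}
EXAMPLE_1_CIDR = {"category": ("exact", "Traceroute detected"),
                  "source": ("cidr", "192.168.15.0/24")}

# Example 4 as written, and a variant that requires the extension to end the
# file name (followed by a non-word character or the end of the text).
EXAMPLE_4 = {"category": ("exact", "SMB Suspicious File Renaming"),
             "description": ("regex", r".*(\.tmp|\.TMP|\.temp|\.TEMP).*")}
EXAMPLE_4_TIGHT = {"category": ("exact", "SMB Suspicious File Renaming"),
                   "description": ("regex", r".*\.(tmp|TMP|temp|TEMP)(\W.*)?")}

# Constructed notifications; the description texts are invented for this demo.
SAMPLES = [
    {"category": "Traceroute detected", "source": "192.168.15.7",
     "description": "Traceroute from 192.168.15.7 to 8.8.8.8"},
    {"category": "Traceroute detected", "source": "192.168.150.7",       # outside 192.168.15.0/24
     "description": "Traceroute from 192.168.150.7 to 8.8.8.8"},
    {"category": "SMB Suspicious File Renaming", "source": "10.0.0.5",
     "description": "report.docx renamed to report.docx.tmp"},
    {"category": "SMB Suspicious File Renaming", "source": "10.0.0.5",   # .template is not .temp
     "description": "invoice.docx renamed to invoice.template"},
]

if __name__ == "__main__":
    for name, rule in [("Example 1", EXAMPLE_1), ("Example 1 (CIDR)", EXAMPLE_1_CIDR),
                       ("Example 4", EXAMPLE_4), ("Example 4 (tight)", EXAMPLE_4_TIGHT)]:
        print(name, "->", matching(rule, SAMPLES))
```

Whitelist rules deserve the most scrutiny because an over-broad one silently hides notifications: Example 1 as written also suppresses the 192.168.150.7 traceroute, and Example 4 as written also suppresses the .template rename.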
