Segmentation rule settings

Segmentation rules are created in the Resources → Segmentation rules section of the KUMA web interface.

Available settings:

• Name (required)—a unique name for this type of resource. Must contain 1 to 128 Unicode characters.
• Tenant (required)—name of the tenant that owns the resource.
• Type (required)—type of the segmentation rule. Available values:
  • By filter—alerts are created if the correlation events match the filter conditions specified in the Filter group of settings.

    You can use the Add condition button to add a string containing fields for identifying the condition. You can use the Add group button to add a group of filters. Group operators can be switched between AND, OR, and NOT. You can add other condition groups and individual conditions to filter groups. You can swap conditions and condition groups by dragging them by the icon; you can also delete them using the icon.

    • Left operand and Right operand—used to specify the values to be processed by the operator.

      The left operand contains the names of the event fields that are processed by the filter.

      For the right-hand operand, you can select the type of the value: constant or list and specify the value.

    • Available operators
      • =—the left operand equals the right operand.
      • <—the left operand is less than the right operand.
      • <=—the left operand is less than or equal to the right operand.
      • >—the left operand is greater than the right operand.
      • >=—the left operand is greater than or equal to the right operand.
      • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
      • contains—the left operand contains values of the right operand.
      • startsWith—the left operand starts with one of the values of the right operand.
      • endsWith—the left operand ends with one of the values of the right operand.
      • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
      • TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.
  • By identical fields—an alert is created if the correlation event contains the event fields specified in the Correlation rule identical fields group of settings.

    The fields are added using the Add field button. You can delete the added fields by clicking the cross icon or the Reset button.

    Example of grouping fields usage

    A rule that detects a network scan generates only one alert, even if there are multiple devices that scan the network. If you create an alert segmentation rule based on the SourceAddress event grouping field and then bind this segmentation rule to a correlation rule, alerts are created for each address from which a scan is performed when the rule is triggered.

    In this example, if the correlation rule name is "Network. Possible port scan", and the "from {{.SourceAddress}}" value is specified as the alert naming template in the segmentation rule resource, alerts are created that look like this:

    • Network. Possible port scan (from 10.20.20.20 <Alert creation date>)
    • Network. Possible port scan (from 10.10.10.10 <Alert creation date>)
  • By event limit—an alert is created if the number of correlation events in the previous alert exceeds the value specified in the Correlation events limit field.
• Alert naming template (required)—a template for naming the alerts created according to this segmentation rule. The default value is {{.Timestamp}}.

  In the template field, you can specify text, as well as event fields in the {{.<Event field name>}} format. When generating the alert name, the event field value is substituted instead of the event field name.

  The name of the alert created using the segmentation rules has the following format: "<Name of the correlation rule that created the alert> (<text from the alert naming template field> <Alert creation date>)".

• Description—resource description: up to 4,000 Unicode characters.