Enrichment rules
Enrichment rule resources are used to update the event fields.
Available Enrichment rule resource parameters:
- Name (required)—a unique name for this type of resource. Must contain from 1 to 128 Unicode characters.
- Tenant (required)—name of the tenant that owns the resource.
- Source kind (required)—drop-down list for selecting the type of incoming events. Depending on the selected type, you may see the following additional settings:
- constant
This type of enrichment is used when a constant needs to be added to an event field.
When choosing this type, you must specify the value to add to the event field in the Constant field. The value should not be longer than 255 Unicode characters. If you leave this field blank, the existing event field value will be cleared.
- dictionary
This type of enrichment is used if you need to add a value from dictionary.
When this type is selected in the Dictionary name drop-down list, you must select the dictionary that will provide the values. In the Key fields settings block, you must use the Add field button to select the event fields whose values will be used for dictionary entry selection.
- event
This type of enrichment is used when you need to write a value from another event field to the current event field.
When this type is selected in the Source field drop-down list, you must select the event field from where the value will be copied to the target field.
In the Conversion settings block, you can create rules for modifying the original data before it is written to the KUMA event fields. The conversion type can be selected from the drop-down list. You can use the Add conversion and Delete buttons to add or delete a conversion, respectively. The order of conversions is important.
Conversions are changes that can be applied to a value before it gets written to the event field. The conversion type is selected from a drop-down list.
Available conversions:
- lower—is used to make all characters of the value lowercase
- upper—is used to make all characters of the value uppercase
- regexp—is used to apply a RE2 regular expression to the value. When this conversion type is selected, the field appears where regular expression should be added.
- substring—is used to delete characters in the position range specified in the Start and the End fields. These fields appear when this conversion type is selected.
- replace—is used to replace specified character sequence with the other character sequence. When this type of conversion is selected, new fields appear:
- Replace chars—in this field you can specify the character sequence that should be replaced.
- With chars—in this field you can specify the characters sequence should be used instead of replaced characters.
- trim is used to remove the characters specified in the Chars field from trailing positions of the value. The field appears when this type of conversion is selected.
- append is used to add the characters specified in the Constant field to the end of the event field value. The field appears when this type of conversion is selected.
- prepend—used to prepend the characters specified in the Constant field to the start of the event field value. The field appears when this type of conversion is selected.
- replace with regexp—is used to replace RE2 regular expression results with the character sequence.
- Expression—in this field you can specify the regular expression which results that should be replaced.
- With chars—in this field you can specify the characters sequence should be used instead of replaced characters.
- template
This type of enrichment is used when you need to write a value obtained by processing Go templates into the event field.
When this type is selected, a Go template must be specified in the Template field.
Event field names are passed in the
{{.EventField}}format, whereEventFieldis the name of the event field from which the value must be passed to the script.Example:
Attack on {{.DestinationAddress}} from {{.SourceAddress}} - dns
This type of enrichment is used to send requests to a private network DNS server to convert IP addresses into domain names or vice versa.
Available settings:
- URL—in this field, you can specify the URL of a DNS server to which you want to send requests. You can use the Add URL button to specify multiple URLs.
- RPS—maximum number of requests sent to the server per second. The default value is
1000. - Workers—maximum number of requests per one point in time. The default value is
1. - Max tasks—maximum number of simultaneously fulfilled requests. By default, this value is equal to the number of vCPUs of the KUMA Core server.
- Cache TTL—the lifetime of the values stored in the cache. The default value is
60. - Cache disabled—you can use this drop-down list to enable or disable caching. Caching is enabled by default.
- cybertrace
This type of enrichment is used to add information from CyberTrace data streams to event fields.
Available settings:
- URL (required)—in this field, you can specify the URL of a CyberTrace server to which you want to send requests.
- Number of connections—maximum number of connections to the CyberTrace server that can be simultaneously established by KUMA. By default, this value is equal to the number of vCPUs of the KUMA Core server.
- RPS—maximum number of requests sent to the server per second. The default value is
1000. - Timeout—amount of time to wait for a response from the CyberTrace server, in seconds. The default value is
30. - Mapping (required)—this settings block contains the mapping table for mapping KUMA event fields to CyberTrace indicator types. The KUMA fields column shows the names of KUMA event fields, and the CyberTrace indicator column shows the types of CyberTrace indicators.
Available types of CyberTrace indicators:
- ip
- url
- hash
In the mapping table, you must provide at least one string. You can use the New line button to add a string, and can use the
button to remove a string.
- constant
- Debug—you can use this drop-down list to enable logging of service operations. Logging is disabled by default.
- Description—up to 256 Unicode characters describing the resource.
- Filter—settings block in which you can specify the conditions for identifying events that will be processed by the aggregation rule resource. You can select an existing filter resource from the drop-down list, or select Create new to create a new filter.
Creating a filter in resources
- In the Filter drop-down menu, select Create new.
- If you want to keep the filter as a separate resource, set the Save filter toggle switch. This can be useful if you decide to reuse the same filter across different services. The toggle switch is turned off by default.
- If you toggle the Save filter switch on, enter a name for the created filter resource in the Name field. The name must contain from 1 to 128 Unicode characters.
- In the conditions section, specify the conditions that the events must meet:
- The Add condition button is used to add filtering conditions. You can select two values (two operands, left and right) and assign the operation you want to perform with the selected values. The result of the operation is either True or False.
- In the operator drop-down list, select the function to be performed by the filter.
- = – the left operand equals the right operand.
- <—the left operand is less than the right operand.
- <=—the left operand is less than or equal to the right operand.
- >—the left operand is greater than the right operand.
- >=—the left operand is greater than or equal to the right operand.
- inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
- contains—the left operand contains values of the right operand.
- startsWith—the left operand starts with one of the values of the right operand.
- endsWith—the left operand ends with one of the values of the right operand.
- match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
- inActiveList—this filter has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
- inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
- inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
- TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.
You can use the Match case check box in the Operator drop-down list to choose whether the values passed to the filter should be case sensitive. This check box is cleared by default.
- In the Left operand and Right operand drop-down lists, select where the data to be filtered will come from. As a result of the selection, Advanced settings will appear. Use them to determine the exact value that will be passed to the filter. For example, when choosing active list you will need to specify the name of the active list, the entry key and the entry key field.
- You can use the If drop-down list to choose whether you want to create a negative filter condition.
Conditions can be deleted using the
button. - In the operator drop-down list, select the function to be performed by the filter.
- The Add group button is used to add groups of conditions. Operator AND can be switched between AND, OR, and NOT values.
A condition group can be deleted using the
button. - Using the Add filter button you can add existing filter resources selected in the Select filter drop-down list to the conditions. You can navigate to a nested filter resource using the
button.A nested filter can be deleted using the
button.
- The Add condition button is used to add filtering conditions. You can select two values (two operands, left and right) and assign the operation you want to perform with the selected values. The result of the operation is either True or False.