Stream Rules

Overview

Stream Rules are used to immediately detect threats by correlating real-time data based on predefined patterns or conditions. For example, they can detect high-risk attacks by identifying specific patterns in IPS logs or detect data exfiltration when outbound traffic volume exceeds a defined threshold.

The illustration below shows how a stream rule operates. Stream rules are applied to data that has been normalized during the ingestion phase. When creating a stream rule, be sure to use field names that have been normalized according to the log schemas.

Stream rules - overview

Stream rules perform the following key actions:

  • Event Detection:

    • Match detection libraries against normalized field values.
  • Response Actions:

    • Issue tickets and send alarms for detected events.
    • Request an explanation if the actor is an employee.
    • Register the IP address associated with the event in an address group.
    • If necessary, send a command to the connected device to block the traffic.
    • Trigger the playbook execution.
Note
Playbook execution is not a direct response action performed by the stream rule itself. However, if a playbook is configured to be triggered by the stream rule, response actions are automatically executed based on the playbook.

Typically, stream rules issue tickets or request an explanation from the responsible parties upon event detection. To avoid overwhelming analysts or security officers with redundant tickets, it is crucial to minimize duplication. Logpresso Sonar consolidates identical events into a single ticket based on the alert message and ticket subject, or on a specified duplicate-detection field.

Search Stream Rule

You can view or search the list of stream rules in Policies > Stream Rules.

Stream rule list

  • App: Icon indicating the related app. Default rules and user-added rules are represented by the Logpresso icon; rules from installed apps are represented by their app icons.
  • Enabled: Toggle button to enable or disable the rule
  • Status: Rule status according to the Enabled setting (Green: enabled, Gray: disabled)
  • Priority: Importance of the rule (high, medium, low)
  • Category: Category information
  • Rule: Name of the stream rule
  • Type: Log schema set for the rule
  • Modified At: Date the stream rule was last modified (or created)

To find a specific stream rule from the list, use the search tool in the toolbar. The search tool finds the rules where the keywords you enter are included in the rule's Name, Description, or Query fields. The search is not case-sensitive.

Enable and Disable Stream Rule

To enable or disable a stream rule, click the toggle button in the Enabled column of the rule.

Download Stream Rule List

To save the list of stream rules to your local PC, click Download in the toolbar and select the desired file format to download.

Refresh Stream Rule List

To view an up-to-date list of stream rules, click Refresh in the toolbar.

Add Stream Rule

To add a stream rule:

  1. Go to Policies > Stream Rules and click Add in the toolbar.

  2. On the Add Stream Rule screen, enter the following basic settings:

    Stream rule configuration 1

    • Name: Unique name for the stream rule (up to 50 characters). Rule names must not duplicate an existing rule name.

    • Category: Stream rule category. You can add a rule category by clicking Categories in the toolbar. If no category is set, no ticket will be issued.

    • Message: Title assigned to the ticket upon event detection

      • Use field names defined in the log schema in the form $field or $field$; the message is generated by substituting the field value from the log that triggered the detection (e.g., $src_ip). For field names containing Korean characters, always use the $FieldName$ form so the end of the name is unambiguous.
      • If the Detect Duplicates on option in Advanced settings is not specified, duplicate tickets are suppressed based on whether the generated message (up to 2,000 characters) is identical.
    • Assign to: User account to assign the issued ticket to. You can select more than one account. If unspecified, the ticket is created without an assignee.

    • Alarm Group: Alarm group to receive alarms when an event is detected.

      Note
      Alarm reception settings must be configured within the selected Alarm Group.
    • Description: Detailed description of the stream rule (up to 2,000 characters).

  3. To separately track the IP address of the attacker or abnormal actor, or to forward address group information to firewalls or IPSs, configure the following settings:

    Stream rule configuration 2

    • Address Group: Address group to which the value (IP address) of the field specified as IP Field is added.

    • Retention: Duration (in minutes) to retain the IP address in the address group (range: 1–100,000,000). Once the retention period expires, the IP address is automatically removed from the address group. If unspecified, the IP address remains in the group permanently.

    • IP Field: Field name containing the IP address to be added to the address group upon event detection. Enter the name of the IP-related field defined in the log schema (e.g., src_ip, dst_ip) (up to 50 characters).

      Note
      For integration with third-party security systems for blocking actions, refer to 'System > Response Targets.'
  4. Configure the priority of detected events and the logger (or logger model) the rule applies to:

    Stream rule configuration 3

    • Priority: Severity of detected events (high, medium, low).
    • Normalization Schema: Log schema to apply to the stream rule. Available fields in the Scenario Builder depend on the selected log schema.
    • Target: Logger model (or logger) to apply to the stream rule. Only logger models and loggers associated with the selected log schema are displayed.
    Note
    If the Logger Model has only "Raw" normalization rules without referencing a Log Schema, it will not appear in the detection target list. Ensure that the logger model references a log schema.
  5. Create the threat detection scenario. Use the Scenario Builder or directly enter a query in Query field to define the detection scenario. For detailed information about the Scenario Builder, refer to Rules and Parameters by Field Type.

A scenario consists of at least one rule, applied in the order listed in the scenario list. When data is collected through the selected target, it is matched against the rules in order; a rule must be satisfied before the next rule is evaluated. Because the order affects system performance, place simple, fast conditions first so that unrelated logs are filtered out early, and put stateful rules (those marked High in the Load column under Rules and Parameters by Field Type) last.

If you enter an invalid or non-executable query (e.g., one referencing a nonexistent address group or pattern group), the detection rule cannot be added.

  • Scenario Builder: A detection scenario editor comprising Condition, Field, and Rule. After entering a scenario, click Add to register it in the scenario list. At least one scenario must be registered.
    • Condition: The condition for applying the scenario (AND, NOT; default: AND).
      • AND: True if the rule matches.
      • NOT: True if the rule does not match.
    • Field: Field from the log schema to compare with the Rule
    • Rule: Rule to apply to the Field. The rules are available depending on the selected Field.
  • Query: Directly input a query if you prefer to manually define filter conditions (up to 10,000 characters).
  • Stream Query: Displays the filter rules entered in Scenario Builder or Query as a stream query.
  6. If a detected event is related to an employee within the organization, you can request an explanation from the employee.

    Stream rule configuration 5

    • Explanation Request: Whether to request an explanation from the employee or personnel involved in the detected threat or event. (default: disabled).

    • Employee: Field containing the employee ID of the employee responsible for the detected event.

      When a threat is detected, an explanation request email is automatically sent to the employee mapped to the specified employee ID. In this case, make sure that employee information (employee ID, account, email) is configured under Policies > Employees.

    • Category: The classification of the explanation request. If necessary, additional categories can be configured under Response > Explanation > Categories.

    • Auditor: The secondary reviewer of the submitted explanation (if not set, defaults to "Department Head"). For more details about primary and secondary reviewers, refer to Explanations.

    • Due Date: The deadline for submitting an explanation (default: 7 days). After the deadline, the employee will no longer be able to submit an explanation.

    • Note: Additional information to include in the explanation request email. The input text will be inserted into the email/SMS template where the $user_note macro is located. If you insert field names defined in the log schema using the $FieldName macro format, the field values will be substituted in the message. You can view the additional notes in the detailed explanation view under Response > Explanations. (Up to 10,000 characters)

    Note
    To request an explanation, a field named "emp_key" is required. If this field does not exist, click **Query** in Step 5 and create an "emp_key" field by writing a query that maps user accounts or IP addresses to employee IDs.
  7. To issue a ticket upon event detection, configure the Advanced settings.

    Stream rule configuration 6

    • Ticket Category: Ticket category used to classify tickets during security operations (default: None).

      Note
      To automatically generate a ticket upon event detection, you must specify a ticket category. Ticket issuance can also be controlled within playbooks triggered by events; if you intend to control ticket creation within a playbook, do not set this option here.

    • Detect Duplicates on: Fields used to detect duplicate tickets, in macro format (e.g., $field_name) and separated by commas (,). Maximum length is 2,000 characters. If not specified, the Message string is used as the duplicate-detection criterion.

      Note
      For example, if Message is configured as "C&C Server Connection: $src_ip -> $dst_ip" but you want to prevent excessive ticket generation when the same host connects to different C&C servers, set the duplicate-detection key to `$src_ip`.

    • Detect Duplicates for: Duration during which duplicate events are ignored after a ticket is issued (default: 0, range: 0–86,400 seconds).

      • If set to 0: Behavior is determined by the Reassign Tickets for setting.
      • If set to a nonzero value: Duplicate events are ignored for the specified duration and are not included as supporting data in the ticket.

    • Reassign Tickets for: Duration during which no new ticket is created for recurring events; instead, supporting data and occurrence counts are added to the existing ticket (default: 3,600 seconds, range: 0–86,400 seconds).

      • If set to 0: A new ticket with the same title is created for each event occurrence.
      • If set to a nonzero value: Supporting data and occurrence counts are added to the existing ticket during the specified period.

    • Field Order: The order in which log data fields appear in the ticket's supporting data. Enter field names in the desired order, separated by commas (,). Maximum length is 2,000 characters. Special characters and pipe (|) symbols are not allowed.

    • On Closing Ticket: How to handle tickets after they are closed when Reassign Tickets for is enabled (default: Reset Ticket Timer).

      • Keep Ticket Timer: Even after a ticket is closed, if the same threat event occurs before the merge timer expires, supporting data and the occurrence count are added to the closed ticket.
      • Reset Ticket Timer: When a ticket is closed, the merge timer is treated as expired, and a new ticket is created for subsequent identical threat events.

  8. Click OK to finalize adding the stream rule. The stream rule becomes active immediately after creation.

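The following Python simulation is an added example, not Logpresso Sonar code, and shows how the Message macros and the Advanced settings above interact: $field/$field$ rendering, the Detect Duplicates on key, the Detect Duplicates for and Reassign Tickets for timers, and the two On Closing Ticket options. The exact timer semantics when both durations are nonzero (events are ignored while Detect Duplicates for runs, then merged until Reassign Tickets for expires, both measured from ticket creation), the class and function names, and the C&C connection events are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# $field or $field$ macro. \w also matches Korean letters, which is why the
# closing $ is required for such names: it marks where the field name ends.
MACRO = re.compile(r"\$(\w+)\$?")


def render_message(template: str, event: dict) -> str:
    """Substitute macros with values from the triggering log (unknown fields -> '')."""
    return MACRO.sub(lambda m: str(event.get(m.group(1), "")), template)[:2000]


@dataclass
class Ticket:
    subject: str
    key: str          # duplicate-detection key this ticket was opened under
    opened_at: int    # epoch seconds; both timers run from here (assumption)
    count: int = 1
    closed: bool = False
    evidence: list = field(default_factory=list)


class TicketMerger:
    """Assumed model of ticket duplicate detection and merging."""

    def __init__(self, message, dedup_fields=(), dedup_for=0, reassign_for=3600,
                 keep_timer_on_close=False):
        self.message = message                          # Message template
        self.dedup_fields = tuple(dedup_fields)         # Detect Duplicates on
        self.dedup_for = dedup_for                      # Detect Duplicates for (s)
        self.reassign_for = reassign_for                # Reassign Tickets for (s)
        self.keep_timer_on_close = keep_timer_on_close  # On Closing Ticket
        self.tickets = []
        self._by_key = {}

    def dedup_key(self, event):
        if self.dedup_fields:
            return "|".join(str(event.get(f, "")) for f in self.dedup_fields)
        return render_message(self.message, event)  # default: the rendered Message

    def on_event(self, event, now):
        """Return the ticket the event was filed under, or None if it was ignored."""
        key = self.dedup_key(event)
        ticket = self._by_key.get(key)
        if ticket is not None:
            age = now - ticket.opened_at
            if self.dedup_for and age < self.dedup_for:
                return None                       # ignored; no supporting data kept
            if self.reassign_for and age < self.reassign_for:
                ticket.count += 1                 # merged into the existing ticket
                ticket.evidence.append(event)
                return ticket
        ticket = Ticket(render_message(self.message, event), key, now, evidence=[event])
        self.tickets.append(ticket)
        self._by_key[key] = ticket
        return ticket

    def close(self, ticket):
        ticket.closed = True
        if not self.keep_timer_on_close:          # Reset Ticket Timer (default)
            self._by_key.pop(ticket.key, None)    # Keep Ticket Timer leaves it merging


# Constructed sample events (not real logs): one host reaching two C&C servers.
EVENTS = [
    (0,    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10"}),
    (10,   {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.11"}),
    (20,   {"src_ip": "10.0.0.6", "dst_ip": "203.0.113.10"}),
    (4000, {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10"}),  # after merge window
]
MESSAGE = "C&C Server Connection: $src_ip -> $dst_ip"


def run(dedup_fields=(), **settings):
    """Feed EVENTS through a merger with the given settings and return it."""
    merger = TicketMerger(MESSAGE, dedup_fields, **settings)
    for ts, ev in EVENTS:
        merger.on_event(ev, ts)
    return merger


if __name__ == "__main__":
    for m in (run(), run(("src_ip",))):
        print(len(m.tickets), [(t.subject, t.count) for t in m.tickets])
```

With the default message-based key the four events produce four tickets, because the second event has a different `dst_ip`; keying on `$src_ip` collapses the first two into one ticket with two pieces of supporting data, while the event at 4,000 seconds still opens a new ticket because the 3,600-second merge window has passed.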

Rules and Parameters by Field Type

Scenario Builder allows you to configure rule based on field types defined in the log schema. The available rules and parameters vary depending on the data type of each field, as described below.

STRING

| Rule | Parameter | Scope | Load | Description |
| --- | --- | --- | --- | --- |
| Matches target string | Target string | Maximum 255 characters | Low | Filters field values that match the target string. |
| Contains target string | Substring | Maximum 255 characters | Low | Filters field values containing the specified substring. |
| Detects signature pattern | Target signature pattern | Signature groups | Medium | Filters field values based on a signature pattern. |

BOOL

| Rule | Parameter | Scope | Load | Description |
| --- | --- | --- | --- | --- |
| True/False | Condition | True or False | Low | Filters field values based on true/false conditions. |

SHORT/INT/LONG/DOUBLE

| Rule | Parameter | Scope | Load | Description |
| --- | --- | --- | --- | --- |
| Equals | Target value | -9007199254740991 ~ 9007199254740991 | Low | Filters field values that match the specified value. |
| Is within the range of | Start, End | -9007199254740991 ~ 9007199254740991 | Low | Filters field values within the specified range. |
| Greater than | Target value | -9007199254740991 ~ 9007199254740991 | Low | Filters field values greater than the specified value. |
| Greater than or equals | Target value | -9007199254740991 ~ 9007199254740991 | Low | Filters field values greater than or equal to the specified value. |
| Less than | Target value | -9007199254740991 ~ 9007199254740991 | Low | Filters field values less than the specified value. |
| Less than or equals | Target value | -9007199254740991 ~ 9007199254740991 | Low | Filters field values less than or equal to the specified value. |

DATE

| Rule | Parameter | Scope | Load | Description |
| --- | --- | --- | --- | --- |
| Day | Selected days | Multi-select from Sun–Sat | Low | Filters data generated on the specified days. |
| Weekend | - | - | Low | Filters data generated on weekends. |
| Weekday | - | - | Low | Filters data generated on weekdays. |
| Time range | Start time, End time | 0 ~ 23 hours | Low | Filters data generated during the specified time range. |

COUNTRY

| Rule | Parameter | Scope | Load | Description |
| --- | --- | --- | --- | --- |
| Country code | Target country code | Select a country code. | Low | Filters field values that match the specified country code. |

PORT

| Rule | Parameter | Scope | Load | Description |
| --- | --- | --- | --- | --- |
| Port number | Target port number | 0 ~ 65535 | Low | Filters field values that match the specified port. |
| Is in port group | Target port group | Select from predefined port groups. | Low | Filters field values that belong to the specified port group. |

IP

| Rule | Parameter | Scope | Load | Description |
| --- | --- | --- | --- | --- |
| Matches IP address | Target IP | IPv4 address | Low | Filters field values matching the specified IP address. |
| Is included in network range | Target network range | Select network range. | Low | Filters field values included in the specified network range. |
| Is included in address group | Target address group | Select address group. | Low | Filters field values included in the specified address group. |
| Is listed in specific reputation DB | Reputation DB | Select threat intelligence source. | Medium | Filters field values listed in the specified reputation database. |
| Create event context by IP address | Event name, Timeout | Maximum 255 characters; 0 ~ 86400 (mon/h/m/s) | High | Creates an event context using the IP address as the key and registers it for tracking within the specified timeout period. |
| Correlate events by IP address | Event name | Maximum 255 characters | High | Searches for events related to the IP address registered in the specified event context. |
| Exceeds event threshold | Event name, Threshold | Maximum 255 characters; threshold 0 ~ 9007199254740991 | High | Filters IP addresses exceeding the specified event threshold. |
| Listed in any reputation DB | - | - | Medium | Filters field values that have appeared in any threat intelligence database. |
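The three High-load IP rules are stateful: they remember IP addresses across events rather than testing a single log line. The following Python is an added example, not Logpresso code, showing one plausible implementation of that state together with the ordered AND/NOT scenario evaluation described under Add Stream Rule: failed logins register an "auth_fail" context per source IP with a 300-second timeout, and a later success from an IP whose live context count exceeds the threshold, and which is not in a trusted address group, raises an alert. The expiry semantics, the `create_context` helper, the rule names, the trusted-admin address group and the authentication events are constructed assumptions.

```python
from collections import defaultdict


class EventContext:
    """Per-(event name, IP) registrations that expire after a timeout.
    Assumed semantics of the 'Create event context by IP address' rule."""

    def __init__(self):
        self._expiry = defaultdict(list)   # (name, ip) -> list of expiry timestamps

    def create(self, name, ip, now, timeout):
        self._expiry[(name, ip)].append(now + timeout)

    def count(self, name, ip, now):
        """Live registrations for this IP; expired ones are dropped on the way."""
        live = [t for t in self._expiry[(name, ip)] if t > now]
        self._expiry[(name, ip)] = live
        return len(live)

    def correlate(self, name, ip, now):
        """'Correlate events by IP address': is this IP currently tracked under name?"""
        return self.count(name, ip, now) > 0


class StreamRule:
    """Ordered scenario steps; evaluation stops at the first step that fails,
    so cheap field matches should come before stateful (High load) steps."""

    def __init__(self, name, steps, alert=True):
        self.name = name
        self.steps = steps   # list of (condition, predicate(event, ctx, now) -> bool)
        self.alert = alert   # context-only rules produce no alert (simplification)

    def matches(self, event, ctx, now):
        for condition, predicate in self.steps:
            hit = predicate(event, ctx, now)
            if (condition == "AND" and not hit) or (condition == "NOT" and hit):
                return False
        return True


def create_context(name, timeout):
    """Hypothetical helper standing in for the 'Create event context' rule."""
    def step(event, ctx, now):
        ctx.create(name, event["src_ip"], now, timeout)
        return True   # registering never blocks the rest of the scenario
    return step


TRUSTED_ADMINS = {"10.0.0.1"}   # constructed address group

RULES = [
    StreamRule("Failed login", [
        ("AND", lambda e, c, n: e.get("auth_result") == "failure"),
        ("AND", create_context("auth_fail", timeout=300)),
    ], alert=False),
    StreamRule("Brute force followed by success", [
        ("AND", lambda e, c, n: e.get("auth_result") == "success"),
        ("NOT", lambda e, c, n: e["src_ip"] in TRUSTED_ADMINS),
        # 'Exceeds event threshold' with threshold 2: more than two live failures
        ("AND", lambda e, c, n: c.count("auth_fail", e["src_ip"], n) > 2),
    ]),
]

# Constructed sample events (timestamp in seconds, normalized fields).
EVENTS = [
    (0,   {"src_ip": "198.51.100.7", "auth_result": "failure"}),
    (1,   {"src_ip": "198.51.100.7", "auth_result": "failure"}),
    (2,   {"src_ip": "198.51.100.7", "auth_result": "failure"}),
    (3,   {"src_ip": "198.51.100.7", "auth_result": "success"}),   # alert
    (100, {"src_ip": "192.0.2.9",    "auth_result": "failure"}),
    (101, {"src_ip": "192.0.2.9",    "auth_result": "success"}),   # below threshold
    (200, {"src_ip": "10.0.0.1",     "auth_result": "failure"}),
    (201, {"src_ip": "10.0.0.1",     "auth_result": "failure"}),
    (202, {"src_ip": "10.0.0.1",     "auth_result": "failure"}),
    (203, {"src_ip": "10.0.0.1",     "auth_result": "success"}),   # excluded by NOT
    (500, {"src_ip": "198.51.100.7", "auth_result": "success"}),   # contexts expired
]


def run_detection(events, rules):
    """Stream events through the rules in order; return (rule, ip, time) alerts."""
    ctx = EventContext()
    alerts = []
    for ts, ev in events:
        for rule in rules:
            if rule.matches(ev, ctx, ts) and rule.alert:
                alerts.append((rule.name, ev["src_ip"], ts))
    return alerts


if __name__ == "__main__":
    print(run_detection(EVENTS, RULES))
```

Only the success at second 3 alerts: the single failure from 192.0.2.9 is under the threshold, the trusted administrator is excluded by the NOT step before the expensive context lookup runs, and by second 500 the three registrations for 198.51.100.7 have passed their 300-second timeout.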

MD5/SHA1/SHA256

| Rule | Parameter | Scope | Load | Description |
| --- | --- | --- | --- | --- |
| Matches hash value | Hash | Maximum 255 characters | Low | Filters field values matching the specified hash. |
| Listed in reputation DB | - | - | Medium | Filters field values appearing in any reputation database. |
| Listed in specific reputation DB | Reputation DB | Select threat intelligence source. | Medium | Filters field values listed in the specified reputation database. |

URL

| Rule | Parameter | Scope | Load | Description |
| --- | --- | --- | --- | --- |
| Listed in reputation DB | - | - | Medium | Filters field values appearing in any reputation database. |
| Listed in specific reputation DB | Reputation DB | Select threat intelligence source. | Medium | Filters field values listed in the specified reputation database. |

DOMAIN

| Rule | Parameter | Scope | Load | Description |
| --- | --- | --- | --- | --- |
| Matches domain | Target string | Maximum 255 characters | Low | Filters field values matching the specified string. |
| Listed in reputation DB | - | - | Medium | Filters field values appearing in any reputation database. |
| Listed in specific reputation DB | Reputation DB | Select threat intelligence source. | Medium | Filters field values listed in the specified reputation database. |

Others (e.g., BLOB)

| Rule | Parameter | Scope | Load | Description |
| --- | --- | --- | --- | --- |
| Others | Behavior profile detection | Select behavior profile. | Low | Filters field values matching a behavior profile key field. |

Duplicate Stream Rule

To duplicate an existing stream rule:

  1. In the list of stream rules, select the checkbox for the rule you want to duplicate.
  2. The action menu appears in the toolbar. Click Duplicate.
  3. In the Duplicate Stream Rule dialog, review the selected rules and click Duplicate. To cancel, click Cancel.
    • The duplicated rule is added in a disabled state with the name "Copy of [Original Rule Name]".

Edit Stream Rule

To edit a stream rule:

  1. In the list of stream rules, click the name of the stream rule you want to edit.
  2. In the Edit Stream Rule screen, update the information, then click OK. For descriptions of the editable properties, refer to Add Stream Rule.

Delete Stream Rule

To delete a stream rule:

  1. In the list of stream rules, select the checkbox for the rule you want to delete.
  2. The action menu appears in the toolbar. Click Delete.
  3. In the Delete Stream Rule dialog box, review the selected rules and click Delete. To cancel, click Cancel.

Rule Categories

Rule categories are used to manage detected events based on attack types. You can define a category when adding a rule. The default categories are based on the MITRE ATT&CK matrix.

| Category | MITRE ATT&CK Tactic |
| --- | --- |
| Initial Access | Initial Access |
| Execution | Execution |
| Persistence | Persistence |
| Privilege Escalation | Privilege Escalation |
| Defense Evasion | Defense Evasion |
| Credential Access | Credential Access |
| Discovery | Discovery |
| Lateral Movement | Lateral Movement |
| Collection | Collection |
| C&C | Command and Control |
| Exfiltration | Exfiltration |
| Impact | Impact |
| Reconnaissance | Reconnaissance |

To add/edit/delete rule categories, go to Policies > Stream Rules or Policies > Batch Rules, then click Categories in the toolbar.

Rule Categories

  • Category: Name of the rule category
  • Description: Detailed description of the rule category
  • Modified At: Date and time the category was last modified

Add Rule Category

To add a rule category:

  1. In the Manage Categories window, click Add.

  2. In the New Rule Category page, enter the category details and click OK.

    Add rule category

    • Name: Unique name of the rule category (up to 50 characters)
    • Description: Detailed description of the rule category (up to 1,000 characters)

Edit Rule Category

To edit a rule category:

  1. In the Manage Categories window, click the name of the category you want to edit.
  2. In the Edit Rule Category page, update the details and click OK.

Delete Rule Category

To delete a rule category:

  1. In the Manage Categories page, select the checkbox for the category you want to delete.
  2. In the toolbar, click Delete.
  3. In the Delete Rule Category dialog box, review the selected categories and click Delete. To cancel, click Cancel.