Building block rules/use case

Hi,

I am trying to understand the building block rules. Should we be able to create a rule that triggers if multiple building block rules trigger? If so how would I go about it?

Thanks
Phil

I should add that so far i have used it to create multiple rules with a the prefix to the rule name then add a threshold rule with a query of signal.rule.name:prefix*
then look for host.name =>2

Although building block rules are still appearing in detections when triggered despite the additional filter not been ticked. signal.rule.building_block_type: default withing the events

im on 7.9.2.

Thanks

Hey there @probson !

For your first issue of seeing the building block alerts in the UI - are you on the main detections page or on the rule details page? By default Include building block alert is not checked in the main page, but is checked on the Rule Details page. I'm not sure if you are part of the Elastic Stack Community slack group? This thread could prove helpful.

You can indeed create a rule that triggers if multiple building block rules are triggered. When a rule is marked as a building block the building_block_type field set to the value default. From one of our blogs, it notes:

"You could, for example, use two building block rules — one configured to alert on abnormally high web server logins and the other configured to spot out-of-schedule maintenance activity on a database server — as inputs for a rule generating alerts that are more likely to merit analyst attention."

The example you gave of what you are doing in your second post seems about right. Has that been working for you?

Also, have you looked into EQL at all? I'm not familiar with your exact use case, but it could also be what you are looking for.

Best,
Yara

@yctercero

I was in the main detections page, i do not use slack but will check out the thread.

The example has worked for us, did not know if I was missing anything else.

I have not had a chance to look at EQL yet but with the upcoming changes i need to spend some time with it. The use case is mainly based around detections and KQL at the moment.

Thanks

The community slack is another great place to ask questions.

In the meantime though, I'm curious, if you fetch the mappings for you .siem-signals index what does it show for building_block_type? If you're unsure how to do that, you can check the mapping by going into the dev tools and running:

GET /.siem-signals-[YOUR SPACE OR DEFAULT]/_mapping

You should see it mapped to be "keyword". Is this what you see?

Hi,

I have checked and it is keyword.

Thanks

In fact thats for my cloud instance, i was testing building block with on prem. Will test building block in the cloud tomorrow and get back to you. Both are 7.9.2.

Thanks

@yctercero
Hi,

My on-prem setup does not have building_block_type in the template. This setup has been upgraded since around 7.2. We use logstash and occasionally point filebeat at kibana to update some of the dashboards and metricbeat to update that template.

The cloud solution was built straight to 7.9.2, this does have the keyword and tested this morning and the alert was not visible in the main detections UI.

Thanks