Detection of a behavior preceded or followed by an event type

Hello everybody,

I have a question about rule creation. Is it possible to have rules with these conditions, and if yes, how?

  • More than 40 events with event.action:"block" from the same IP address followed or preceded by event.action:"autorized"

Best regards,

There are two ways that come to mind, both use EQL sequences:

  1. Create a building block rule plus a sequence of two events:

First, create a building block rule to look for >= 40 events with event.action: "block".

Then, create an EQL sequence rule that looks for a sequence of your building block alert, followed by authorized:

```eql
sequence by source.ip
  [ any where rule.name : "your building block rule" and ... ]
  [ any where event.action == "authorized" ]
```

  2. Create a single EQL sequence for everything. You'll want to make it more specific than what I have below, but it's a start.

```eql
sequence by source.ip
  [ any where event.action == "block" ]  // 1
  [ any where event.action == "block" ]  // 2
  // ...
  [ any where event.action == "block" ]  // 39
  [ any where event.action == "block" ]  // 40
  [ any where event.action == "authorized" ]
```

We are actively talking about new syntax to make it easier to write the 40 repetitive terms, so I would expect this to get easier to write in the future.
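The expanded form of the second option can be generated instead of typed by hand. The script below is an added example, not code from this thread or from Elastic; it emits the 40-term sequence in either order (blocks followed by, or preceded by, the single event). The function and parameter names are hypothetical, and the optional `maxspan` value is an assumption about how tightly you want to bound the sequence in time.

```python
import re


def eql_string(value: str) -> str:
    """Quote a value as an EQL string literal (escape backslashes and quotes)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_sequence(threshold=40, order="followed", join_field="source.ip",
                   repeated="block", single="authorized", maxspan=None):
    """Return the expanded EQL sequence text.

    order="followed": `threshold` repeated events, then the single event.
    order="preceded": the single event first, then `threshold` repeated events.
    All parameter names are hypothetical; adjust the values to your own data.
    """
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    if order not in ("followed", "preceded"):
        raise ValueError("order must be 'followed' or 'preceded'")
    # Only plain dotted field names, so the join key cannot smuggle in query text.
    if not re.fullmatch(r"[A-Za-z_][\w.]*", join_field):
        raise ValueError("join_field must be a plain field name")

    head = f"sequence by {join_field}"
    if maxspan is not None:
        # Assumed time bound, e.g. "5m"; omit to leave the sequence unbounded.
        if not re.fullmatch(r"\d+(ms|s|m|h|d)", maxspan):
            raise ValueError("maxspan must look like 30s, 5m, 1h")
        head += f" with maxspan={maxspan}"

    rep = [f"  [ any where event.action == {eql_string(repeated)} ]  // {i}"
           for i in range(1, threshold + 1)]
    one = f"  [ any where event.action == {eql_string(single)} ]"
    body = rep + [one] if order == "followed" else [one] + rep
    return "\n".join([head] + body)


if __name__ == "__main__":
    # Print both variants so each can be pasted into its own rule.
    print(build_sequence(order="followed"))
    print()
    print(build_sequence(order="preceded"))
```

Because a sequence is ordered, the "followed by" and "preceded by" cases are two separate queries.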