Getting to Know Chronicle: Building a Multi Event Rule - Joining Events

In this post, we’re going to build a multi event rule in Chronicle SIEM that can be used to join disparate events together, and will serve as a foundation for more advanced multi event rule concepts that we will explore in future posts.

[Image: Building Multi Event Rule - Join Events]

In previous videos, we have touched on aggregating events in a rule, but this time we are going to take different types of events and connect them together.

Multi event rules leverage capabilities that we've previously covered in earlier videos, including regular expressions, string matches, condition thresholds and more. Unlike some single event rules, the match section is always required in a multi event rule, so there will always be four sections: meta, events, match and condition.

To build a detection using multiple events, we need to join events together. These joins occur in the event section and can use either placeholder variables or UDM field names.

Finally, the condition section will need to contain references to every event contained in the event section. For our first multi event rule, we will use event variables for each set of criteria in the event section.

Follow along in the video below to see how to build a multi event rule with joins.

Remember when building multi event rules that the match section, in addition to the meta, events and condition sections, is mandatory. UDM fields and placeholder variables can be used in the events section to join like fields together, and each type of event being evaluated has its own event variable. These event variables end up in the condition section separated by the word AND.
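To make the four-section structure concrete, here is an added example of a YARA-L 2.0 multi event rule; it is not the rule built in the video, and the detection it expresses (an allowed interactive login followed by a remote-admin tool launching on the same host under the same account within an hour) is a constructed scenario using standard UDM field names. It joins the two event variables both ways the post describes: `$hostname` is a placeholder variable that also drives the match section, while the user join is written directly with UDM field names.

```yaral
rule login_followed_by_remote_admin_tool {
  meta:
    author = "added example, not from the original post"
    description = "Allowed login and a remote-admin tool launch on the same host by the same user within 1h"
    severity = "Medium"

  events:
    // First event variable: an allowed user login. $hostname is a
    // placeholder variable shared with the second event and the match section.
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "ALLOW"
    $login.principal.hostname = $hostname

    // Second event variable: a process launch on the same host.
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname = $hostname

    // Join on the user with UDM field names directly (no placeholder needed).
    $login.target.user.userid = $proc.principal.user.userid

    // Constructed pattern for illustration; tune to your environment.
    re.regex($proc.target.process.command_line, `(?i)\bpsexec\b`)

  match:
    // Mandatory in a multi event rule: group correlated events per host over a window.
    $hostname over 1h

  condition:
    // Every event variable from the events section must appear here, joined by AND.
    $login and $proc
}
```

Because the match window is one hour, the rule only fires when both event types occur for the same `$hostname` inside that window; a threshold such as `#proc > 1` could replace `$proc` in the condition if repeated launches are the signal of interest.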

[Image: Building Multi Event Rule - Join Events (1)]

Check out these additional resources with more information and learning opportunities:

Last update: 11-15-2023 02:21 PM