Processor Modes and Rule Actions

Andreas Schade edited this page Aug 9, 2021 · 5 revisions

Current situation

Sf-processor provides two options to control rule-driven filtering, record tagging and alert generation. The first parameter is the policy engine mode, which is set in the processor pipeline specification. The second parameter is the rule action, which can be set individually for each rule.

The policy file of the policy engine can contain two different types of rules:

  • Rules (action rules) allow augmenting records with additional attributes (tagging). The enrichment takes place if the current event matches the condition part of the rule. Action rules can also be used for generating alerts.
  • Filters specify conditions for suppressing events. This means that only records that do not match any filter are pushed upstream. If the policy file contains both rules and filters, the filters are evaluated first.

The policy engine mode currently allows three possible values:

  • bypass means not to apply any policy
  • filter means to only apply filter rules
  • alert means to also apply action rules for alert generation or tagging

The rule action parameter currently allows three different values, alert, tag, or hash, or combinations thereof. It serves only as a placeholder for future implementations, since the current implementation ignores the action parameter.

Proposal

The current implementation must be improved in several aspects:

  1. Distinguish tagging behavior (enrichment of all events) from alert generation (passing on only events that match rules).
  2. Use action parameters to override the policy engine mode for a particular rule.
  3. Enable hash computation of the process executable for particular events.

Policy engine modes

Bypass mode will be dropped and replaced by a new plugin that directly connects the sysflowreader with an exporter. In this case it is no longer necessary to specify a policy engine. The following modes will be supported:

Mode           Description
tag (default)  Apply filters and rules. Enrich (tag) events that match the condition of an action rule with the rule's tags attribute. Pass on all other events unchanged.
alert          Apply filters and rules. Full enrichment of events that match the condition of an action rule with tags, policy name and description, and severity. Suppress all other events.
filter         Apply only filters and ignore rules.

Rule actions

Action values specified for a particular rule take precedence over the general policy engine mode. There are only two allowed, mutually exclusive values: tag or alert.

Action value   Description
tag (default)  Enrich matching events with policy tags.
alert          Full enrichment of matching events with policy tags, name, description, and severity.

The rule's severity parameter is only used if either the rule action is alert, or the policy engine is in alert mode and the rule does not override.

Hashes

Sysflow can compute hash values of the process executable of the current event using different algorithms. This feature is orthogonal to the enrichment value specified by the rule's action. Hash computation is enabled by adding a hash parameter to a rule. The requested hashes can be specified as a list of hash algorithms such as md5 or sha1.
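The interaction of engine mode, per-rule action and the hash parameter described in the sections above, as an added Python model; this is not sf-processor code. The record layout, the read_exe hook used to fetch executable bytes, and the choice that events matching no rule follow the engine mode even when some rule overrides its action are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Filter:                  # filter rule: a match suppresses the record
    name: str
    condition: object          # callable(event) -> bool

@dataclass
class Rule:                    # action rule: a match enriches the record
    name: str
    desc: str
    condition: object          # callable(event) -> bool
    tags: list
    severity: str = "low"
    action: str = ""           # "tag" | "alert" | "" (inherit engine mode)
    hash: list = field(default_factory=list)   # e.g. ["md5", "sha1"]

def _read_file(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()

def apply_policy(event: dict, filters, rules, mode: str, read_exe=_read_file):
    """Return None when the record is suppressed, else a (possibly enriched)
    copy. mode is the policy engine mode: "tag", "alert" or "filter"."""
    if mode not in ("tag", "alert", "filter"):
        raise ValueError(f"unknown policy engine mode: {mode}")
    # Filters are evaluated first: any match suppresses the record outright.
    if any(f.condition(event) for f in filters):
        return None
    if mode == "filter":       # filter mode ignores action rules entirely
        return event
    matched = [r for r in rules if r.condition(event)]
    if not matched:            # alert mode passes on only rule matches
        return None if mode == "alert" else event
    out = dict(event)          # never mutate the caller's record
    for r in matched:
        effective = r.action or mode      # rule action overrides engine mode
        out.setdefault("tags", [])
        out["tags"] += [t for t in r.tags if t not in out["tags"]]
        if effective == "alert":          # full enrichment, severity included
            out.setdefault("policies", []).append(
                {"name": r.name, "desc": r.desc, "severity": r.severity})
        if r.hash:                        # orthogonal to the tag/alert choice
            data = read_exe(event["exe"])
            out.setdefault("hashes", {}).update(
                {a: hashlib.new(a, data).hexdigest() for a in r.hash})
    return out
```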
