Processor Modes and Rule Actions
sf-processor provides two options to control rule-driven filtering, record tagging and alert generation. The first parameter is the policy engine `mode`, which is set in the processor pipeline specification. The second parameter is the rule `action`, which can be set individually for each rule.
The policy file of the policy engine can contain two different types of rules:
- Action rules allow augmenting records with additional attributes (tagging). The enrichment takes place if the current event matches the condition part of the rule. Action rules can also be used for generating alerts.
- Filters specify conditions for suppressing events. This means that only records that do not match any filter are pushed upstream. If the policy file contains both action rules and filters, the filters are evaluated first.
The policy engine mode currently allows three possible values:
- `bypass` means not to apply any policy
- `filter` means to only apply filter rules
- `alert` means to also apply action rules for alert generation or tagging
The rule action parameter currently allows three different values, `alert`, `tag`, or `hash`, or combinations thereof. It serves only as a placeholder for future implementations, since the current implementation ignores the action parameter.
The current implementation must be improved in several aspects:
- Distinguish tagging behavior (enrichment of all events) from alert generation (passing on only events that match rules).
- Use action parameters to override the policy engine mode for a particular rule.
- Enable hash computation of the process executable for particular events.
`bypass` mode will be dropped and replaced by a new plugin that directly connects the sysflowreader with an exporter. In this case it is no longer necessary to specify a policy engine. The following modes will be supported:
Mode | Description
---|---
`tag` (default) | Apply filters and rules. Enrich (tag) events that match the condition of an action rule with the rule's `tags` attribute. Pass on all other events unchanged.
`alert` | Apply filters and rules. Full enrichment of events that match the condition of an action rule with tags, policy name and description, and severity. Suppress all other events.
`filter` | Apply only filters and ignore rules.
Action values specified for a particular rule take precedence over the general policy engine mode. There are only two allowed, mutually exclusive values, `tag` or `alert`.
Action value | Description
---|---
`tag` (default) | Enrich matching events with policy tags.
`alert` | Full enrichment of matching events with policy tags, name, description, and severity.
The rule's `severity` parameter is only used if either the rule action is `alert`, or the policy engine is in `alert` mode and the rule does not override it.
SysFlow can compute hash values of the process executable of the current event using different algorithms. This feature is orthogonal to the enrichment value specified by the rule's action. Hash computation is enabled by adding a `hash` parameter to a rule. The requested hashes can be specified as a list of hash algorithms such as `md5` or `sha1`.
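The evaluation order and precedence described above (filters first, then the engine mode with per-rule `action` overrides, `severity` included only for alert-level enrichment, and the optional `hash` parameter), worked through as an added Python model. This is illustrative code written for this page, not sf-processor's implementation: the record layout, the `exe_bytes` field standing in for the executable's contents, the sample policy, and the reading that `alert` mode suppresses exactly those records matched by no action rule are all assumptions of the example.

```python
"""Model of the policy-engine semantics described on this page.

Illustrative only, not sf-processor code: records are plain dicts, rule
conditions are Python callables, and "exe_bytes" stands in for the bytes of
the process executable (assumption of this model).
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional

MODES = ("tag", "alert", "filter")    # engine modes listed on the page
ACTIONS = ("tag", "alert")            # per-rule action values listed on the page


@dataclass
class Filter:
    name: str
    condition: Callable[[dict], bool]


@dataclass
class Rule:
    name: str
    desc: str
    condition: Callable[[dict], bool]
    tags: list
    severity: str = "low"
    action: Optional[str] = None              # None: inherit the engine mode
    hash: list = field(default_factory=list)  # e.g. ["md5", "sha1"]


def evaluate(record: dict, filters: list, rules: list, mode: str) -> Optional[dict]:
    """Return the (possibly enriched) record, or None if it is suppressed."""
    if mode not in MODES:
        raise ValueError(f"unknown policy engine mode: {mode}")
    # Filters are always evaluated first: any match drops the record.
    if any(f.condition(record) for f in filters):
        return None
    if mode == "filter":
        return record                         # rules are ignored in filter mode
    out = dict(record)
    matched = False
    for rule in rules:
        if rule.action is not None and rule.action not in ACTIONS:
            raise ValueError(f"rule {rule.name}: unknown action {rule.action}")
        if not rule.condition(out):
            continue
        matched = True
        level = rule.action or mode           # rule action overrides engine mode
        tags = out.setdefault("tags", [])
        for t in rule.tags:                   # plain tagging, de-duplicated
            if t not in tags:
                tags.append(t)
        if level == "alert":
            # Full enrichment: policy name, description and severity as well.
            out.setdefault("policies", []).append(
                {"name": rule.name, "desc": rule.desc, "severity": rule.severity})
        if rule.hash:
            # Hashing is orthogonal to tag/alert and keyed by algorithm name.
            exe = out.get("exe_bytes", b"")
            hashes = out.setdefault("hashes", {})
            for algo in rule.hash:
                hashes[algo] = hashlib.new(algo, exe).hexdigest()
    if mode == "alert" and not matched:
        return None                           # alert mode suppresses non-matching events
    return out


# Constructed sample policy and records (not real SysFlow data).
FILTERS = [Filter("drop_noise", lambda r: r.get("user") == "noise")]
RULES = [
    Rule("shell_exec", "Interactive shell started",
         lambda r: r["op"] == "EXEC" and r["proc"].endswith("/bash"),
         tags=["shell"], severity="medium", hash=["md5", "sha1"]),
    Rule("netcat_exec", "netcat executed",
         lambda r: r["op"] == "EXEC" and r["proc"].endswith("/nc"),
         tags=["net"], severity="high", action="alert"),  # overrides engine mode
]
RECORDS = [
    {"proc": "/usr/bin/bash", "op": "EXEC", "exe_bytes": b"abc"},
    {"proc": "/usr/bin/ls", "op": "EXEC"},
    {"proc": "/usr/bin/nc", "op": "EXEC"},
    {"proc": "/usr/bin/curl", "op": "EXEC", "user": "noise"},
]


def run(mode: str) -> list:
    """Evaluate every sample record in the given mode, dropping suppressed ones."""
    return [out for r in RECORDS
            if (out := evaluate(r, FILTERS, RULES, mode)) is not None]


if __name__ == "__main__":
    for m in MODES:
        print(m, run(m))
```

Running the model in each mode shows the precedence rules in action: in `tag` mode the `bash` record is only tagged and hashed, while the `nc` record gets full enrichment because its rule sets `action: alert`; in `alert` mode the unmatched `ls` record disappears; in `filter` mode nothing is enriched and only the filtered `curl` record is dropped.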