Alert

Rule Management

This section provides information about the use of Alert notifications in the Logger software.

What Is the Alert Module? 🤷‍♂️

The Alert module is the real-time threat detection and warning component of the network SIEM system. It analyzes multi-source log data with a rule-based detection engine and detects security events according to predefined rules.

Rule Management 👨‍💼

Rule Categories 🏷️

The Alert module uses a rule structure categorized by security scenario:

  • Network Security: Network anomaly and attack pattern detection
  • Data Leakage Prevention: Data leakage and unauthorized data transfer detection
  • Insider Threats: Insider threat and reconnaissance activity detection
  • Authentication & Access: Authentication anomaly and privilege escalation detection
  • Malware & Threats: Malware communication and suspicious process detection
  • Custom Rule: You can create categories manually

Rule Status

Rules can exist in three basic states:

  • Active: Rule is actively monitoring
  • Inactive: Rule is defined but not running
  • Template: Ready-made template, ready to customize

Template System 📌

The template system provides a collection of ready-made rules that reflect the security community's best practices. Each template:

  • Is optimized for a vendor-specific log format
  • Comes with pre-configured risk scoring
  • Includes production-ready detection logic
  • Is ready for immediate deployment

Template Examples ✍️

  • AnomalousAPI: Detects API abuse patterns. Captures excessive API call frequency, unusual endpoint access and potential scraping activities
  • ConsistentBeaconing: Detects regular network connectivity patterns that indicate malware command and control communications
  • ExcessiveFileDownloads: Monitors data hoarding and unauthorized bulk data collection activities

Custom Rule Engine 🔧

The custom rule engine offers a comprehensive configuration interface for flexible rule creation.

Rule Components 🔩

  • Basic Configuration: The basic definition consists of the rule name, description and source selection. Source selection determines which vendor log flows are analyzed.
  • Risk Scoring: Dynamic scoring from 1 to 10. The score determines alert priority and response strategy.
  • Column Filters: Multi-condition filtering system. Complex condition sets can be built with logical operators.
  • Aggregation Operations: Time-window-based calculations. Trend analysis is done with operations such as count, sum and average.

Filter System 🌪️

The filter engine uses field-based conditional logic:

  • Equal/Inequal: Exact match conditions
  • Includes/Excludes: Pattern matching
  • Empty/Not Empty: Field presence validation
  • Bigger/Smaller: Numerical comparisons

Multiple filters can be combined with AND/OR logic.

Aggregation Engine 🔗

The aggregation engine performs time-series analysis with:

  • Time Windows: Configurable analysis periods
  • Totalizer Functions: Count, sum, average, min, max operations
  • Grouping Fields: Field-based grouping for event categorization
  • Threshold Conditions: Numerical thresholds for trigger points

Alert Processing❗

The alert processing pipeline operates in three stages:

  1. Event Retrieval: Multi-source log collection and normalization
  2. Rule Evaluation: Real-time rule matching and condition checking
  3. Alert Generation: Risk scoring and notification triggering

The processing engine uses in-memory operations for low latency and can handle high throughput log volumes.

Use Cases ✍️

Network Anomaly Detection: Detects unusual traffic patterns, port scanning, lateral movement activities.
Data Loss Prevention: Monitors excessive file downloads, unauthorized data access, bulk data transfer patterns.
Insider Threat Detection: Captures privilege escalation, reconnaissance activities, off-hours access patterns.
Compliance Monitoring: Provides audit trail generation and violation detection for regulatory requirements.

How To Use ? 🤔

To create a rule on the Alert page, go to Alert > Rule Management.

Create Custom Rule

Follow the steps below to create a custom rule:

  • Go to Create New > Create Custom > Custom Rule, then click the Add button.
  • Enter a name and description for the rule, then make sure the rule is in the Active state.
  • Select your data source in the Sources section and choose the risk score at the bottom.
  • In the Column Filters section, select a column, then an operator, and enter the value appropriate for this scenario.
  • In the Aggregate Operations section, enter an Aggregator Name, then select the Field and the Operation appropriate for that Field. Finally, select the Time Window duration appropriate for this scenario.
  • Finally, click the Add button in the top right corner to save the rule.

For example: in this example, the alert system generates an alarm if there are failed SSH attempts within 60 seconds.

Column Filters

Aggregate Operations
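As an added, self-contained example (not Logger's own code), the block below models the Filter System, the Aggregation Engine and the three-stage Alert Processing pipeline described in this section, then runs the failed-SSH rule from the example above over constructed sample events. The operator and totalizer names follow the page; the event field names, the threshold of five failures per source IP, and the mapping of risk score to priority are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Any, Callable

# Filter operators named in the Filter System section (Equal/Inequal,
# Includes/Excludes, Empty/Not Empty, Bigger/Smaller). Missing fields never
# satisfy a positive condition, so a log line lacking the column cannot match.
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "equal":     lambda v, x: v == x,
    "inequal":   lambda v, x: v != x,
    "includes":  lambda v, x: v is not None and str(x) in str(v),
    "excludes":  lambda v, x: v is None or str(x) not in str(v),
    "empty":     lambda v, x: v in (None, ""),
    "not_empty": lambda v, x: v not in (None, ""),
    "bigger":    lambda v, x: v is not None and v > x,
    "smaller":   lambda v, x: v is not None and v < x,
}

# Totalizer functions named in the Aggregation Engine section.
TOTALIZERS: dict[str, Callable[[list], float]] = {
    "count":   len,
    "sum":     sum,
    "average": lambda xs: sum(xs) / len(xs),
    "min":     min,
    "max":     max,
}

@dataclass
class Filter:
    column: str
    operator: str
    value: Any = None

    def matches(self, event: dict) -> bool:
        return OPERATORS[self.operator](event.get(self.column), self.value)

def apply_filters(filters: list, logic: str, event: dict) -> bool:
    """Combine column filters with AND/OR logic."""
    results = [f.matches(event) for f in filters]
    return all(results) if logic == "AND" else any(results)

@dataclass
class Aggregation:
    name: str          # Aggregator Name
    field: str         # Field the operation is applied to
    operation: str     # count, sum, average, min or max
    time_window: int   # seconds
    group_by: str      # Grouping Field
    threshold: float   # Threshold Condition (trigger point)

@dataclass
class Rule:
    name: str
    source: str
    risk_score: int    # 1 to 10
    filters: list
    filter_logic: str  # "AND" or "OR"
    aggregation: Aggregation

def priority(score: int) -> str:
    # Assumed bands; the page says the score sets priority but gives no cut-offs.
    return "critical" if score >= 9 else "high" if score >= 7 else "medium" if score >= 4 else "low"

def evaluate_rule(rule: Rule, events: list) -> list:
    """Three-stage pipeline: event retrieval, rule evaluation, alert generation."""
    # Stage 1: retrieve only the rule's selected source, in time order.
    retrieved = sorted((e for e in events if e.get("source") == rule.source), key=lambda e: e["ts"])
    # Stage 2: column filters, then a sliding time window per grouping value.
    agg = rule.aggregation
    windows: dict = defaultdict(deque)
    alerts = []
    for ev in retrieved:
        if not apply_filters(rule.filters, rule.filter_logic, ev):
            continue
        window = windows[ev.get(agg.group_by)]
        window.append(ev)
        while ev["ts"] - window[0]["ts"] > agg.time_window:   # expire old events
            window.popleft()
        sample = list(window) if agg.operation == "count" else [e[agg.field] for e in window]
        value = TOTALIZERS[agg.operation](sample)
        if value >= agg.threshold:
            # Stage 3: alert generation with risk score and priority. Notification
            # is left to the notification policy, as the document describes.
            alerts.append({"rule": rule.name, "aggregator": agg.name, "group": ev.get(agg.group_by),
                           "value": value, "first_ts": window[0]["ts"], "last_ts": ev["ts"],
                           "risk_score": rule.risk_score, "priority": priority(rule.risk_score)})
            window.clear()   # one burst yields one alert rather than one per extra event
    return alerts

# Constructed sample events (not real log data); ts is seconds from an arbitrary start.
SAMPLE_EVENTS = [
    {"ts": 0,   "source": "linux-auth", "event": "sshd", "status": "failed",   "src_ip": "203.0.113.7"},
    {"ts": 10,  "source": "linux-auth", "event": "sshd", "status": "failed",   "src_ip": "203.0.113.7"},
    {"ts": 15,  "source": "linux-auth", "event": "sshd", "status": "failed",   "src_ip": "198.51.100.2"},
    {"ts": 20,  "source": "linux-auth", "event": "sshd", "status": "failed",   "src_ip": "203.0.113.7"},
    {"ts": 25,  "source": "linux-auth", "event": "sshd", "status": "accepted", "src_ip": "203.0.113.7"},
    {"ts": 30,  "source": "linux-auth", "event": "sshd", "status": "failed",   "src_ip": "203.0.113.7"},
    {"ts": 40,  "source": "linux-auth", "event": "sshd", "status": "failed",   "src_ip": "203.0.113.7"},
    {"ts": 50,  "source": "firewall",   "event": "deny", "status": "failed",   "src_ip": "203.0.113.7"},
    {"ts": 100, "source": "linux-auth", "event": "sshd", "status": "failed",   "src_ip": "198.51.100.2"},
]

# The custom rule from the example above: failed SSH attempts within 60 seconds.
SSH_FAILURE_RULE = Rule(
    name="Failed SSH attempts", source="linux-auth", risk_score=7,
    filters=[Filter("event", "equal", "sshd"), Filter("status", "equal", "failed")],
    filter_logic="AND",
    aggregation=Aggregation(name="ssh_failures", field="src_ip", operation="count",
                            time_window=60, group_by="src_ip", threshold=5),
)

def run_example() -> list:
    return evaluate_rule(SSH_FAILURE_RULE, SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Only 203.0.113.7 produces an alert: its five failures between ts 0 and ts 40 fall inside one 60-second window (the accepted login at ts 25 is removed by the status filter, and the firewall event is never retrieved because the rule's source is linux-auth), while 198.51.100.2 has two failures 85 seconds apart and never reaches the threshold.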

Create From Template

Follow the steps below to create a new rule from a ready-made template:

  • Go to Create New > Create from template. The Rule Templates page opens. Select the template you need on this page and click the Add button.
  • The predefined rule template appears in detail. You can edit it on this page if you want, or leave it at its defaults, then click the Add button.

After finishing the rule definitions in the Alert module, you need to bind the alerts to a policy in the Notification Policy section. See the notification policy document for these operations.