We're happy to announce that now when you create custom insights, you can select an option to generate insights only on those signals defined in your custom insight. Any additional signals related to the applicable entity are excluded. This allows you to generate insights for an immediate and targeted response.
docs/cse/records-signals-entities-insights/configure-custom-insight.md (36 additions & 17 deletions)
@@ -16,39 +16,58 @@ This topic has instructions for defining a custom insight, which is a configura
16
16
17
17
## Ways to define a custom insight
18
18
19
-
There are two ways you can define a custom insight. You can specify that the insight should be generated each time:
19
+
When you create a custom insight, the following field appears on the creation dialog:
20
+
21
+
<img src={useBaseUrl('img/cse/ways-to-define-custom-insight.png')} alt="Ways to define a custom insight" style={{border: '1px solid gray'}} width="300"/>
22
+
23
+
This lets you choose how you want to define a custom insight. You can specify that the insight should be generated each time:
20
24
21
-
* One or more selected rules fire a signal.
22
25
* Signals whose name matches a specified wildcard expression are fired.
26
+
* One or more selected rules fire a signal.
27
+
28
+
Which method should you use? The difference is whether you’re going to create an insight based on the name of the signal that was fired, or based on the name of the rule that fired the signal.
29
+
30
+
Typically, signals that a rule generates have the same name as the rule. That is not the case with Cloud SIEM’s normalized rules. That’s because normalized rules, for example [normalized threat rules](/docs/cse/rules/normalized-threat-rules/), are written to work with multiple data sources. The names of the signals that a normalized rule fires vary by data source. So, if you want your custom insight configuration to generate insights for signals fired by normalized rules, you should base it on signal names, rather than rule names.
31
+
32
+
## When are custom insights generated?
33
+
34
+
### For each involved entity
35
+
36
+
By default, when the conditions of a custom insight configuration are met during the currently configured [detection window](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/), an insight is generated for *each entity* involved. In other words, if each of the signals in a custom insight configuration fire on different entities, a separate insight is created for each entity. The generated insights will include both the signals that triggered them and any related signals.
37
+
38
+
### For only signals defined in the custom insight
39
+
40
+
The default way of generating an insight for each entity may result in custom insights containing more signals than you want. Rather than the summation of all signals attached to entities, perhaps you'd like to have those signals trigger insights directly for an immediate and targeted response.
23
41
24
-
Which method should you use? The difference is whether you’re going to create an insight based on the name of the rule that fired the signal, or based on the name of the signal that was fired. Typically, signals that a rule generates have the same name as the rule. That is not the case with Cloud SIEM’s normalized rules. That’s because normalized rules, for example [normalized threat rules](/docs/cse/rules/normalized-threat-rules/), are written to work with multiple data sources. The names of the signals that a normalized rule fires vary by data source. So, if you want your custom insight configuration to generate insights for signals fired by normalized rules, you should base it on signal names, rather than rule names.
42
+
In that case, under **Strict Signal Configuration**, select **Only include the signals defined in this custom insight**. This generates insights only on those signals defined in your custom insight. Any additional signals related to the applicable entity are excluded.
25
43
26
-
When the conditions of a custom insight configuration are met during the currently configured [detection window](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/), an insight will be generated for each entity involved. In other words, if each of the signals in a custom insight configuration fired on a different entity, an insight will be created on each of those entities. The generated insights will include not only the signals that it fired on, but also any related signals.
1.[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu, select **Content > Custom Insights**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Custom Insights**. You can also click the **Go To...** menu at the top of the screen and select **Custom Insights**.
33
-
2. Click **Add Custom Insight** on the **Custom Insights** page.
34
-
3. The **Configure the Custom Insight** popup appears. <br/><img src={useBaseUrl('img/cse/custom-insight.png')} alt="Configure an insight" style={{border: '1px solid gray'}} width="600"/>
35
-
4. In the **Name** field, enter a name for the custom insight.
36
-
5. If you want the custom insight to be generated based on one or more rules firing signals, jump to step 6, below. Otherwise:
37
-
1. Leave the **When Signals are created from the following...** clause set to **Signal names**.
51
+
1. Click **Add Custom Insight** on the **Custom Insights** page.
52
+
1. The **Configure the Custom Insight** popup appears. <br/><img src={useBaseUrl('img/cse/custom-insight.png')} alt="Configure an insight" style={{border: '1px solid gray'}} width="600"/>
53
+
1. In the **Name** field, enter a name for the custom insight.
54
+
1. If you want the custom insight to be generated based on one or more rules firing signals, jump to step 6, below. Otherwise:
55
+
1. Leave the **When Signals are created with the following...** clause set to **Signal names**.
38
56
2. Enter an expression that matches the name(s) of the signals of interest. For example: `Critical Severity Intrusion Signature *`
39
57
3. Click **Add**.
40
58
4. If you want to, you can enter one or more additional signal expressions.
41
59
5. If you’ve configured more than one signal expression, use the **in ... order** clause to specify whether the signals must occur in **exact** order, or whether the signals can occur in **any** order.
42
-
6. If you want the custom insight to be generated based on one or more rules firing signals:
43
-
1. Change the **When Signals are created from the following...** clause to **rule**.
60
+
1. If you want the custom insight to be generated based on one or more rules firing signals:
61
+
1. Change the **When Signals are created with the following...** clause to **rule**.
44
62
2. In the **Type to add a Rule** area, enter a string that the ID of the desired rule contains.
45
63
3. In the list of rules that appears, scroll to the desired rule and click it.
46
64
4. If you want to, you can search for and select one or more additional rules.
47
65
5. If you’ve configured more than one rule, use the **in ... order** clause to specify whether the rules must fire signals in exact order, or in any order.
48
-
7. In the **Then Create an Insight** section on the right side of the popup, enter a name for the insight.
49
-
8. Enter a description of the insight, as desired.
50
-
9. For severity, you can choose between a constant severity, or a dynamic severity that is based on the severity of the signals that trigger the insight. If you want to configure dynamic severity, skip to the next step. To configure constant severity, select one of: Low, Medium, High, or Critical.
51
-
10. To configure dynamic severity for the custom insight:
66
+
1. Under **Strict Signal Configuration**, select **Only include the signals defined in this custom insight** to generate insights only on those signals defined in your custom insight. Any additional signals related to the applicable entity are excluded.
67
+
1. In the **Then Create an Insight** section on the right side of the popup, enter a name for the insight.
68
+
1. Enter a description of the insight, as desired.
69
+
1. For severity, you can choose between a constant severity, or a dynamic severity that is based on the severity of the signals that trigger the insight. If you want to configure dynamic severity, skip to the next step. To configure constant severity, select one of: Low, Medium, High, or Critical.
70
+
1. To configure dynamic severity for the custom insight:
52
71
1. Choose **dynamic** severity.
53
72
:::note
54
73
You can define dynamic severity for record fields on [Match rules](/docs/cse/rules/write-match-rule#configure-then-create-a-signal-settings) and [Aggregation rules](/docs/cse/rules/write-aggregation-rule/#configure-then-create-a-signal-settings).
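Review bot: the new step `1. Under **Strict Signal Configuration**, select **Only include the signals defined in this custom insight** ...` reads as a mandatory step, while the section added just above it ("In that case, under **Strict Signal Configuration**, select ...") presents the setting as optional; suggest opening the step with the condition, e.g. `1. If you want the insight to contain only the signals defined here, under **Strict Signal Configuration** select **Only include the signals defined in this custom insight**.` Two smaller points in the same hunk: the unchanged first step `1.[**Classic UI**]` has no space after `1.`, so CommonMark will not treat it as a list item, which matters now that the remaining top-level steps are renumbered to `1.` and rely on list continuity for their rendered numbers (and for the cross-reference "jump to step 6, below"); and "Rather than the summation of all signals attached to entities" would read more naturally as "Rather than the sum of all signals attached to entities".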
@@ -60,5 +79,5 @@ To create a custom insight:
60
79
* If the highest signal severity was at least 5, severity is Medium.
61
80
* If the highest signal severity was at least 7, severity is Critical.
11. If desired, select [Tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/) that you want assigned to the custom insight.
64
-
12. Click **Submit** to save your custom insight configuration.
82
+
1. If desired, select [Tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/) that you want assigned to the custom insight.
83
+
1. Click **Submit** to save your custom insight configuration.
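Review bot: with the Tags and Submit steps also changed to `1.`, every top-level step now takes its number from Markdown auto-numbering, so the rendered numbers (and the earlier "jump to step 6, below" reference) are only correct if the `:::note` block and the nested severity bullets remain inside their parent step; worth confirming on the rendered page that the list does not restart at 1 before these two steps.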