This article describes the roles, permissions, and steps required to configure a Function that routes signals from a specific asset so that its behavior can be tracked.
Proper design and deployment of Functions is vital for visibility into, and protection of, VIP Assets. Functions group related signals into Situations where applicable, and they reduce noise: routine signals stay quiet, while signals from high-criticality assets that breach an expectation defined in the Function are surfaced.
Pro TIP: Escalation Policies are equally vital. They ensure that Function information about VIP Assets is routed to the right people and teams under the right circumstances.
User Permissions
Users with the following roles can create, view, edit, and delete Functions in the Resolution Intelligence Cloud:
- Owner
- Global Admin
- Manager
- Configuration Manager
To configure a Function,
- Click the gear icon at the top, or hover over the menu icon at the top-left corner.
- In the bottom of the left menu, click Configurations.
- In the left menu, under Account Information, click Functions.
You will be navigated to the Functions page.
- Enter the Name and, optionally, a Description that reflects the service the Function covers.
- (Optional) Select the Mark as default function check box. The default Function receives signals that are not routed to any other Function, so you cannot add route rules to it.
- (Optional) In Escalation Policy field, select an existing Escalation Policy. Learn more on Escalation Policy.
- Select the escalation urgency setting that determines how teams are notified, based on the criticality of the ActOns received. The available options are:
- Use High Urgency Escalation Settings: This option considers all ActOns as high priority, requiring immediate action.
- Use Low Urgency Escalation Settings: This option considers all ActOns as low priority.
- Use Urgency Settings Based on ActOn Priority: This lets you choose a priority threshold (P0, P1, P2, P3, or P4). ActOns at the selected priority and every more critical one are treated as high urgency; the rest are treated as low urgency. For example, selecting P2 treats P0, P1, and P2 as high urgency and P3 and P4 as low urgency.
- Use Urgency Settings Based on Support Hours: This option allows ActOns to be notified to the concerned personnel based on support hours. Users can configure whether ActOns during and outside support hours should be treated with high urgency, low urgency, or based on ActOn priority.
- Under Route Rules, click Add route rule to associate signals with the function. Learn more about adding Rules.
- Click Save.
Note: Functions are visible only to the user who configured them; other users cannot see them.
After you create a Function, it is listed on the Functions home page, where you can sort the list by Name, Signals, Situations, ActOns, Escalation Policy, Created Date, and Configured.
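The four urgency options above decide whether an ActOn is paged as high or low urgency. The following Python example, added here and not part of the product or this article, shows the decision logic end to end, including the support-hours option whose in-hours and out-of-hours branches can themselves be "high", "low", or "by priority". The option names, the P0-to-P4 ordering (P0 most critical), the weekday-only support window, and the sample ActOns are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Assumed ordering (not spelled out on the page): P0 is the most critical, P4 the least.
PRIORITIES = ("P0", "P1", "P2", "P3", "P4")

# The four urgency options offered on the Function, under names chosen for this example.
HIGH, LOW, BY_PRIORITY, BY_SUPPORT_HOURS = "high", "low", "by_priority", "by_support_hours"


@dataclass
class UrgencySetting:
    mode: str
    # BY_PRIORITY: this priority and every more critical one is treated as high urgency.
    priority_threshold: Optional[str] = None
    # BY_SUPPORT_HOURS: local-time window plus the setting that applies inside and outside it.
    support_start: Optional[time] = None
    support_end: Optional[time] = None
    during_support: Optional["UrgencySetting"] = None
    outside_support: Optional["UrgencySetting"] = None


def urgency_by_priority(acton_priority: str, threshold: str) -> str:
    """Threshold P2 makes P0, P1 and P2 high urgency and P3, P4 low urgency."""
    if acton_priority not in PRIORITIES or threshold not in PRIORITIES:
        raise ValueError(f"unknown priority: {acton_priority!r} / {threshold!r}")
    return HIGH if PRIORITIES.index(acton_priority) <= PRIORITIES.index(threshold) else LOW


def in_support_hours(ts: datetime, start: time, end: time) -> bool:
    """True when ts falls in the window on a weekday; a window may cross midnight."""
    if ts.weekday() >= 5:  # Saturday/Sunday are outside support hours (assumption)
        return False
    now = ts.time()
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # e.g. a 22:00-06:00 window


def resolve_urgency(setting: UrgencySetting, acton_priority: str, ts: datetime) -> str:
    """Return HIGH or LOW for one ActOn under the Function's urgency setting."""
    if setting.mode in (HIGH, LOW):
        return setting.mode
    if setting.mode == BY_PRIORITY:
        return urgency_by_priority(acton_priority, setting.priority_threshold)
    if setting.mode == BY_SUPPORT_HOURS:
        inside = in_support_hours(ts, setting.support_start, setting.support_end)
        branch = setting.during_support if inside else setting.outside_support
        # Each branch is itself high, low or by-priority; nesting support hours is rejected.
        if branch is None or branch.mode == BY_SUPPORT_HOURS:
            raise ValueError("support-hours branches must be high, low or by_priority")
        return resolve_urgency(branch, acton_priority, ts)
    raise ValueError(f"unknown urgency mode: {setting.mode!r}")


# Constructed VIP-asset setting: everything pages during the 09:00-18:00 shift,
# but only P0 and P1 page outside it.
VIP_SETTING = UrgencySetting(
    mode=BY_SUPPORT_HOURS,
    support_start=time(9, 0),
    support_end=time(18, 0),
    during_support=UrgencySetting(mode=HIGH),
    outside_support=UrgencySetting(mode=BY_PRIORITY, priority_threshold="P1"),
)

# Constructed ActOns as (priority, timestamp). 2024-03-04 is a Monday, 2024-03-09 a Saturday.
SAMPLE_ACTONS = [
    ("P3", datetime(2024, 3, 4, 10, 0)),
    ("P3", datetime(2024, 3, 4, 22, 0)),
    ("P1", datetime(2024, 3, 4, 22, 0)),
    ("P2", datetime(2024, 3, 9, 10, 0)),
]


def demo() -> list:
    """Urgency for each sample ActOn, in order: high, low, high, low."""
    return [resolve_urgency(VIP_SETTING, prio, ts) for prio, ts in SAMPLE_ACTONS]


if __name__ == "__main__":
    for (prio, ts), urgency in zip(SAMPLE_ACTONS, demo()):
        print(f"{prio} at {ts:%a %H:%M}: {urgency}")
```

The point worth checking when you configure a VIP Function is the out-of-hours branch: a threshold of P1 means a P2 on a finance database host at 22:00 is treated as low urgency, which is only acceptable if the Escalation Policy attached to the Function still gets it in front of someone.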
Attributes Mapping
The attributes used in signal routing conditions are mapped between Chronicle and the Resolution Intelligence Cloud as follows (the Resolution Intelligence Cloud name is the Chronicle path without its leading security. segment):
| Resolution Intelligence Cloud | Chronicle |
| --- | --- |
| events.metadata.eventType | security.events.metadata.eventType |
| events.metadata.productEventType | security.events.metadata.productEventType |
| events.metadata.productName | security.events.metadata.productName |
| events.metadata.vendorName | security.events.metadata.vendorName |
| events.network.dnsDomain | security.events.network.dnsDomain |
| events.network.email.from | security.events.network.email.from |
| events.network.email.to | security.events.network.email.to |
| events.observer.hostname | security.events.observer.hostname |
| events.principal.asset.hostname | security.events.principal.asset.hostname |
| events.principal.hostname | security.events.principal.hostname |
| events.principal.ip | security.events.principal.ip |
| events.principal.process.commandLine | security.events.principal.process.commandLine |
| events.principal.process.file.fullPath | security.events.principal.process.file.fullPath |
| events.principal.process.file.names | security.events.principal.process.file.names |
| events.principal.process.file.sha256 | security.events.principal.process.file.sha256 |
| events.principal.processAncestors.commandLine | security.events.principal.processAncestors.commandLine |
| events.principal.user.userid | security.events.principal.user.userid |
| events.processAncestors.commandLine | security.events.processAncestors.commandLine |
| events.processAncestors.file.fullPath | security.events.processAncestors.file.fullPath |
| events.processAncestors.file.names | security.events.processAncestors.file.names |
| events.processAncestors.file.sha256 | security.events.processAncestors.file.sha256 |
| events.securityResult.action | security.events.securityResult.action |
| events.securityResult.category | security.events.securityResult.category |
| events.securityResult.summary | security.events.securityResult.summary |
| events.securityResult.threatName | security.events.securityResult.threatName |
| events.target.application | security.events.target.application |
| events.target.asset.hostname | security.events.target.asset.hostname |
| events.target.file.fullPath | security.events.target.file.fullPath |
| events.target.file.names | security.events.target.file.names |
| events.target.file.sha256 | security.events.target.file.sha256 |
| events.target.hostname | security.events.target.hostname |
| events.target.ip | security.events.target.ip |
| events.target.port | security.events.target.port |
| events.target.process.command_line | security.events.target.process.command_line |
| events.target.process.file.fullPath | security.events.target.process.file.fullPath |
| events.target.process.file.names | security.events.target.process.file.names |
| events.target.process.file.sha256 | security.events.target.process.file.sha256 |
| events.target.processAncestors.commandLine | security.events.target.processAncestors.commandLine |
| events.target.processAncestors.file.fullPath | security.events.target.processAncestors.file.fullPath |
| events.target.processAncestors.file.names | security.events.target.processAncestors.file.names |
| events.target.processAncestors.file.sha256 | security.events.target.processAncestors.file.sha256 |
| events.target.resource.name | security.events.target.resource.name |
| events.target.resource.resourceType | security.events.target.resource.resourceType |
| events.target.resource.type | security.events.target.resource.type |
| events.target.url | security.events.target.url |
| events.target.user.department | security.events.target.user.department |
| events.target.user.title | security.events.target.user.title |
| events.target.user.userid | security.events.target.user.userid |
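To make the mapping concrete, the Python example below (added here; it is not the product's own rule engine and the article does not document the route-rule syntax) translates the Resolution Intelligence Cloud attribute names from the table into Chronicle paths, resolves them inside a Chronicle-shaped signal, and evaluates a handful of route rules against it. The rule shape (attribute, operator, value; all conditions ANDed), the three operators, the Function names, and the sample signal are all constructed for this example. Repeated UDM fields such as events, processAncestors, and file.names are lists, so a path that crosses a list fans out to every element rather than failing.

```python
import json
from typing import Any, Iterator

# Per the mapping table, a Resolution Intelligence Cloud attribute is the Chronicle
# path with the leading "security." segment dropped (events.principal.ip <->
# security.events.principal.ip). Everything below the two converters is assumed.
CHRONICLE_PREFIX = "security."


def to_chronicle_path(ric_attribute: str) -> str:
    """events.principal.hostname -> security.events.principal.hostname"""
    if not ric_attribute.startswith("events."):
        raise ValueError(f"not a routing attribute: {ric_attribute!r}")
    return CHRONICLE_PREFIX + ric_attribute


def to_ric_attribute(chronicle_path: str) -> str:
    """security.events.principal.hostname -> events.principal.hostname"""
    if not chronicle_path.startswith(CHRONICLE_PREFIX + "events."):
        raise ValueError(f"not a mapped Chronicle path: {chronicle_path!r}")
    return chronicle_path[len(CHRONICLE_PREFIX):]


def resolve(obj: Any, path: str) -> Iterator[Any]:
    """Yield every value found at a dotted path inside nested dicts and lists.

    A list at any segment (events, processAncestors, file.names) fans out to all
    of its elements, so a rule on file.names matches if any name matches.
    """
    parts = path.split(".")

    def walk(node: Any, i: int) -> Iterator[Any]:
        if isinstance(node, list):
            for item in node:
                yield from walk(item, i)
        elif i == len(parts):
            yield node
        elif isinstance(node, dict) and parts[i] in node:
            yield from walk(node[parts[i]], i + 1)

    return walk(obj, 0)


# Case-insensitive operators for one rule condition (assumed, not the product's syntax).
OPERATORS = {
    "equals": lambda actual, expected: str(actual).lower() == str(expected).lower(),
    "contains": lambda actual, expected: str(expected).lower() in str(actual).lower(),
    "in": lambda actual, expected: str(actual).lower() in {str(e).lower() for e in expected},
}


def condition_matches(signal: dict, ric_attribute: str, op: str, expected: Any) -> bool:
    """A condition holds if any value at the mapped Chronicle path satisfies it."""
    path = to_chronicle_path(ric_attribute)
    return any(OPERATORS[op](actual, expected) for actual in resolve(signal, path))


def route(signal: dict, functions: dict, default_function: str) -> list:
    """Names of every Function whose route rule (all conditions ANDed) matches.

    A signal that matches no rule falls through to the Function marked as default.
    """
    matched = [name for name, conditions in functions.items()
               if conditions and all(condition_matches(signal, *c) for c in conditions)]
    return matched or [default_function]


# Constructed Chronicle-shaped signal (not real telemetry): a process launch on a finance DB host.
SAMPLE_SIGNAL = {
    "security": {"events": [{
        "metadata": {"eventType": "PROCESS_LAUNCH", "vendorName": "Microsoft", "productName": "Defender"},
        "principal": {
            "asset": {"hostname": "FIN-DB-01"},
            "user": {"userid": "svc_backup"},
            "process": {"commandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
                        "file": {"names": ["powershell.exe"], "sha256": "ab" * 32}},
        },
        "securityResult": [{"action": "ALLOW", "category": "SOFTWARE_SUSPICIOUS"}],
    }]}
}

# Constructed route rules keyed by Function name; every condition in a rule must hold.
FUNCTIONS = {
    "VIP Finance DB": [("events.principal.asset.hostname", "in", ["fin-db-01", "fin-db-02"])],
    "Encoded PowerShell": [("events.principal.process.file.names", "equals", "powershell.exe"),
                           ("events.principal.process.commandLine", "contains", "-enc")],
    "Defender Blocks": [("events.metadata.vendorName", "equals", "Microsoft"),
                        ("events.securityResult.action", "equals", "BLOCK")],
}


def demo() -> list:
    """Functions the sample signal routes to: the VIP and the encoded-PowerShell rules."""
    return route(SAMPLE_SIGNAL, FUNCTIONS, default_function="Default")


if __name__ == "__main__":
    print(json.dumps(demo()))
```

Two details matter when writing real route rules for VIP assets: hostname and user attributes should be compared case-insensitively (endpoint agents and directory sources disagree on case), and a rule that names a single Function per signal is not what you get, since one signal can satisfy several Functions' rules, as the sample shows.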