This article describes the roles, permissions, and steps required to configure a Function to route signals from a specific entity to track its behavior.
Proper design and deployment of Functions is vital for visibility into, and protection of, VIP entities. Functions group related signals into Situations where applicable, and they reduce noise: routine activity stays quiet, while assets of higher criticality that come under duress and trigger an out-of-bound expectation defined in the Function are surfaced.
Pro TIP: Escalation Policies are equally important, so that the information a Function routes about VIP assets reaches the right people and teams under the right circumstances.
User Permissions
Users with the following roles can create, view, edit, and delete functions in the Resolution Intelligence Cloud:
- Owner
- Global Admin
- Manager
- Configuration Manager
To configure a Function:
1. Click the gear icon at the top, or hover over the icon at the top-left corner.
2. At the bottom of the left menu, click Configurations.
3. In the left menu, under Account Information, click Functions. The Functions page opens.
4. Enter a Name and, optionally, a Description that reflects the service the function provides.
5. (Optional) Select the Mark as default function check box. The default function is the catch-all: signals that no other function's route rules claim are associated with it, and you cannot add route rules that send signals to it explicitly.
6. (Optional) In the Escalation Policy field, select an existing Escalation Policy. Learn more on Escalation Policy.
7. Select the escalation urgency setting that decides how users are notified, based on the criticality of the ActOns received. The available options are:
Use High Urgency Escalation Settings
Applies the high-urgency escalation settings configured at the profile level to notify the scheduled members of the escalation policy whenever an ActOn is triggered, so the right people are informed of every ActOn routed to this function. For example, if a user's high-urgency escalation method is a phone call, that user receives a call at the configured mobile number when an ActOn is triggered. To configure the contact method for ActOn notifications, refer to the Escalation Settings section.
Use Low Urgency Escalation Settings
Applies the low-urgency escalation settings configured at the profile level to notify the scheduled members of the escalation policy when an ActOn is triggered. For example, if a user's low-urgency escalation method is email, that user receives an email at the configured address when an ActOn is triggered and assigned to them.
Use Urgency Settings Based on ActOn Priority
Lets you choose a priority level (P0, P1, P2, P3, or P4) as the threshold. Selecting a level such as P2 classifies the higher-priority levels (P0, P1) as high priority and the lower-priority levels (P3, P4) as low priority.
- High-priority ActOns trigger notifications through the contact method configured for high-urgency ActOns in Escalation Settings.
- Low-priority ActOns trigger notifications through the contact method configured for low-urgency ActOns in Escalation Settings.
Use Urgency Settings Based on Support Hours
Notifies personnel according to defined support hours: you specify the working days and time range, and configure ActOn notifications separately for working and non-working hours. When this option is selected, two additional settings appear:
During Support Hours:
- If high-urgency escalation settings are selected, notifications are sent via the contact method configured for high-urgency ActOns.
- If low-urgency escalation settings are selected, notifications are sent via the contact method configured for low-urgency ActOns.
- If urgency is based on ActOn priority, high-priority ActOns are notified via the contact method configured for high-urgency ActOns and low-priority ActOns via the contact method configured for low-urgency ActOns.
Outside Support Hours:
- If high-urgency escalation settings are selected, notifications are sent via the contact method configured for high-urgency ActOns.
- If low-urgency escalation settings are selected, notifications are sent via the contact method configured for low-urgency ActOns.
- If urgency is based on ActOn priority, high-priority ActOns are notified via the contact method configured for high-urgency ActOns and low-priority ActOns via the contact method configured for low-urgency ActOns.
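The four urgency options above, worked through in code as an added example. This is not Resolution Intelligence Cloud code: the class and field names, the support-hours representation and the profile-settings dictionary are assumptions made for the example. The page does not say where the selected priority level itself falls when urgency is based on ActOn priority; the example counts the selected level as high and marks that as an assumption.

```python
# Added example (not Resolution Intelligence Cloud code): models the four
# escalation-urgency options and resolves which profile-level contact method
# an ActOn notification would use.
from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum
from typing import FrozenSet, Optional

# Priority levels named on the page; a lower number is more urgent.
PRIORITY_RANK = {"P0": 0, "P1": 1, "P2": 2, "P3": 3, "P4": 4}


class Mode(str, Enum):
    HIGH = "high_urgency"            # Use High Urgency Escalation Settings
    LOW = "low_urgency"              # Use Low Urgency Escalation Settings
    PRIORITY = "acton_priority"      # Use Urgency Settings Based on ActOn Priority
    SUPPORT_HOURS = "support_hours"  # Use Urgency Settings Based on Support Hours


@dataclass(frozen=True)
class UrgencyChoice:
    """One of the first three options, with a threshold when mode is PRIORITY."""
    mode: Mode
    threshold: Optional[str] = None


@dataclass(frozen=True)
class SupportHours:
    """Working days (0=Monday .. 6=Sunday, as datetime.weekday()) and a daily range."""
    working_days: FrozenSet[int]
    start: time
    end: time

    def covers(self, when: datetime) -> bool:
        return when.weekday() in self.working_days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class FunctionEscalation:
    """Escalation urgency setting stored on a Function (assumed shape)."""
    choice: UrgencyChoice
    # The next three are only used when choice.mode is SUPPORT_HOURS.
    support_hours: Optional[SupportHours] = None
    during_hours: Optional[UrgencyChoice] = None
    outside_hours: Optional[UrgencyChoice] = None


def urgency_from_priority(priority: str, threshold: str) -> str:
    """With P2 selected the page makes P0/P1 high and P3/P4 low. ASSUMPTION:
    the selected level itself counts as high (the page does not say)."""
    if priority not in PRIORITY_RANK or threshold not in PRIORITY_RANK:
        raise ValueError(f"unknown priority level: {priority!r} / {threshold!r}")
    return "high" if PRIORITY_RANK[priority] <= PRIORITY_RANK[threshold] else "low"


def resolve_choice(choice: UrgencyChoice, priority: str) -> str:
    """Resolve a HIGH / LOW / PRIORITY choice to 'high' or 'low'."""
    if choice.mode is Mode.HIGH:
        return "high"
    if choice.mode is Mode.LOW:
        return "low"
    if choice.mode is Mode.PRIORITY:
        if choice.threshold is None:
            raise ValueError("priority-based urgency needs a threshold level")
        return urgency_from_priority(priority, choice.threshold)
    raise ValueError("support-hours mode cannot be nested inside a window")


def resolve_urgency(setting: FunctionEscalation, priority: str, when: datetime) -> str:
    """Return 'high' or 'low' for an ActOn of `priority` created at `when`."""
    if setting.choice.mode is not Mode.SUPPORT_HOURS:
        return resolve_choice(setting.choice, priority)
    if setting.support_hours is None or setting.during_hours is None or setting.outside_hours is None:
        raise ValueError("support-hours mode needs hours plus during/outside choices")
    window = setting.during_hours if setting.support_hours.covers(when) else setting.outside_hours
    return resolve_choice(window, priority)


def contact_method(profile_settings: dict, urgency: str) -> str:
    """Look up the contact method in a user's profile-level Escalation Settings
    (constructed stand-in, e.g. {"high": "call", "low": "email"})."""
    return profile_settings[urgency]


# Constructed example: priority-based urgency during business hours (P1 and
# above is high), everything treated as high outside them.
VIP_FUNCTION = FunctionEscalation(
    choice=UrgencyChoice(Mode.SUPPORT_HOURS),
    support_hours=SupportHours(frozenset({0, 1, 2, 3, 4}), time(9, 0), time(18, 0)),
    during_hours=UrgencyChoice(Mode.PRIORITY, threshold="P1"),
    outside_hours=UrgencyChoice(Mode.HIGH),
)
ANALYST_PROFILE = {"high": "call", "low": "email"}  # constructed profile settings


def demo() -> dict:
    """Resolve three constructed ActOns against VIP_FUNCTION (2024-06-10 is a Monday)."""
    cases = {
        "monday_10_P2": (datetime(2024, 6, 10, 10, 0), "P2"),
        "monday_20_P2": (datetime(2024, 6, 10, 20, 0), "P2"),
        "saturday_10_P4": (datetime(2024, 6, 8, 10, 0), "P4"),
    }
    out = {}
    for label, (when, prio) in cases.items():
        urgency = resolve_urgency(VIP_FUNCTION, prio, when)
        out[label] = (urgency, contact_method(ANALYST_PROFILE, urgency))
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result[0]} urgency -> {result[1]}")
```

The point to check when designing a VIP function is the gap the example makes visible: a P2 ActOn on a VIP asset during support hours only gets an email here, because the during-hours threshold is P1. Tighten the threshold or use the high-urgency settings outright for functions that cover critical assets.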
8. Under Route Rules, click Add route rule to associate signals with the function. Learn more about adding Rules.
9. Click Save.
Note: Functions are visible only to the user who configured them; other users cannot see your functions.
After you create a function, it is listed on the Functions home page, where you can sort the list by name, Signals, Situations, ActOns, escalation policy, created date, and configured.
Attributes Mapping
The attributes used in signal routing conditions are mapped between the Resolution Intelligence Cloud and Chronicle as follows. Each Chronicle path is the Resolution Intelligence Cloud attribute prefixed with security.; the mapping is otherwise one-to-one.
Resolution Intelligence Cloud | Chronicle |
events.metadata.eventType | security.events.metadata.eventType |
events.metadata.productEventType | security.events.metadata.productEventType |
events.metadata.productName | security.events.metadata.productName |
events.metadata.vendorName | security.events.metadata.vendorName |
events.network.dnsDomain | security.events.network.dnsDomain |
events.network.email.from | security.events.network.email.from |
events.network.email.to | security.events.network.email.to |
events.observer.hostname | security.events.observer.hostname |
events.principal.asset.hostname | security.events.principal.asset.hostname |
events.principal.hostname | security.events.principal.hostname |
events.principal.ip | security.events.principal.ip |
events.principal.process.commandLine | security.events.principal.process.commandLine |
events.principal.process.file.fullPath | security.events.principal.process.file.fullPath |
events.principal.process.file.names | security.events.principal.process.file.names |
events.principal.process.file.sha256 | security.events.principal.process.file.sha256 |
events.principal.processAncestors.commandLine | security.events.principal.processAncestors.commandLine |
events.principal.user.userid | security.events.principal.user.userid |
events.processAncestors.commandLine | security.events.processAncestors.commandLine |
events.processAncestors.file.fullPath | security.events.processAncestors.file.fullPath |
events.processAncestors.file.names | security.events.processAncestors.file.names |
events.processAncestors.file.sha256 | security.events.processAncestors.file.sha256 |
events.securityResult.action | security.events.securityResult.action |
events.securityResult.category | security.events.securityResult.category |
events.securityResult.summary | security.events.securityResult.summary |
events.securityResult.threatName | security.events.securityResult.threatName |
events.target.application | security.events.target.application |
events.target.asset.hostname | security.events.target.asset.hostname |
events.target.file.fullPath | security.events.target.file.fullPath |
events.target.file.names | security.events.target.file.names |
events.target.file.sha256 | security.events.target.file.sha256 |
events.target.hostname | security.events.target.hostname |
events.target.ip | security.events.target.ip |
events.target.port | security.events.target.port |
events.target.process.command_line | security.events.target.process.command_line |
events.target.process.file.fullPath | security.events.target.process.file.fullPath |
events.target.process.file.names | security.events.target.process.file.names |
events.target.process.file.sha256 | security.events.target.process.file.sha256 |
events.target.processAncestors.commandLine | security.events.target.processAncestors.commandLine |
events.target.processAncestors.file.fullPath | security.events.target.processAncestors.file.fullPath |
events.target.processAncestors.file.names | security.events.target.processAncestors.file.names |
events.target.processAncestors.file.sha256 | security.events.target.processAncestors.file.sha256 |
events.target.resource.name | security.events.target.resource.name |
events.target.resource.resourceType | security.events.target.resource.resourceType |
events.target.resource.type | security.events.target.resource.type |
events.target.url | security.events.target.url |
events.target.user.department | security.events.target.user.department |
events.target.user.title | security.events.target.user.title |
events.target.user.userid | security.events.target.user.userid |
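An added example, not Resolution Intelligence Cloud code, showing how a routing condition written against the left-hand attributes above resolves against a Chronicle-style signal and lands in a Function, with the default function as the catch-all described in step 5. The rule representation (attribute, operator, value), the AND across a function's rules, the case-insensitive string comparison, and the assumption that Chronicle repeated fields arrive as JSON arrays are all assumptions made for the example; the product's own rule syntax is covered on the adding Rules page. The sample signal is constructed.

```python
# Added example (not Resolution Intelligence Cloud code): evaluate route rules
# against a Chronicle-style signal using the attribute mapping above.
from dataclasses import dataclass, field
from typing import Any, Iterable, List

# Subset of the mapping table; every row follows the same "security." + attribute
# pattern, which to_chronicle_path() relies on for rows not copied here.
ATTRIBUTE_MAP = {
    "events.metadata.eventType": "security.events.metadata.eventType",
    "events.principal.asset.hostname": "security.events.principal.asset.hostname",
    "events.principal.user.userid": "security.events.principal.user.userid",
    "events.target.ip": "security.events.target.ip",
    "events.securityResult.action": "security.events.securityResult.action",
}


def to_chronicle_path(attribute: str) -> str:
    """Map a routing-condition attribute to its Chronicle path."""
    if attribute in ATTRIBUTE_MAP:
        return ATTRIBUTE_MAP[attribute]
    if attribute.startswith("events."):
        return "security." + attribute
    raise KeyError(f"unknown routing attribute: {attribute}")


def extract(doc: Any, path: str) -> List[Any]:
    """Collect every value at a dotted path, fanning out through lists so a
    multi-valued field (several target IPs, several securityResult entries)
    yields all of its values. ASSUMPTION: repeated fields are JSON arrays."""
    nodes = [doc]
    for key in path.split("."):
        next_nodes = []
        for node in nodes:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and key in item:
                    next_nodes.append(item[key])
        nodes = next_nodes
    out: List[Any] = []
    for node in nodes:
        out.extend(node if isinstance(node, list) else [node])
    return out


@dataclass(frozen=True)
class RouteRule:
    """One routing condition (assumed shape; operators are this example's)."""
    attribute: str
    operator: str  # "equals" | "contains" | "in"
    value: Any

    def matches(self, signal: dict) -> bool:
        # Compare case-insensitively: hostnames and user IDs vary in case across sources.
        values = [str(v).lower() for v in extract(signal, to_chronicle_path(self.attribute))]
        if self.operator == "equals":
            return str(self.value).lower() in values
        if self.operator == "contains":
            return any(str(self.value).lower() in v for v in values)
        if self.operator == "in":
            wanted = {str(x).lower() for x in self.value}
            return any(v in wanted for v in values)
        raise ValueError(f"unsupported operator: {self.operator}")


@dataclass
class Function:
    name: str
    rules: List[RouteRule] = field(default_factory=list)
    is_default: bool = False

    def accepts(self, signal: dict) -> bool:
        # ASSUMPTION: all of a function's rules must hold. The default function
        # has no rules of its own and only receives what nothing else claims.
        return not self.is_default and bool(self.rules) and all(r.matches(signal) for r in self.rules)


def route(signal: dict, functions: Iterable[Function]) -> List[str]:
    """Names of the Functions a signal routes to, or the default if none match."""
    functions = list(functions)
    hits = [f.name for f in functions if f.accepts(signal)]
    return hits if hits else [f.name for f in functions if f.is_default]


# Constructed Chronicle-style signal (not a real export).
SAMPLE_SIGNAL = {
    "security": {
        "events": [
            {
                "metadata": {"eventType": "PROCESS_LAUNCH", "productName": "EDR"},
                "principal": {
                    "asset": {"hostname": "CFO-LAPTOP-01"},
                    "user": {"userid": "cfo"},
                    "process": {"commandLine": "powershell -NoProfile -Command whoami"},
                },
                "target": {"ip": ["10.0.5.20", "203.0.113.7"]},
                "securityResult": [{"action": "ALLOW"}],
            }
        ]
    }
}

FUNCTIONS = [
    Function("VIP executives", [RouteRule("events.principal.asset.hostname", "in",
                                          ["cfo-laptop-01", "ceo-laptop-01"])]),
    Function("Egress to test-net", [RouteRule("events.target.ip", "equals", "203.0.113.7")]),
    Function("Unrouted signals", is_default=True),
]

if __name__ == "__main__":
    print(route(SAMPLE_SIGNAL, FUNCTIONS))
```

Routing a VIP by hostname alone is brittle: a renamed or re-imaged laptop silently drops out of the function and into the default. Pair the asset rule with events.principal.user.userid (the user attribute is in the mapping table) so the entity is tracked by who is acting as well as where.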