
Tuning rule time-based


Hi,

 

I'm trying to investigate how we can tune a rule to prevent false positives. A customer scans their network every Sunday night. Every Sunday night, the rules alert and create an incident, which is a false positive. We want to tune this rule so it will not check during the given time (between around 2 am and 4 am) for some sources, like Qualys.

I don't want to edit the analytic rule, for certain reasons, but will solve this via Automation. Automation doesn't have a time property, so I thought maybe we can fix it using playbooks. Is this possible?
What is the best approach for tuning like this?

6 Replies

Hi
I believe the easiest way would be to do this by modifying the analytic rule logic, but I understand you can't do this.
What you can do is implement some entity mapping (this doesn't change the rule logic), and if a specific entity is extracted, auto-close using automation.

Hi Kaaamil,

Thanks! I've looked into entity mapping, but unfortunately I didn't find any useful entity.
The analytic rule would still be modified in this case. This would affect the updates of the analytic rule: we've automated the update process, so a new update would undo the changes to the analytic rule.
Solution (best response confirmed by esschotenw)
Rule logic would be the go-to for me as well, as what you want to achieve is very specific and targeted. Entity mapping as suggested by Kaaamil could prove tricky: even though in theory you could map a timestamp to an entity, you'd need some logic to assess the time, day of the week etc., which an automation rule wouldn't allow.
A Logic App is the only alternative I can think of: create it with an incident trigger, let it get the incident info, use a Control/Condition block to evaluate the TimeCreated value (match the day of the week and the hours, for example), and then close the incident on a match or take no action if not.
Outside of the Logic App you'd still need an automation rule to call it: an incident-based trigger when it matches your rule.
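Added example, not part of this thread and not Sentinel's own tooling: the evaluation the Logic App's Condition block has to perform, written out in Python so it can be run against constructed incident payloads. It assumes the shape of the Sentinel incident trigger body (object.properties.createdTimeUtc and an IP entity under relatedEntities), a customer time zone of UTC+1, and a hypothetical Qualys scanner address of 10.10.5.20; the window definition, the sample incidents and the helper names are all made up here. It also generalises the case in the thread to a window that crosses midnight.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo

# Sentinel emits timestamps with seven fractional digits and a trailing Z
# (e.g. 2024-03-11T01:30:00.1234567Z); datetime.fromisoformat takes at most six.
_FRACTION = re.compile(r"(\.\d{6})\d+")


def parse_sentinel_time(value: str) -> datetime:
    """Parse an incident createdTimeUtc string into an aware UTC datetime."""
    value = _FRACTION.sub(r"\1", value.strip())
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # naive input is treated as UTC, which is what Sentinel sends
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


@dataclass(frozen=True)
class MaintenanceWindow:
    tz: tzinfo              # customer's local zone; the scan is scheduled in local time
    weekdays: frozenset     # Python weekday(): Monday=0 ... Sunday=6
    start: time             # inclusive
    end: time               # exclusive

    def contains(self, when_utc: datetime) -> bool:
        local = when_utc.astimezone(self.tz)
        clock, day = local.time(), local.weekday()
        if self.start <= self.end:  # window lies within one calendar day
            return day in self.weekdays and self.start <= clock < self.end
        # Window crosses midnight (e.g. 23:00-01:00): the part after midnight
        # still belongs to the weekday on which the window started.
        if clock >= self.start:
            return day in self.weekdays
        if clock < self.end:
            return (day - 1) % 7 in self.weekdays
        return False


# Assumed customer zone. A fixed UTC+1 offset keeps the example free of tzdata;
# in production use zoneinfo.ZoneInfo("Europe/Amsterdam") so DST is honoured.
CUSTOMER_TZ = timezone(timedelta(hours=1), "CET")

# "Sunday night, 02:00-04:00" lands on Monday's date, so the weekday is 0.
SUNDAY_NIGHT_SCAN = MaintenanceWindow(CUSTOMER_TZ, frozenset({0}), time(2, 0), time(4, 0))
# A window that straddles midnight, to exercise the cross-midnight branch.
LATE_SUNDAY_WINDOW = MaintenanceWindow(CUSTOMER_TZ, frozenset({6}), time(23, 0), time(1, 0))
# Hypothetical address of the Qualys scanner appliance.
SCANNER_IPS = frozenset({"10.10.5.20"})


def incident_ips(incident: dict) -> set:
    """IP entities from the trigger payload (assumed relatedEntities shape)."""
    props = incident.get("object", {}).get("properties", {})
    return {
        entity.get("properties", {}).get("address")
        for entity in props.get("relatedEntities", [])
        if entity.get("kind") == "Ip"
    }


def should_auto_close(incident: dict, window: MaintenanceWindow = SUNDAY_NIGHT_SCAN,
                      scanner_ips: frozenset = SCANNER_IPS) -> bool:
    """Close only when the incident was created inside the window AND every IP
    entity on it is a known scanner. Time alone is too weak a filter: anyone who
    learns the schedule could run their own activity inside the window."""
    created = parse_sentinel_time(incident["object"]["properties"]["createdTimeUtc"])
    if not window.contains(created):
        return False
    ips = incident_ips(incident)
    return bool(ips) and ips <= scanner_ips


def make_incident(created_utc: str, ip: str) -> dict:
    """Constructed payload in the shape of the Sentinel incident trigger body."""
    return {"object": {"properties": {
        "title": "Network scan detected",
        "createdTimeUtc": created_utc,
        "relatedEntities": [{"kind": "Ip", "properties": {"address": ip}}],
    }}}


# Constructed incidents; times are UTC, comments give the CET clock time.
SAMPLE_INCIDENTS = {
    "scanner_in_window":  make_incident("2024-03-11T01:30:00.1234567Z", "10.10.5.20"),  # Mon 02:30
    "scanner_on_tuesday": make_incident("2024-03-12T01:30:00Z", "10.10.5.20"),          # Tue 02:30
    "scanner_at_end":     make_incident("2024-03-11T03:00:00Z", "10.10.5.20"),          # Mon 04:00, exclusive
    "stranger_in_window": make_incident("2024-03-11T01:45:00Z", "203.0.113.7"),         # right time, unknown source
}

if __name__ == "__main__":
    for name, incident in SAMPLE_INCIDENTS.items():
        print(f"{name:20s} auto-close={should_auto_close(incident)}")
```

Inside the Logic App the same evaluation is done with Workflow Definition Language expressions (convertTimeZone, dayOfWeek and formatDateTime applied to the trigger's createdTimeUtc) in the Condition block. Two things the code makes explicit: "Sunday night 02:00-04:00" is Monday's date once the weekday is checked, and closing on time alone lets anyone who learns the scan schedule hide inside the window, so the source should be matched too; if the rule maps no IP entity, only the weaker time-only check is available.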
Thanks all!
Unfortunately, we discovered that this is not the best way. We have multiple automation rules, so while the playbook is running, another automation rule could still do something...
Can't you just create a custom rule (don't use a rule template or its name)? That way, whatever automation you've got for updating analytics rules won't match your rule to an existing template and force it to update.
We thought about that, but the problem is how to update the custom rule when the original rule gets an update.
Thanks for sharing your thoughts!