Link Search Menu Expand Document

Creating a Model

Page Layout

This table lists every event bucket currently configured. Buckets can be searched and filtered using the facet on the left of the table.

The leftmost column of the table contains the “Status” toggles. Event buckets can be toggled on or off using these toggles.

The rightmost column of the table contains three “Action” buttons. The first button clones the rule, allowing the user to make changes and save it as a new rule. The second button, a pencil icon, allows the user to edit the bucket. The third button, a trash can icon, deletes the bucket.

The “EXPORT” button can be used to export all currently configured event buckets as a JSON file. Likewise, the “IMPORT” button in the top right corner of the table can be used to import a JSON file containing buckets that have already been configured. The “CREATE” button will open an “Event Watch Configuration” box to add a new event bucket. Additionally, Github integration allows downloading pre-configured rules directly from Fluency’s public Github repository.

Adding a Policy Model

As an example, we’re going to create a model to determine when SentinelOne indicates there is an infected machine. This model will display on the Policy Summary page when there are hits. First, give the event a name; in this case we’ll call it S1_Infection. Optionally, give it a description as well.

Next, assign the bucket a category. In this case, the category is SentinelOne. This allows buckets to be grouped more easily for usage and search purposes. Multiple tags can be attached to the bucket; these can also be used for searching.

In the Event type dropdown, select “resource.” A new dropdown will appear called “Resource Type.” When opened, this menu will display a list of available resources. Select the appropriate one from the list. In this case, we want to use the sentinelOneAgent resource.

Next, use filters and/or a query to select the events you want this model to match. For more detailed information on how to do this, view the Creating a Behavior Model page.

For this model, we want the fields @sentinelOneAgent.infected and @sentinelOneAgent.isActive to be true in order for there to be a match.

Begin by giving the policy model a name. Next, select the type of behavior from the following: network access, account login, application activity, and security alert. Then, select a key and key type. Hits associated with this policy model will be grouped by the selected key.

Once you have finished filling in the required fields, click “Save” at the bottom of the window to save the policy model.

Page last updated: 2021 Oct 18