{% extends "siem/base.html" %} {% block sub-title %}Limit Rule - {{ lr }} | {% endblock %} {% block content-main %}

<h1>{{ lr }} (Limit Rule)</h1>

Edit · Delete · Index

<h2>Rule Settings</h2>

<table>
<tr><th>Attribute</th><th>Setting</th><th>Description</th></tr>
<tr><td>ID</td><td>{{ lr.id }}</td><td>The limit rule's internal ID.</td></tr>
<tr><td>Built-in?</td><td>{{ lr.is_builtin }}</td><td>Whether the limit rule is built in to LogESP.</td></tr>
<tr><td>Name</td><td>{{ lr.name }}</td><td>The rule name.</td></tr>
<tr><td>Desc</td><td>{{ lr.desc }}</td><td>The rule description.</td></tr>
<tr><td>Enabled?</td><td>{{ lr.is_enabled }}</td><td>Whether the rule is enabled.</td></tr>
<tr><td>Reversed?</td><td>{{ lr.reverse_logic }}</td><td>Whether the rule logic is reversed (events that do not match the criteria are counted).</td></tr>
<tr><td>Rule Events?</td><td>{{ lr.rule_events }}</td><td>Whether the rule watches rule events (vs. log events).</td></tr>
<tr><td>Category</td><td>{{ lr.rule_category }}</td><td>The rule category.</td></tr>
<tr><td>Event Lifespan (local)</td><td>{{ lr.local_lifespan_days }}</td><td>The lifespan (in days) of resulting events in the local database.</td></tr>
<tr><td>Event Lifespan (backup)</td><td>{{ lr.backup_lifespan_days }}</td><td>The lifespan (in days) of backup copies of resulting events.</td></tr>
<tr><td>Alerts Enabled?</td><td>{{ lr.email_alerts }}</td><td>Whether the rule triggers email alerts.</td></tr>
<tr><td>Email Alert Users</td><td>{{ lr.alert_users }}</td><td>Users to alert via email.</td></tr>
<tr><td>Message</td><td>{{ lr.message }}</td><td>The message for events created by the rule.</td></tr>
</table>

<h2>Timing and Severity</h2>

<table>
<tr><th>Attribute</th><th>Setting</th><th>Description</th></tr>
<tr><td>Severity</td><td>{{ lr.severity }}</td><td>The rule's severity.</td></tr>
<tr><td>Severity Modifier</td><td>{{ lr.severity_modifier }}</td><td>The multiplier for severity when calculating magnitude.</td></tr>
<tr><td>Overkill Modifier</td><td>{{ lr.overkill_modifier }}</td><td>The multiplier for the overkill ratio when calculating magnitude.</td></tr>
<tr><td>Time Interval</td><td>{{ lr.time_int }}</td><td>The time interval for the rule to monitor.</td></tr>
<tr><td>Event Limit</td><td>{{ lr.event_limit }}</td><td>The number of events to allow within the time interval before triggering the rule.</td></tr>
</table>

<h2>Basic Criteria</h2>

<table>
<tr><th>Attribute</th><th>Setting</th><th>Description</th></tr>
<tr><td>Event Type</td><td>{% if lr.event_type %}{{ lr.event_type }}{% endif %}</td><td>The event type for the rule to monitor.</td></tr>
<tr><td>Message Filter</td><td>{% if lr.message_filter_regex %}{{ lr.message_filter_regex }}{% endif %}</td><td>Search criteria for the event's message attribute (case insensitive regex).</td></tr>
</table>

<h2>Log Event Criteria</h2>

<h3>Regular Expression Filters</h3>

<p>All regular expression filters use case insensitive regular expressions. An empty filter matches every event.</p>

<table>
<tr><th>Attribute</th><th>Setting</th><th>Description</th></tr>
<tr><td>Log Source Filter</td><td>{% if lr.log_source_filter_regex %}{{ lr.log_source_filter_regex }}{% endif %}</td><td>Search criteria for the event's log_source attribute.</td></tr>
<tr><td>Source Process Filter</td><td>{% if lr.process_filter_regex %}{{ lr.process_filter_regex }}{% endif %}</td><td>Search criteria for the event's source_process attribute.</td></tr>
<tr><td>Action Filter</td><td>{% if lr.action_filter_regex %}{{ lr.action_filter_regex }}{% endif %}</td><td>Search criteria for the event's action attribute.</td></tr>
<tr><td>Interface Filter</td><td>{% if lr.interface_filter_regex %}{{ lr.interface_filter_regex }}{% endif %}</td><td>Search criteria for the event's interface attribute.</td></tr>
<tr><td>Status Filter</td><td>{% if lr.status_filter_regex %}{{ lr.status_filter_regex }}{% endif %}</td><td>Search criteria for the event's status attribute.</td></tr>
<tr><td>Source Host Filter</td><td>{% if lr.source_host_filter_regex %}{{ lr.source_host_filter_regex }}{% endif %}</td><td>Search criteria for the event's source_host attribute.</td></tr>
<tr><td>Source Port Filter</td><td>{% if lr.source_port_filter_regex %}{{ lr.source_port_filter_regex }}{% endif %}</td><td>Search criteria for the event's source_port attribute.</td></tr>
<tr><td>Dest Host Filter</td><td>{% if lr.dest_host_filter_regex %}{{ lr.dest_host_filter_regex }}{% endif %}</td><td>Search criteria for the event's dest_host attribute.</td></tr>
<tr><td>Dest Port Filter</td><td>{% if lr.dest_port_filter_regex %}{{ lr.dest_port_filter_regex }}{% endif %}</td><td>Search criteria for the event's dest_port attribute.</td></tr>
<tr><td>Command Filter</td><td>{% if lr.command_filter_regex %}{{ lr.command_filter_regex }}{% endif %}</td><td>Search criteria for the event's command attribute.</td></tr>
<tr><td>Source User Filter</td><td>{% if lr.source_user_filter_regex %}{{ lr.source_user_filter_regex }}{% endif %}</td><td>Search criteria for the event's source_user attribute.</td></tr>
<tr><td>Target User Filter</td><td>{% if lr.target_user_filter_regex %}{{ lr.target_user_filter_regex }}{% endif %}</td><td>Search criteria for the event's target_user attribute.</td></tr>
<tr><td>Path Filter</td><td>{% if lr.path_filter_regex %}{{ lr.path_filter_regex }}{% endif %}</td><td>Search criteria for the event's path attribute.</td></tr>
<tr><td>Parameters Filter</td><td>{% if lr.parameters_filter_regex %}{{ lr.parameters_filter_regex }}{% endif %}</td><td>Search criteria for the event's parameters attribute.</td></tr>
<tr><td>Referrer Filter</td><td>{% if lr.referrer_filter_regex %}{{ lr.referrer_filter_regex }}{% endif %}</td><td>Search criteria for the event's referrer attribute.</td></tr>
<tr><td>Raw Text Filter</td><td>{% if lr.raw_text_filter_regex %}{{ lr.raw_text_filter_regex }}{% endif %}</td><td>Search criteria for the raw event text.</td></tr>
</table>

<h3>List Matching</h3>

<table>
<tr><th>Attribute</th><th>Setting</th><th>Description</th></tr>
<tr><td>Match List File Path</td><td>{% if lr.match_list_path %}{{ lr.match_list_path }}{% endif %}</td><td>The path of the match list file on the LogESP server.</td></tr>
<tr><td>Match Field</td><td>{% if lr.match_field %}{{ lr.match_field }}{% endif %}</td><td>The event field to compare to the match list.</td></tr>
<tr><td>Allow List</td><td>{{ lr.match_allowlist }}</td><td>Use the list as an allowlist (values not in the list match) instead of a blocklist (values in the list match).</td></tr>
</table>

<h2>Rule Event Criteria</h2>

<table>
<tr><th>Attribute</th><th>Setting</th><th>Description</th></tr>
<tr><td>Magnitude Filter</td><td>{% if lr.magnitude_filter %}{{ lr.magnitude_filter }}{% endif %}</td><td>The minimum magnitude a rule event must have to count toward the rule.</td></tr>
<tr><td>Rule Name Filter</td><td>{% if lr.rulename_filter_regex %}{{ lr.rulename_filter_regex }}{% endif %}</td><td>Search criteria for the name of the event's source rule (case insensitive regex).</td></tr>
</table>
{% endblock %}