Offense indexing considerations

It is important to understand how offense indexing impacts your IBM® QRadar® deployment.

System performance

Ensure that you optimize and enable all custom properties that are used for offense indexing. Using properties that are not optimized can have a negative impact on performance.

When you create a rule, you cannot select non-optimized properties in the Index offense based on field. However, if an existing rule is indexed on a custom property, and then the custom property is de-optimized, the property is still available in the offense index list. Do not de-optimize custom properties that are used in rules.

Rule action and response

When the indexed property value is null, an offense is not created, even when you select the Ensure the detected event is part of an offense check box in the rule action. For example, if a rule is configured to create an offense that is indexed by host name, but the host name in the event is empty, an offense is not created even though all of the conditions in the rule tests are met.

When the response limiter uses a custom property and the custom property value is null, the limit is applied to the null value as if it were any other value. For example, if the response is Email and the limiter is set to Respond no more than 1 time per 1 hour per custom property, and the rule fires a second time with a null property within 1 hour, no email is sent.
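As an added illustration that is not QRadar code, the following hypothetical Python model reproduces the two null-value behaviours described above on constructed events; the class `RuleModel`, its `process` method, `run_demo`, and the field name `hostname` are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Hypothetical model (not QRadar code) of offense indexing and the response
# limiter, reproducing the documented null-value behaviour on constructed events.
class RuleModel:
    def __init__(self, index_field, limit_count=1, limit_window=timedelta(hours=1)):
        self.index_field = index_field      # property the offense is indexed on
        self.limit_count = limit_count      # "Respond no more than N times"
        self.limit_window = limit_window    # "... per <window>"
        self._responses = {}                # limiter key -> list of response timestamps

    def process(self, event, when):
        """Return (offense_created, response_sent) for one event that passed the rule tests."""
        value = event.get(self.index_field)
        # A null indexed property means no offense is created, even with
        # "Ensure the detected event is part of an offense" selected.
        offense_created = value is not None
        # The limiter treats null as a key like any other value: the first null
        # response is sent, later nulls inside the window are suppressed.
        recent = [t for t in self._responses.get(value, []) if when - t < self.limit_window]
        response_sent = len(recent) < self.limit_count
        if response_sent:
            recent.append(when)
        self._responses[value] = recent
        return offense_created, response_sent

def run_demo():
    """Constructed events indexed on 'hostname' with an Email response limited to 1 per hour."""
    rule = RuleModel("hostname")
    t0 = datetime(2024, 1, 1, 12, 0)
    events = [
        (t0,                         {"hostname": "web01"}),  # offense created, email sent
        (t0 + timedelta(minutes=10), {"hostname": None}),     # no offense; first null: email sent
        (t0 + timedelta(minutes=20), {"hostname": None}),     # no offense; null limited: no email
        (t0 + timedelta(minutes=30), {"hostname": "web01"}),  # offense created; web01 limited: no email
        (t0 + timedelta(minutes=70), {"hostname": None}),     # null window expired: email sent again
    ]
    return [rule.process(event, when) for when, event in events]

if __name__ == "__main__":
    for offense_created, response_sent in run_demo():
        print(f"offense={offense_created} response={response_sent}")
```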

When you index using a custom property, the properties that you can use in the rule index and response limiter fields depend on the type of rule that you are creating. An event rule accepts custom event properties in the rule index and response limiter fields, while a flow rule accepts only custom flow properties. A common rule accepts either custom event or custom flow properties in the rule index and response limiter fields.

You cannot use custom properties to index an offense that is created by a dispatched event.

Payload contents

Offenses that are indexed by a custom property that is based on the Ariel Query Language (AQL), a regular expression (regex), or a calculation include the same payload as the initial event that generated the offense.

Offenses that are indexed by a normalized event field, such as Source IP or Destination IP, include the event name and description as the custom rules engine (CRE) payload.