Use threshold variables

Threshold variables make it possible to write rules to detect the occurrence of a fixed number of events within a specified time period. A threshold variable is initialized in the language using the threshold_create function, as shown in the following example:

threshold threshold_create( uint64 eventLimit, uint32 timePeriodMs )

where eventLimit is the number of events that must be exceeded within timePeriodMs milliseconds. For example, the following rule:

threshold t = threshold_create(10, 10000);

defines a threshold with an event limit of 10 and a time period of 10000 ms (10 seconds). If more than 10 events occur in a 10-second period, the threshold is considered to have been exceeded. To increment the event count associated with a threshold variable and check whether the threshold has been exceeded, the threshold_increment function is used.

bool threshold_increment( threshold t, uint64 increment, uint64 timestamp );

The threshold_increment function is used only within a set clause. The timestamp parameter is the time stamp associated with the event being recorded. The increment parameter indicates how much to add to the threshold counter; this value must be greater than 0.

The following rules increment the threshold variable each time a file write with high entropy occurs:

temp bool b = false;

set { b = threshold_increment(t, 1, file.timestamp); } when file.event == FILE_WRITE and file.entropy > 7.8;

If the increment causes the threshold to be exceeded, the function returns TRUE. Otherwise, it returns FALSE. In this example, the return value populates the temporary variable b, which subsequent rules then use to take action, as shown in the following example:

alert when b and...;

isolate when b and ...;
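To make the counting semantics concrete, here is an added Python model of threshold_create and threshold_increment together with the high-entropy file-write rule above. It is not the rule engine's own code; it assumes a sliding window in which a recorded event expires once it is timePeriodMs or more older than the event currently being recorded, and the file events it replays are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Threshold:
    """Model of a threshold variable: limit, window, and recent events."""
    event_limit: int
    time_period_ms: int
    events: deque = field(default_factory=deque)  # (timestamp, increment)
    total: int = 0                                # sum of increments in window

def threshold_create(event_limit: int, time_period_ms: int) -> Threshold:
    return Threshold(event_limit, time_period_ms)

def threshold_increment(t: Threshold, increment: int, timestamp: int) -> bool:
    """Record an event; return True once the count in the window exceeds the limit."""
    if increment <= 0:
        raise ValueError("increment must be greater than 0")
    # Assumed sliding-window semantics: expire events that fell out of the window.
    while t.events and timestamp - t.events[0][0] >= t.time_period_ms:
        _, old = t.events.popleft()
        t.total -= old
    t.events.append((timestamp, increment))
    t.total += increment
    return t.total > t.event_limit   # "more than" eventLimit events

FILE_WRITE = "FILE_WRITE"

def make_events():
    """Constructed sample: 11 high-entropy writes in 5 s, then noise, then a late write."""
    events = [{"event": FILE_WRITE, "entropy": 7.95, "timestamp": 500 * i} for i in range(11)]
    events.append({"event": FILE_WRITE, "entropy": 3.1, "timestamp": 5200})   # low entropy
    events.append({"event": FILE_WRITE, "entropy": 7.9, "timestamp": 5400})   # still in window
    events.append({"event": "FILE_READ", "entropy": 7.9, "timestamp": 5600})  # not a write
    events.append({"event": FILE_WRITE, "entropy": 7.9, "timestamp": 20000})  # window expired
    return events

def run_rule(events, event_limit=10, time_period_ms=10000):
    """Replay the 'set ... when' rule; return timestamps at which b became TRUE."""
    t = threshold_create(event_limit, time_period_ms)
    fired = []
    for ev in events:
        b = False
        if ev["event"] == FILE_WRITE and ev["entropy"] > 7.8:
            b = threshold_increment(t, 1, ev["timestamp"])
        if b:                      # the point where 'alert when b' would trigger
            fired.append(ev["timestamp"])
    return fired
```

The 11th qualifying write (timestamp 5000) is the first to exceed the limit of 10; the write at 20000 does not fire because every earlier event has aged out of the 10-second window.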