Rules: Templates
Description
A template-based YAML rule is a file that can instantiate an Indeni rule template.
There are two mandatory fields for all such YAML file:
rule_typeshould have the value: template-basedtemplate_nameshould use a predefined template
The other fields are template-specific.
Example
rule_type: template-based
template_name: CounterIncrease
rule_name: palo_alto_vpn_auth_errors
rule_categories:
- VendorBestPractices
rule_friendly_name: "Palo Alto Networks Firewalls: VPN dropping packets due to authentication errors"
rule_description: indeni tracks critical error metrics for VPN tunnels and alerts when these are increasing.
metric_name: vpn-tunnel-authentication-errors
applicable_metric_tag: peerip
alert_description: The VPNs listed below are experiencing packet authentication errors. This is probably due to a configuration issue.
alert_remediation_steps: Review the configurations on both sides of the tunnel.
alert_items_header: Affected VPN TunnelsSupported Templates
Rule | Description | Mandatory Fields | Optional Fields | |
|---|---|---|---|---|
| 1 | CounterIncrease | Metric type: Counter Will alert if a counter increases |
|
|
| 2 | MultiSnapshotAllValuesExistInSnapshot | Compares a complex array against a list of items to make sure that all the items exists in the complex metric |
|
|
| 3 | MultiSnapshotComplianceCheck | Checks a complex metric array against a list from user input, if any items from the user does not exist in the metric, the rule will alert |
|
|
| 4 | MultiSnapshotValueCheck | Checks a multi snapshot and compares it to the condition in the complex condition. If match, alert |
|
|
| 5 | NearingCapacity | Will match a metric against a threshold. If a limit metric is provided, the threshold will be a percentage. |
|
|
| 6 | NearingCapacityWithTimeFrame | Will match a metric against a threshold, over a time frame (time_frame_in_minutes) If a limit_metric_name is provided, the threshold will be a percentage. |
|
|
| 7 | NearingCapacityWithItems | Same as #5, but you can present alert items |
|
|
| 8 | NumericThresholdOnComplexMetricWithItems | Compares a numeric complex metric with a threshold. Optional to alert on above threshold or below |
|
|
| 9 | NumericThresholdOnDoubleMetric | Same as above, but uses double metric instead |
|
|
| 10 | NumericThresholdOnDoubleMetricWithItems | Same as above, but supports alert items as well |
|
|
| 11 | SecurityVulnerabilityChecks | Matches ranges of version numbers. If the device has a version within this range, an alert will be created. |
|
|
| 12 | SingleSnapshotComplianceCheck | Compares a single snapshot to user input(rule GUI settings) If it doesn't match, an alert is created |
|
|
| 13 | SingleSnapshotValueCheck | Checks a single snapshot and compares it to the condition in the complex condition. If match, alert |
|
|
| 14 | SnapshotComparison | Compares a metric between devices in a cluster to make sure the values are the same |
|
|
| 15 | StateDown | The most common rule by far. Looks for a 1.0 or 0.0 double metric. Per default an alert will be created if the value is 0.0. This rule has a lot of options |
|
|
| 16 | TimeIntervalThresholdOnDoubleMetric |
|
| |
| 17 | TimeThresholdOnDoubleMetricWithItems |
|
| |
| 18 | Other | |||
| 19 | DataplanePoolUsage |
|
| |
| 20 | EnabledInterfaceSnapshotComparison |
|
| |
| 21 | MultiConditionTimeSeries | Complex conditon evaluating multiple DoubleMetric metrics value |
|
|
Supported Field Definitions
{tab
Field | Usage | Type | Example | |
|---|---|---|---|---|
| 1 | alert_description | The description of the alert | String | alert_description: "Some memory elements are nearing their maximum capacity." |
| 2 | alert_description_format | A formatting string, with %f-type placeholders, into which certain values (template-dependent) are put to produce the alert description | String | alert_description_format: "There are %.0f real servers defined where the limit is %.0f." |
| 3 | alert_description_value_units | The time-unit used to convert the value from a time-delta to a number before embedding it into the alert description format | String:
| alert_description_value_units: SECOND |
| 4 | alert_if_down | If set to true, rule will alert if down, i.e. will look for state == 0.0. If set to false, rule will alert if not down, i.e. will look for state == 1.0 | Boolean | alert_if_down: false |
| 5 | alert_info_metric_tag | An alternative to applicableMetricTag for use in the description of the alert items | String | alert_info_metric_tag: alert-item-port-speed |
| 6 | alert_item_description_format | A formatting string, with %f-type placeholders, into which certain values (template-dependent) are put to produce the alert item description | String | alert_item_description_format: "%.0f packets per second." |
| 7 | alert_item_description_units | The time-unit used to convert the value from a time-delta to a number before embedding it into the alert item description format | String:
| alert_item_description_units: SECOND |
| 8 | alert_item_headline_str_metric | The name of a complex string metric used for the alert item headline | String | alert_item_headline_str_metric: isp-link-status |
| 9 | alert_items_header | The header/title of the alert items | String | alert_items_header: "ISP Links Affected" |
| 10 | alert_remediation_steps | Same as base_remediation_text. See below. This is named differently in different templates for historical reasons. | String | alert_remediation_steps: "Packet drops usually occur when the rate of packets transmitted is higher than the device ability to handle. Admin might need to provision a higher speed port (1G -> 10G -> 40G -> 100G)." |
| 11 | applicable_metric_tag | Differs between templates. Often used in the the headline/description of the alert item. When combined with items_to_ignore, the items to ignore are searched for in the value of the metric tag denoted by applicable_metric_tag. There may be other different uses | String | applicable_metric_tag: name |
| 12 | base_remediation_text | Base text for remediation steps. Additional vendor-specific texts will be appended to it | String | base_remediation_text: "Ensure a valid policy is installed." |
| 13 | complex_condition | A condition used as the metric condition for the rule, some times in combination with other conditions that are built in to the template. The syntax here is complex, and it is a similar syntax to the syntax used in the phase 2 templates which are work in progress. The syntax here also might change in the future when new features are added. We'll give examples of conditions, assuming m1, m2, m3 are metric names:
Note that capitalization is important throughout this conditions language These basic conditions can be combined with the operators AND, OR, NOT, and parenthesis can be used to control precedence e.g.: StrMetric(m1) == "an interesting string value" AND NOT DoubleMetric(m2) == 17.0 OR (DoubleMetric(m2) >= 100 AND NOT (ObjArrayMetric(m3) contains "an interesting string value" atKey "keyName")) The default precedence is: NOT is highest precedence, then AND, and OR is with lowest precedence among these three logical operators. Examples: complex_condition: "not(StrMetric(isp-link-status) == \"OK\")"
| ||
| 14 | description_metric_tag | A metric tag to be used in the alert item description | String | description_metric_tag: vs.name |
| 15 | description_string_format | This field is for power-users only and has the same structure as in Scala template-based rules | String | description_string_format: "Part of ${scope(\"bond-name\")}" |
| 16 | device_category | A category for the devices this rule is applied tot | String:
| device_category: CheckPointClusterXLVSX |
| 17 | disable_global_rule_set | disables the global rule configuration for this rule, currently defaults to true | Boolean | disable_global_rule_set: false |
| 18 | expected_value | default value for the parameter that will be defined for this rule; type: any primitive | string/boolean/number | expected_value: true |
| 19 | headline_format | a formatting string containing %f-like placeholders, into which certain values (template-dependent) are put to generate the alert headline | String | |
| 20 | history_length | Used only in StateDown template. | Int | history_length: 2 |
| 21 | include_snapshot_diff | produces in the alert item text the delta between the two snapshot metrics | include_snapshot_diff: true | |
| 22 | is_array | True whether the supplied metric is a ObjArray metric, false if it is a String metric | Boolean | is_array: true |
| 23 | item_key | The key in the objects stored in the obj array metric; | String | item_key: ip |
| 24 | item_specific_description | a list of pairs: regex and text. The regex's are checked one by one to see if they partially match the applicable metric tag value. The second item of the first pair that matches is used as the alert description. Note that the regex for the last pair should always be a "catch-all" regex to avoid unexpected errors in running this rule | item_specific_description: | |
| 25 | tems_to_ignore | a list of regexps for which | ||
| 26 | limit_metric_name | The name of the metric to evaluate to compare it to the threshold; | String | limit_metric_name: arp-limit |
| 27 | meta_condition | A condition used as the tags condition for the rule. The syntax here is complex, and it is a similar syntax to the syntax used in the phase 2 templates which are work in progress | String | meta_condition: "Tag(vsx) == \"true\"" |
| 28 | metric_name | The name of the metric. Template-dependent | String | metric_name: isp-link-status |
| 29 | metric_units | Used to convert a double metric to a time-span value | String:
| metric_units: MILLISECOND |
| 30 | minimum_value_to_alert | Acts as a lower threshold for alerting | Double | minimum_value_to_alert: 100.0 |
| 31 | os_name | Used in SecurityVulnerabilityChecks template for name of os | String | os_name: panos |
| 32 | parameter_description | The description of the user-controlled parameter that will be defined for this rule | String | parameter_description: "If this is set to \"on\" or ticked, Indeni will alert when a device that supports node monitoring does not have it configured." |
| 33 | parameter_name | The name of the user-controlled parameter that will be defined for this rule | String | parameter_name: "Should Default Node Monitors Be Configured" |
| 34 | pool_name | Used only in DataplanePoolUsage template to denote the name of the pool | pool_name: "SSH State" | |
| 35 | required_items_parameter_description | Same as parameter_description | String | required_items_parameter_description: "Enter the DNS servers required, each one on its own line." |
| 36 | required_items_parameter_name | Same as parameter_name | String | required_items_parameter_name: "DNS Servers" |
| 37 | rule_categories | The set of rule categories for this rule; type: List of String. The list must contain no duplicates. | List
| rule_categories: |
| 38 | rule_description | The description for this rule | String | rule_description: "Sometimes the routes that are defined in the Check Point Web UI or through clish may not be fully applied to the operating system layer. If this happens, Indeni will alert." |
| 39 | rule_friendly_name | A friendly, name i.e. readable by users, for this rule | String | rule_friendly_name: "Check Point Firewalls (VSX): Routes defined in clish/webUI are missing" |
| 40 | rule_name | The name of this rule | String | rule_name: chkp_firewall_routes_missing_vsx |
| 41 | samples_time_difference_threshold | Used only in SnapshotComparison template to denote a threshold of time difference, to trigger the rule | String denoting time duration | samples_time_difference_threshold: "5 minutes" |
| 42 | severity | The severity of the alert issued by this rule |
| |
| 43 | should_use_device_passive_and_passive_link_state_condition | sed in templates that have a deviceCondition in their scala version, namely SnapshotComparison and StateDown templates. generateDevicePassiveAndPassiveLinkStateCondition(context.tsDao) in the scala rules. If set to false, the default deviceCondition (always True) is used | Boolean | should_use_device_passive_and_passive_link_state_condition: true |
| 44 | should_use_history_contains_state_down_condition | If set to true, creates a generateStateDownCondition equivalent to | Boolean | should_use_history_contains_state_down_condition: true |
| 45 | snapshot_item_key | the key in the object array metric a.k.a. snapshot item | String | snapshot_item_key: category |
| 46 | snapshot_item_list | default value for the items_to_look_for parameter generated by the rule | List of Strings | |
| 47 | state_description_complex_metric_name | only used in StateDown template. A complex metric whose value is used in alert items | String | state_description_complex_metric_name: "mgmt-ha-sync-state-description" |
| 48 | threshold_direction | Whether to compare against the threshold from above or from below. When the value of threshold_direction is ABOVE, an alert is issued if metricValue >= thresholdValue and when the value of threshold_direction is BELOW, an alert is issued if metricValue < thresholdValue |
| threshold_direction: ABOVE |
| 49 | threshold | a threshold value, sometimes of type double and sometimes of type time interval, depending on the metric; | Double for
Time interval on
| Example for double type: |
| 50 | unit_converter_double_value | The metric value is divided by to yield the alert text. If not provided, it defaults to 1.0 | Double | unit_converter_double_value: 100.0 |
| 51 | usage_metric_name | The metric to check the value of, and compare it to a certain percentage of the limit value, in NearingCapacity* templates | String | usage_metric_name: memory-usage |
| 52 | usage_threshold | Used only in DataplanePoolUsage template, to denote threshold | Double | usage_threshold: 80.0 |
| 53 | vendor_severity_rating | Used as part of the alert description | String | TBD when this field will be used |
| 54 | vendor_to_remediation_text | Mapping between vendor and a string with remediation text for this alert suitable for that vendor | Map from vendor to string | vendor_to_remediation_text: |
| 55 | version_ranges | Scala sequence: versionRanges = Seq(("3.1.0", "3.1.10"), ("4.0.0", "4.0.7"), ("4.1.0", "4.1.0")) Yaml equivalent version_ranges: - - "3.1.0" - "3.1.10" - - "4.0.7" - "4.0.0" - - "4.1.0" - "4.1.0" | ||
| 56 | supported / not_supported | These attributes filter vendor_os combinations as white list and black list. These impacts only the representation in Knowledge Explorer, and does not have functional implication on the rule-engine | predefined values, as defined in the vendor and os in the IND files:
|
|