Introduction
Scenarios are YAML files that describe how to detect a specific behavior, usually an attack.
Scenarios receive events and can produce alerts using the leaky bucket algorithm.
The event goes through the following steps:
- the `filter` decides event eligibility: if the expression is true, the event "enters" the bucket
- the optional `groupby` expression allows buckets to be segmented, typically by `source_ip`: this ensures each source IP has its own bucket and is accounted for properly
- the optional `distinct` expression prevents items with duplicated properties from being poured. An example usage can be found in http-sensitive-files, where it is used to ensure we're only counting distinct "bad" URIs being requested.
- the event is then finally poured into the leaky bucket: `capacity` and `leakspeed` are the two parameters that determine when/if an overflow happens
- if the bucket overflows, it can be validated by an optional `overflow_filter`
Once an overflow happens, it goes through postoverflows, which handle last-chance whitelists, before being finally turned into a potential decision by profiles.
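To make the pipeline above concrete, here is an added simulation (not CrowdSec's own code) of a scenario's filter, groupby, distinct, capacity, leakspeed and overflow_filter steps, run over constructed sample web-server events in the spirit of http-sensitive-files. The bucket model is an assumed simplification: a queue that leaks one event every `leakspeed` seconds and overflows when an event is poured while the queue already holds `capacity` events.

```python
def run_scenario(events, *, filter_fn, groupby_fn, capacity, leakspeed,
                 distinct_fn=None, overflow_filter=None):
    """One leaky bucket per groupby key; returns (key, events in bucket) per overflow.
    Assumed simplification of CrowdSec's engine: a queue leaking one event every
    `leakspeed` seconds, overflowing when poured while already holding `capacity`."""
    buckets, overflows = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not filter_fn(ev):             # 1. filter decides eligibility
            continue
        key = groupby_fn(ev)              # 2. groupby: one bucket per key
        b = buckets.setdefault(key, {"queue": [], "leak_ts": ev["ts"], "seen": set()})
        leaked = int((ev["ts"] - b["leak_ts"]) // leakspeed)
        if leaked >= len(b["queue"]):     # everything leaked away since last pour
            b["queue"], b["leak_ts"] = [], ev["ts"]
        elif leaked:
            del b["queue"][:leaked]
            b["leak_ts"] += leaked * leakspeed
        if distinct_fn is not None:       # 3. distinct: drop duplicated property
            prop = distinct_fn(ev)
            if prop in b["seen"]:
                continue
            b["seen"].add(prop)
        b["queue"].append(ev)             # 4. pour into the bucket
        if len(b["queue"]) > capacity:    # 5. overflow, validated by overflow_filter
            if overflow_filter is None or overflow_filter(key, b["queue"]):
                overflows.append((key, len(b["queue"])))
            del buckets[key]              # bucket is reset either way (assumption)
    return overflows

SAMPLE_EVENTS = [  # constructed sample web-server events (RFC 5737 addresses)
    {"ts": 0, "source_ip": "192.0.2.10", "uri": "/.env", "status": 404},
    {"ts": 1, "source_ip": "192.0.2.10", "uri": "/.env", "status": 404},
    {"ts": 2, "source_ip": "192.0.2.10", "uri": "/.git/config", "status": 404},
    {"ts": 3, "source_ip": "192.0.2.10", "uri": "/wp-config.php", "status": 404},
    {"ts": 4, "source_ip": "192.0.2.10", "uri": "/backup.zip", "status": 404},
    {"ts": 5, "source_ip": "192.0.2.10", "uri": "/index.html", "status": 200},
    {"ts": 0, "source_ip": "198.51.100.7", "uri": "/.env", "status": 404},
    {"ts": 60, "source_ip": "198.51.100.7", "uri": "/.git/config", "status": 404},
]

def sensitive_files_demo(max_window=30):
    """Toy sensitive-files scenario: 404s on a short list of paths, grouped by
    source_ip, distinct on uri, capacity 3, leakspeed 10s, burst <= max_window s."""
    sensitive = {"/.env", "/.git/config", "/wp-config.php", "/backup.zip"}
    return run_scenario(
        SAMPLE_EVENTS, capacity=3, leakspeed=10,
        filter_fn=lambda e: e["status"] == 404 and e["uri"] in sensitive,
        groupby_fn=lambda e: e["source_ip"], distinct_fn=lambda e: e["uri"],
        overflow_filter=lambda key, q: q[-1]["ts"] - q[0]["ts"] <= max_window)
```

The first source trips the bucket on its fourth distinct sensitive URI (the repeated `/.env` is not poured and the 200 response never enters), while the second source's two requests are 60 seconds apart and leak away before reaching capacity.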