Type of the Alert module rules

The various RuleType classes, defined in OP5-Log-Aalytics. An instance is held in memory for each rule, passed all of the data returned by querying Elasticsearch with a given filter, and generates matches based on that data.

• Any - The any rule will match everything. Every hit that the query returns will generate an alert.
• Blacklist - The blacklist rule will check a certain field against a blacklist, and match if it is in the blacklist.
• Whitelist - Similar to blacklist, this rule will compare a certain field to a whitelist, and match if the list does not contain the term.
• Change - This rule will monitor a certain field and match if that field changes.
• Frequency - his rule matches when there are at least a certain number of events in a given time frame.
• Spike - This rule matches when the volume of events during a given time period is spike_height times larger or smaller than during the previous time period.
• Flatline - This rule matches when the total number of events is under a given threshold for a time period.
• New Term - This rule matches when a new value appears in a field that has never been seen before.
• Cardinality - This rule matches when a the total number of unique values for a certain field within a time frame is higher or lower than a threshold.
• Metric Aggregation - This rule matches when the value of a metric within the calculation window is higher or lower than a threshold.
• Percentage Match - This rule matches when the percentage of document in the match bucket within a calculation window is higher or lower than a threshold.