Rule Builder


How rules can help

Rules apply only to endpoint telemetry data sources. Rules formulated in the context of your infrastructure environment help you to:

  • Trigger alerts and increase security awareness related to critical events on hosts.
  • Help in forecasting and mitigating future attacks on network systems.
  • Establish a forensic trail.
  • Help investigators and incident responders reach meaningful conclusions by separating noise from the events that matter and from genuinely malicious activity on hosts.

In Seqrite EDR, you can create rules based on a specific activity by a process, host, or network host, or on a combination of multiple events across hosts. After you create and save a rule, it is automatically pushed to the HawkkHunt portal, and the data received from the endpoints is analyzed against the conditions in the rule. If the conditions in the rule are met, an alert is generated and sent to the HawkkHunt console. The administrator can then assign these alerts to an incident responder (IR), or an IR can assign the cases to themselves or to another IR, to find the root cause and the extent of the infection and to carry out whatever mitigation is required.

The following indicators can be used to build rules, combined with the appropriate operators and values:

  • Process Name
  • Process Path
  • Process Command Line
  • Parent Name
  • Host Name
  • Command Line Length
  • Is Browser Process
  • File Download Option
  • Is Process Signed
  • user_name
  • proc_sha2
  • proc_md5
  • Parent Path
  • Parent Command Line
  • Parent_Bin_Is_Signed
  • Grand Parent Name
  • Grand Parent Path
  • Grand Parent Command Line
  • Grand_Parent_Bin_Is_Signed
  • cp_event_type
  • cp_given_access
  • cp_desired_access
  • cp_target_proc_name
  • File Name
  • File Path
  • SHA2
  • MD5
  • file_path
  • file_attr
  • file_new_path
  • file_md5
  • file_type
  • mod_md5
  • mod_sha2
  • mod_path
  • ehp_type
  • ehp_md5
  • ehp_sha2
  • ehp_path
  • action
  • Protocol
  • Port
  • IP
  • URL
  • nw_method
  • nw_domain_name
  • nw_dns_ips
  • nw_conn_type
  • Registry Key
  • Registry Value
  • Registry Value Data
  • Windows Event Id
  • Field of Interest

You can combine conditions in a rule with the logical operators AND and OR.

Practices to be followed while writing/adding rules

  • Select indicators and operators from the drop-down suggestions rather than typing them yourself; this avoids formatting errors.
  • Enter a space after every element of the rule: after each indicator, operator, value and bracket, and at the end of the rule.

Example 1

IP = 4.4.4.4 And Port = 80

Explanation

Let us write a rule that triggers when the IP address is 4.4.4.4 and the Port is 80.

  1. Click Create a rule.
  2. Enter a name for the rule.
  3. Select the severity for the rule.
  4. Enter the rule description.
  5. Click in the Type Rule here textbox to start building the rule. The Indicators are displayed.
  6. Select the required indicator from the list, in our example IP. You may need to scroll down to view the whole list of available indicators.
  7. Tap the spacebar once to view the available options. In this example the mathematical operator “=” and the condition “contains” are displayed.
  8. Select the “=” operator. Tap the spacebar once to view the available options. The logical operators “And” and “Or” are displayed. Select the one you need.
  9. Tap the spacebar once to view the available options. The indicator list is displayed. Start typing, or select Port from the displayed list.
  10. Tap the spacebar once to view the available options. Select “=” from the available options.
  11. Type 80 and tap the spacebar once to insert a space. The value is then added to the preview. Further options are displayed in the drop-down in case you want to add more conditions.
  12. If you do not want to set further conditions, click Save on the upper right corner. The rule is saved and added to the rules list.

Example Rule 2

Process Name = teams.exe AND Port = 80

Explanation
When you want to find all instances where hosts are running Teams.exe and using port 80 to communicate with a remote host, you can build and apply the rule above.

Example Rule 3

( Parent Name = svchost.exe AND Process Name = powershell.exe ) AND ( Process Command Line contains .start. OR Process Command Line contains .add. )

Explanation
Remote attackers frequently use valid Windows system processes on a compromised host to spread laterally to other hosts without being detected. The compromised host could also be running a program or file that starts a rogue process, or adds an instruction or command to configuration files so that the malicious file is executed on the next startup.
When you want to look up all instances where the Windows system process Service Host (SVCHOST.exe) is running PowerShell as a child process and the process command line contains a string starting with “start” or “add”, you can build and apply the rule above.

Example Rule 4

( Grand Parent Name = msiexec.exe AND Parent Name = cmd.exe ) AND ( Process Name = iexplorer.exe OR Process Name = reg.exe ) AND ( Process Command Line contains .start. OR Process Command Line contains .add. ) AND ( Registry Value contains REGISTRYSOFTWAREMicrosoftWindowsCurrentVersionRun OR Registry Value contains REGISTRYSOFTWAREWow6432NodeMicrosoftWindowsCurrentVersionRun )

Explanation
Check whether the “cmd.exe” process has launched child processes, i.e. “iexplorer.exe” or “reg.exe”, that have used .start. or .add. in the process command line and have performed registry activity whose value contains “REGISTRYSOFTWAREMicrosoftWindowsCurrentVersionRun” or “REGISTRYSOFTWAREWow6432NodeMicrosoftWindowsCurrentVersionRun”. In addition, the cmd.exe process must itself have been launched by “msiexec.exe” (the parent process of cmd.exe).
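To make the rule syntax of the examples above concrete, here is an added evaluator (example code, not Seqrite's or HawkkHunt's own engine) that tokenizes a rule written the way the builder writes it, parses the brackets, "=", "contains", And and Or, and tests the rule against one telemetry event held in a dict. It assumes a subset of the page's indicator names, that AND binds tighter than OR (the page states no precedence; its examples bracket every group), and that matching is case-insensitive; the events in the test are constructed.

```python
# Indicator subset taken from this page; the evaluator is a constructed example, not Seqrite's engine.
INDICATORS = {"Process Name", "Process Path", "Process Command Line", "Parent Name",
              "Grand Parent Name", "Host Name", "Registry Value", "IP", "Port"}
def tokenize(rule):
    # Pad brackets so a glued ')' still splits; merge multi-word indicator names, longest first.
    words, tokens, i = rule.replace("(", " ( ").replace(")", " ) ").split(), [], 0
    while i < len(words):
        for n in (3, 2, 1):                   # longest indicator name in the subset above has 3 words
            if " ".join(words[i:i + n]) in INDICATORS:
                tokens.append(("IND", " ".join(words[i:i + n]))); i += n; break
        else:
            w = words[i]; i += 1; lw = w.lower()
            kind = ("PAREN" if w in ("(", ")") else "LOGIC" if lw in ("and", "or")
                    else "OP" if lw in ("=", "contains") else "VAL")
            tokens.append((kind, w if kind in ("PAREN", "VAL") else lw))
    return tokens

class Parser:
    # Recursive descent. Assumes AND binds tighter than OR (the page states no precedence).
    def __init__(self, tokens): self.t, self.i = tokens, 0
    def peek(self): return self.t[self.i] if self.i < len(self.t) else (None, None)
    def take(self): tok = self.peek(); self.i += 1; return tok
    def chain(self, op, sub):                 # sub ( op sub )*, left-associative
        node = sub()
        while self.peek() == ("LOGIC", op):
            self.take(); node = (op, node, sub())
        return node
    def expr(self): return self.chain("or", lambda: self.chain("and", self.term))
    def term(self):                           # '(' expr ')' | INDICATOR OP VALUE
        kind, val = self.take()
        if (kind, val) == ("PAREN", "("):
            node = self.expr()
            if self.take() != ("PAREN", ")"): raise SyntaxError("missing ')'")
            return node
        if kind != "IND": raise SyntaxError(f"expected an indicator, got {val!r}")
        (ok, op), (vk, value) = self.take(), self.take()
        if ok != "OP" or vk != "VAL": raise SyntaxError(f"bad condition after {val!r}")
        return ("cond", val, op, value)

def evaluate(node, event):                    # event: dict keyed by indicator name
    if node[0] == "cond":
        _, ind, op, value = node; actual = str(event.get(ind, "")).lower()
        return actual == value.lower() if op == "=" else value.lower() in actual
    left, right = evaluate(node[1], event), evaluate(node[2], event)
    return (left and right) if node[0] == "and" else (left or right)

def matches(rule, event):
    p = Parser(tokenize(rule)); node = p.expr()
    if p.i != len(p.t): raise SyntaxError(f"unexpected {p.t[p.i][1]!r}")
    return evaluate(node, event)
```

A dangling operator such as "Parent Name = cmd.exe AND )" is rejected with a SyntaxError before any event is evaluated, which is the same class of formatting error the practices section warns about.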

Types of Rules

The following two types of rules are present:

  • System
  • Custom

System rules are predefined by the Seqrite Labs team. You can activate, deactivate, or delete the system rules.

Custom rules are rules created by the user. You can edit, copy, activate, deactivate, or delete the custom rules.
