Creating a rule

    1. Go to Dashboard > Rule Builder. Existing rules, if any, are listed.
    2. Click Create Rule.
    3. In the Rule Name section, enter a name for the rule.
    4. Select the severity of the alert that this rule generates: High, Medium, Low, or Informative.
    5. Enter a description for the rule in the designated text box.
    6. Select Tactics from the list. Selected tactics appear in the box. Tactics represent the "why" of an ATT&CK technique or sub-technique: the adversary's tactical goal, the reason for performing an action. Example: TA0001, Initial Access, means the adversary is trying to get into your network.
    7. Select the Techniques belonging to those tactics from the list. Selected techniques appear in the box. When an alert is generated by this rule, the Alert page details list the tactics, each linked to https://attack.mitre.org/tactics/ for more information.
    8. In the Create Detection Rule section, click View All Indicators to view the indicators available for building the detection rule. You can build a rule from process, file, network, registry, and Windows Event ID indicators.
    9. In the text box below Enter Rule Conditions, start typing the indicator you want to use. The suggestions change dynamically as you type; browse the listed entries and select the appropriate indicator.
    10. Enter the comparison operator you want to use. For example, to match the process name Teams.exe, use the = sign and type teams.exe.
    11. Use the logical operator AND to add another condition to the rule query. All conditions joined by AND must hold for the same event before the rule matches.
    12. Enter the Root Cause Analysis Description.
    13. Click Proceed. The Advanced Options window appears.
    14. Select Process Level from the list. This field is optional.
    15. Select Alert Level from the list. This field is optional.
    16. Select Join Column from the list.
    17. Select the platform (Windows, Linux, macOS) to which this rule applies by tagging it accordingly. The rule is then evaluated only on hosts of the tagged platforms.
    18. Click Validate & Save.
  • Note: The rule is saved and applied immediately. Whenever the conditions specified in the rule are met on any host, a corresponding alert is generated on the XDR console.
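The steps above describe a rule as a set of indicator conditions joined by AND, tagged with a severity, ATT&CK tactics and techniques, and a platform. The following is an added example, not code from the product or its documentation, that evaluates such a rule against constructed sample host events so the matching semantics are concrete. The condition grammar (`indicator op value`, joined by AND), the indicator names such as `process.name` and `network.remote_port`, the operators, and the event fields are all assumptions for illustration; the console's real syntax may differ. Process names are compared case-insensitively, since Windows file names are case-insensitive and a rule typed as `teams.exe` should still match `Teams.exe`.

```python
"""Evaluate a Rule Builder-style detection rule against sample events (added example)."""
import re
from dataclasses import dataclass, field

# Assumed clause grammar: "<indicator> <op> <value>". Operators and indicator
# names are hypothetical placeholders, not the console's real syntax.
_CLAUSE = re.compile(r"^\s*([\w.]+)\s*(!=|=|contains)\s*(.+?)\s*$", re.IGNORECASE)


@dataclass
class Rule:
    name: str
    severity: str                 # High / Medium / Low / Informative
    tactics: list
    techniques: list
    condition: str                # clauses joined by AND
    platforms: list = field(default_factory=lambda: ["Windows"])


def parse_condition(condition):
    """Split an AND-joined condition into (indicator, op, value) clauses."""
    clauses = []
    for part in re.split(r"\s+AND\s+", condition, flags=re.IGNORECASE):
        m = _CLAUSE.match(part)
        if not m:
            raise ValueError(f"unparseable clause: {part!r}")
        clauses.append((m.group(1).lower(), m.group(2).lower(), m.group(3)))
    return clauses


def _match(op, actual, expected):
    # Windows process and file names are case-insensitive, so fold case
    # before comparing; numeric fields are compared as strings here.
    a, e = str(actual).casefold(), str(expected).casefold()
    if op == "=":
        return a == e
    if op == "!=":
        return a != e
    if op == "contains":
        return e in a
    raise ValueError(f"unsupported operator {op!r}")


def evaluate(rule, event):
    """Return an alert dict if every clause holds for this event, else None."""
    # Platform tagging: the rule is only evaluated on hosts it is tagged for.
    if event.get("platform") not in rule.platforms:
        return None
    for indicator, op, value in parse_condition(rule.condition):
        # A missing indicator can never satisfy a clause.
        if indicator not in event or not _match(op, event[indicator], value):
            return None
    return {
        "rule": rule.name,
        "severity": rule.severity,
        "host": event["host"],
        "tactics": rule.tactics,
        "techniques": rule.techniques,
    }


def run(rule, events):
    """Evaluate the rule over a stream of events and collect the alerts."""
    return [alert for alert in (evaluate(rule, ev) for ev in events) if alert]


# Hypothetical rule: a Teams.exe process opening an outbound connection to
# port 4444, tagged for Windows only.
RULE = Rule(
    name="Teams outbound to 4444",
    severity="High",
    tactics=["TA0011"],            # Command and Control
    techniques=["T1071"],          # Application Layer Protocol
    condition="process.name = teams.exe AND network.remote_port = 4444",
    platforms=["Windows"],
)

# Constructed sample events (not real telemetry).
EVENTS = [
    {"host": "WS-01", "platform": "Windows", "process.name": "Teams.exe",
     "network.remote_port": 4444},                       # matches: case folded
    {"host": "SRV-02", "platform": "Linux", "process.name": "teams.exe",
     "network.remote_port": 4444},                       # skipped: platform tag
    {"host": "WS-03", "platform": "Windows", "process.name": "Teams.exe",
     "network.remote_port": 443},                        # no match: second clause
    {"host": "WS-04", "platform": "Windows", "process.name": "Teams.exe"},
                                                         # no match: field absent
]

if __name__ == "__main__":
    for alert in run(RULE, EVENTS):
        print(alert)
```

Only the first event produces an alert: the Linux host is excluded by the platform tag, the third fails the second AND clause, and the fourth lacks the network indicator altogether. When testing a new rule, include a near-miss event for each clause like the ones above so you can confirm the AND logic is as narrow as intended before the rule goes live.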

Deleting a rule
