Rule Builder

Overview

The Rule Builder in Seqrite XDR allows you to define custom detection logic that evaluates
all events generated across the platform. Every incoming event—including process activity, file events,
network communications, registry operations, and system events—is analyzed against the rules you create.

If an event matches the defined rule conditions, an alert is automatically generated and displayed on the
Alerts page. Within the alert details, you can view the Rule Name that triggered it.

Rules help you:

  • Generate actionable alerts for specific behaviors
  • Increase visibility across your infrastructure
  • Forecast and mitigate attacks
  • Maintain a forensic trail for investigations
  • Distinguish normal events from malicious activity

Once created, a rule is applied immediately, in real time, and influences alert generation across your environment.


How Rules Work

  • Rules evaluate all event types.
  • You can build rules using process, file, network, registry, and system indicators.
  • Rules may be simple (single condition) or complex (multi-condition with AND/OR logic).

Alert Flow

  1. An event is generated.
  2. The event is evaluated against all active rules.
  3. If matched → alert generated.
  4. The alert appears on the Alerts page with the triggering rule name.
  5. Admins/IR can assign alerts and investigate further.

Types of Rules

System Rules

  • Predefined by Seqrite Labs.
  • Automatically loaded for every new tenant.
  • Generate alerts in the same way as custom rules.

Restrictions:

  • Cannot be edited
  • Cannot be copied
  • Cannot be deleted

Allowed: Activation / deactivation only.

Custom Rules

Created by users based on their environment-specific requirements.

You can:

  • Create
  • Edit
  • Copy
  • Delete
  • Activate / Deactivate

Deactivation is useful for rules generating false positives or noise.

Access Permissions

Role                 Can Create/Edit Rules?
Super Admin          Yes
SOC Manager          Yes
Security Analyst     No
Admin                No
Read-Only User       No

Whitelisted Rules

Whitelisting allows you to suppress alerts for known safe behaviors while keeping the original detection rule active.

When to Whitelist?

  • Repeated alerts for validated internal processes
  • Trusted IPs or domains used internally
  • Legitimate command-line patterns

You can whitelist based on:

  • Process Name
  • Process Path
  • Process Command Line
  • Network Protocol, Port, IP
  • Other indicators

Create a Whitelist Rule

Method 1 — From Rule Builder

  1. Select Whitelist Rules from the Rule Builder menu.
  2. Click Create Rule.
  3. Specify desired indicators and conditions.
  4. Save the whitelist rule.

Method 2 — From Alerts Page

  1. Open the alert.
  2. Click Add to Whitelist in the right pane.
  3. Configure whitelist fields.
  4. Save.

Rule Builder Interface & Filters

Available Filters

  • All
  • Rule Name
  • Timestamp
  • Indicators
  • Created By

Platform Selection

You can specify the target OS:

  • Windows
  • macOS
  • Linux

MITRE Mapping

Each rule can be mapped to related MITRE Tactics and Techniques. These details appear in
generated alerts.


Indicators Supported

Process Indicators

Process Name, Process Path, Command Line, Parent Name, Command Line Length, Is Browser Process,
Is Process Signed, User Name, SHA2, MD5, Parent/Grandparent hashes & paths, Access permissions, cp_event_type, etc.

File Indicators

File Name, File Path, SHA2, MD5, File Type, File Attributes, New Path, Modified Hashes, etc.

Network Indicators

Protocol, Port, IP, URL, Domain Name, DNS IPs, Method, Connection Type.

Registry Indicators

Registry Key, Registry Value, Registry Value Data.

System Fields

Windows Event ID, Field of Interest.


Supported Operators

Logical Operators

  • AND
  • OR

Comparison Operators

  • =
  • contains

Best Practices

  • Always use the dropdown suggestions for indicators and operators.
  • Add a space after each indicator, operator, value, and bracket.
  • Use parentheses for complex rule structures.
  • Avoid manually typing entire expressions to prevent formatting errors.

Creating a Detection Rule

  1. Click Create Rule.
  2. Enter:
    • Rule Name
    • Severity
    • Description
    • MITRE Tactic & Technique
    • Platform (Windows/macOS/Linux)
  3. Select indicators, operators, and values from dropdowns.
  4. Add AND/OR logic as required.
  5. Preview the rule.
  6. Save the rule.

Example Rules

Example 1: Suspicious External Communication

IP = 4.4.4.4 AND Port = 80

Example 2: Process Using Network Port

Process Name = teams.exe AND Port = 80

Example 3: Suspicious PowerShell Activity

( Parent Name = svchost.exe AND Process Name = powershell.exe )
AND
( Process Command Line contains start OR Process Command Line contains add )

Example 4: MSI → CMD → Suspicious Child Process + Persistence

( Grand Parent Name = msiexec.exe AND Parent Name = cmd.exe )
AND
( Process Name = iexplorer.exe OR Process Name = reg.exe )
AND
( Registry Value contains REGISTRY\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  OR
  Registry Value contains REGISTRY\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run )
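As an added example (not Seqrite's code), a toy evaluator in Python for the rule syntax described above: it tokenizes a space-separated rule, parses AND/OR with parentheses, and evaluates it against an event dictionary keyed by indicator name. It assumes that AND binds tighter than OR where no parentheses are given and that comparisons are case-insensitive; the indicator list and the sample events in the comments are constructed.

```python
# Added example, not Seqrite's code: a toy evaluator for the rule syntax this page describes.
INDICATORS = {"Process Command Line", "Grand Parent Name", "Parent Name",
              "Process Name", "Registry Value", "IP", "Port"}   # constructed subset
KINDS = {"AND": "KW", "OR": "KW", "(": "PAR", ")": "PAR", "=": "OP", "contains": "OP"}

def tokenize(rule):
    # Rule is space-separated (the page's best practice); join multi-word indicator names.
    words, tokens, i = rule.split(), [], 0
    while i < len(words):
        for n in (3, 2, 1):                          # longest indicator name first
            cand = " ".join(words[i:i + n])
            if cand in INDICATORS:
                tokens.append(("IND", cand)); i += n; break
        else:                                        # keyword, bracket, operator or value
            w = words[i]; tokens.append((KINDS.get(w, "VAL"), w)); i += 1
    return tokens

class Parser:
    # Recursive descent: expr := term (OR term)*; term := factor (AND factor)*.
    # AND therefore binds tighter than OR (an assumption; the page's examples use brackets).
    def __init__(self, tokens): self.t, self.i = tokens, 0
    def peek(self): return self.t[self.i] if self.i < len(self.t) else (None, None)
    def take(self):
        self.i += 1; return self.t[self.i - 1]       # IndexError here means a truncated rule
    def expr(self): return self.binary("OR", self.term)
    def term(self): return self.binary("AND", self.factor)
    def binary(self, kw, sub):
        node = sub()
        while self.peek() == ("KW", kw):
            self.take(); node = (kw, node, sub())
        return node
    def factor(self):                                # '(' expr ')' | INDICATOR OP VALUE
        kind, text = self.take()
        if (kind, text) == ("PAR", "("):
            node = self.expr()
            if self.take() != ("PAR", ")"): raise ValueError("missing closing bracket")
            return node
        if kind != "IND": raise ValueError(f"expected an indicator, got {text!r}")
        (okind, op), (vkind, value) = self.take(), self.take()
        if okind != "OP" or vkind != "VAL": raise ValueError(f"bad condition on {text}")
        return ("COND", text, op, value)

def evaluate(node, event):
    # event: dict keyed by indicator name, e.g. {"Parent Name": "svchost.exe", ...} (constructed)
    if node[0] == "AND": return evaluate(node[1], event) and evaluate(node[2], event)
    if node[0] == "OR": return evaluate(node[1], event) or evaluate(node[2], event)
    _, ind, op, value = node
    actual = str(event.get(ind, "")).lower()        # case-insensitive match: an assumption
    return actual == value.lower() if op == "=" else value.lower() in actual

def matches(rule, event):
    p = Parser(tokenize(rule)); tree = p.expr()      # True means this event would raise an alert
    if p.i != len(p.t): raise ValueError("unexpected tokens after the rule")
    return evaluate(tree, event)
```

Feeding Example 3 from this page to matches() with a constructed event whose Parent Name is svchost.exe, Process Name is powershell.exe and command line contains "Start-Sleep" returns True; the same rule with Parent Name explorer.exe returns False.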