
Rule Builder

How rules can help

Rules apply only to endpoint telemetry data sources. Rules formulated in the context of your infrastructure environment help you to:

  • Trigger alerts and increase security awareness related to critical events on hosts.
  • Help in forecasting and mitigating future attacks on network systems.
  • Establish a forensic trail.
  • Help investigators and incident responders reach meaningful conclusions by separating noise and routine events from real malicious activity on hosts.

In Seqrite HawkkHunt, you can create rules based on the activity of a single process, host, or network host, or on a combination of multiple events across hosts. After you create and save a rule, it is automatically pushed to the HawkkHunt portal, and the data received from the endpoints is analysed against the conditions in the rule. When the conditions in a rule are met, an alert is generated and sent to the HawkkHunt console. The administrator can then assign these alerts to an incident responder (IR), or an IR can assign the cases to themselves or to another IR, to find the root cause and the extent of the infection and carry out any mitigation required.

The following indicators can be used to build rules, together with the appropriate operators and values:

  • Process Name
  • Process Path
  • Process Command Line
  • Parent Name
  • Host Name
  • Command Line Length
  • Is Browser Process
  • File Download Option
  • Is Process Signed
  • user_name
  • proc_sha2
  • proc_md5
  • Parent Path
  • Parent Command Line
  • Parent_Bin_Is_Signed
  • Grand Parent Name
  • Grand Parent Path
  • Grand Parent Command Line
  • Grand_Parent_Bin_Is_Signed
  • cp_event_type
  • cp_given_access
  • cp_desired_access
  • cp_target_proc_name
  • File Name
  • File Path
  • SHA2
  • MD5
  • file_path
  • file_attr
  • file_new_path
  • file_md5
  • file_type
  • mod_md5
  • mod_sha2
  • mod_path
  • ehp_type
  • ehp_md5
  • ehp_sha2
  • ehp_path
  • action
  • Protocol
  • Port
  • IP
  • URL
  • nw_method
  • nw_domain_name
  • nw_dns_ips
  • nw_conn_type
  • Registry Key
  • Registry Value
  • Registry Value Data
  • Windows Event Id
  • Field of Interest

Conditions can be combined with the logical operators AND and OR, and grouped with parentheses, as in the examples below.

Practices to follow while writing or adding rules

  • Select indicators and operators from the drop-down suggestions rather than typing the rule freehand, to avoid formatting errors.
  • Insert a space after every element of the rule: the indicator, the operator, the value, each bracket, and the end of the rule.

Example Rule 1

IP = 4.4.4.4 And Port = 80

Explanation

Let us write a rule to detect if the IP address is 4.4.4.4 and Port is 80.

  1. Click Create a rule.
  2. Enter a name for the rule.
  3. Select the severity for the rule.
  4. Enter the rule description.
  5. Click in the Type Rule here text box to start building the rule. The indicators are displayed.
  6. Select the required indicator from the list, in this example IP. You may need to scroll down to view the whole list of available indicators.
  7. Tap the spacebar once to view the available options. In this example the comparison operator "=" and the condition "contains" are displayed. Select the "=" operator.
  8. Type the value 4.4.4.4 and tap the spacebar once. The logical operators "And" and "Or" are displayed; select "And".
  9. Tap the spacebar once to view the available options. The indicator list is displayed. Start typing or select Port from the displayed list.
  10. Tap the spacebar once to view the available options. Select "=" from the available options.
  11. Type 80 and tap the spacebar once to insert a space. The value is added to the preview, and further options are displayed in the drop-down if you want to enter more conditions.
  12. If you do not want to set further conditions, click Save in the upper right corner. The rule is saved and added to the rules list.

Example Rule 2

Process Name = teams.exe AND Port = 80

Explanation
Use this rule to find every instance where a host is running teams.exe and that process communicates with a remote host over port 80.

Example Rule 3

( Parent Name = svchost.exe AND Process Name = powershell.exe ) AND ( Process Command Line contains .start. OR Process Command Line contains .add. )

Explanation
Remote attackers frequently abuse legitimate Windows system processes on a compromised host to move laterally to other hosts without being detected. The compromised host could also be running a program or file that starts a rogue process, or that adds an instruction or command to a configuration location so that the malicious file is executed at the next startup.
To look up every instance where PowerShell (powershell.exe) has been launched by the Windows Service Host process (svchost.exe) and the process command line contains "start" or "add", build and apply the above rule.

Example Rule 4

( Grand Parent Name = msiexec.exe AND Parent Name = cmd.exe ) AND ( Process Name = iexplorer.exe OR Process Name = reg.exe ) AND ( Registry Value contains \REGISTRY\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OR Registry Value contains \REGISTRY\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run )

Explanation
Check whether a cmd.exe process that was itself launched by msiexec.exe (the grandparent of the alerting process) has launched a child process named iexplorer.exe or reg.exe, and whether that child has performed registry activity on a value under \REGISTRY\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or \REGISTRY\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, the per-machine autostart locations for 64-bit and 32-bit applications. To additionally require "start" or "add" in the process command line, add a Process Command Line clause as in Example Rule 3. Note that iexplorer.exe differs from the genuine Internet Explorer binary name, iexplore.exe.
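The rule grammar used in the examples above (indicator, "=" or "contains", AND and OR, parentheses) can be dry-run offline before a rule is saved. The following Python is an added example written for this page; it is not HawkkHunt code and not Seqrite's rule engine. It implements the documented grammar for a subset of the indicator names, assumes that "=" is a case-insensitive exact match and "contains" a case-insensitive substring match (the dots in ".start." have no special meaning here, so the Example Rule 3 variant in the block drops them), assumes events are dictionaries keyed by the indicator names from the table above, and runs the rules over constructed sample events.

```python
import re

# Subset of the page's indicator names, longest first so the tokenizer takes
# "Process Command Line" before "Process Name". Event dicts use these as keys.
INDICATORS = sorted(["Process Name", "Process Command Line", "Parent Name",
                     "Grand Parent Name", "Host Name", "Registry Value", "IP",
                     "Port"], key=len, reverse=True)
_CANON = {n.lower(): n for n in INDICATORS}
# Parentheses are always split off, so "...add.)" still tokenizes without the
# recommended space; values are whitespace-delimited, as the console produces.
_TOKEN = re.compile(
    r"\(|\)|\b(?:" + "|".join(re.escape(n) for n in INDICATORS) + r")\b"
    r"|\b(?:AND|OR|contains)\b|=|[^\s()]+", re.IGNORECASE)


def tokenize(rule):
    """Split rule text into (kind, text) pairs."""
    out = []
    for text in _TOKEN.findall(rule):
        low = text.lower()
        if text in ("(", ")"):
            out.append(("PAREN", text))
        elif low in ("and", "or"):
            out.append(("LOGIC", low.upper()))
        elif low in ("=", "contains"):
            out.append(("OP", low))
        elif low in _CANON:
            out.append(("IND", _CANON[low]))
        else:
            out.append(("VALUE", text))
    return out


def compile_rule(rule):
    """Parse a rule into a predicate over event dicts; SyntaxError if malformed."""
    toks, pos = tokenize(rule), [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else ("END", "")

    def take(kind):
        k, v = peek()
        if k != kind:
            raise SyntaxError(f"expected {kind}, found {v!r} at token {pos[0]}")
        pos[0] += 1
        return v

    def expr():  # expr := term (OR term)*
        parts = [term()]
        while peek() == ("LOGIC", "OR"):
            pos[0] += 1
            parts.append(term())
        return lambda ev: any(p(ev) for p in parts)

    def term():  # term := factor (AND factor)*
        parts = [factor()]
        while peek() == ("LOGIC", "AND"):
            pos[0] += 1
            parts.append(factor())
        return lambda ev: all(p(ev) for p in parts)

    def factor():  # factor := "(" expr ")" | INDICATOR OP VALUE
        if peek() == ("PAREN", "("):
            pos[0] += 1
            inner = expr()
            if take("PAREN") != ")":
                raise SyntaxError("unbalanced parentheses")
            return inner
        field, op, value = take("IND"), take("OP"), take("VALUE").lower()
        # Assumption: "=" is a case-insensitive exact match, "contains" a
        # case-insensitive substring match with no wildcard semantics.
        if op == "=":
            return lambda ev: str(ev.get(field, "")).lower() == value
        return lambda ev: value in str(ev.get(field, "")).lower()

    predicate = expr()
    if pos[0] != len(toks):
        raise SyntaxError(f"unexpected {toks[pos[0]][1]!r} at token {pos[0]}")
    return predicate


def is_valid(rule):
    """Pre-save check for the formatting errors the practices above warn about."""
    try:
        compile_rule(rule)
        return True
    except SyntaxError:
        return False


def match_events(rule, events):
    """Host Name of every event the rule would alert on."""
    predicate = compile_rule(rule)
    return [ev["Host Name"] for ev in events if predicate(ev)]


# Constructed sample telemetry keyed by indicator name (not real HawkkHunt data).
SAMPLE_EVENTS = [
    {"Host Name": "WS-01", "Parent Name": "svchost.exe", "Process Name": "powershell.exe",
     "Process Command Line": "powershell.exe -nop -c sc.exe start updsvc"},
    {"Host Name": "WS-02", "Parent Name": "explorer.exe", "Process Name": "powershell.exe",
     "Process Command Line": "powershell.exe Get-Date"},
    {"Host Name": "WS-03", "Process Name": "teams.exe", "IP": "203.0.113.7", "Port": 80},
]
# Example Rule 3 with the dots around start/add dropped (see lead-in).
RULE_3 = ("( Parent Name = svchost.exe AND Process Name = powershell.exe ) AND "
          "( Process Command Line contains start OR Process Command Line contains add )")

if __name__ == "__main__":
    print(match_events("Process Name = teams.exe AND Port = 80", SAMPLE_EVENTS))  # ['WS-03']
    print(match_events(RULE_3, SAMPLE_EVENTS))  # ['WS-01']
    print(is_valid("( Parent Name = cmd.exe AND ) AND Process Name = reg.exe"))  # False
```

Running the file prints the host names matched by Example Rule 2 and the Example Rule 3 variant, and shows that a rule with a stray "AND" before a closing bracket, or a doubled "and And" as in a hand-typed Example Rule 1, is rejected by the parser rather than silently evaluated. The console's own operator semantics for "contains" are not documented on this page; verify them against a known event before relying on the dotted form.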

Types of Rules

There are two types of rules:
• System
• Custom
System rules are predefined by the Seqrite Labs team. You can activate, deactivate, or delete system rules.

Custom rules are rules created by the user. You can edit, copy, activate, deactivate, or delete the custom rules.

Creating a rule

    1. Go to Dashboard > Rule Builder. Existing rules if any are listed.
    2. Click Create Rule.
    3. In the Rule Name section, enter a name for the rule.
    4. Select the severity of the alert that would be generated by this rule, whether High, Medium Low, or Informative.
    5. Enter the description for the rule in the designated text box.
    6. Select Tactics from the list. Selected tactics appear in the box. Tactics represent the "why" of an ATT&CK technique or sub-technique: the adversary's tactical goal, the reason for performing an action. Example: TA0001, Initial Access, means the adversary is trying to get into your network.
    7. Select the Techniques belonging to the chosen tactics from the list. Selected techniques appear in the box. When an alert is generated by the rule, its details on the Alert page list these tactics, each linked to https://attack.mitre.org/tactics/ for more information.
    8. In the Create Detection Rule section, click View All Indicators to see the indicators available for building the detection rule. You can build a rule using the process, file, network, registry, and Windows Event Id indicators.
    9. In the text box below Enter Rule Conditions, start typing the indicator you want to use. The suggestions change dynamically as you type; select the appropriate indicator from the list.
    10. Enter the comparison operator. For example, to search for the process name teams.exe, use the = operator and type teams.exe.
    11. Use the logical operator AND (or OR) if you want to add another condition to the rule query.
    12. Enter Root Cause Analysis Description.
    13. Click Proceed. The Advanced Options window appears.
    14. Select Process Level from the list. This is an optional field.
    15. Select Alert Level from the list. This is an optional field.
    16. Select Join Column from the list.
    17. Click Validate & Save.
    Note: The rule is saved and applied immediately. Whenever the conditions specified in the rule are met on any host, a corresponding alert is generated on the HawkkHunt console.

Deleting a rule

    1. Go to Dashboard > Detection Rules/Rule Builder. Existing rules if any are listed.
    2. Click on the rule that you want to delete. The corresponding icons for Edit, Copy, and Delete (Trash) are displayed.
    3. Click the Trash icon.
    4. Click Delete on the confirmation dialog box. The rule is deleted.

Copying a rule

  1. Go to Dashboard > Detection Rules/Rule Builder. Existing rules if any are listed.
  2. Click on the rule that you want to copy. The corresponding icons for Edit, Copy, and Delete (Trash) are displayed on the extreme right side.
  3. Click the Copy icon.
  4. The description for the rule is displayed. Change the name of the rule as required.
  5. Make any changes if required to the severity, description and conditions.
  6. Click Save on the upper right corner. The rule is saved and added to the list of rules.

Editing a rule

    1. Go to Dashboard > Rule Builder. Existing rules if any are listed.
    2. Click on the rule that you want to edit. The corresponding icons for Edit, Copy, and Delete (Trash) are displayed.
    3. Click the Edit icon. The rule description fields are displayed.
    4. Make the changes required to the severity, description, and conditions.
    5. Click Save on the upper right corner. The rule is saved.

Viewing rules

You can view the rules created earlier by the administrator or by IRs. You can sort these rules by severity or timestamp, filter them by criteria, and choose to view rules created by you or by others.

  1. Go to Dashboard > Rule Builder. Existing rules if any are listed.
  2. To filter rules as per your requirements, enter the criterion in the filter box, and add more conditions as required. The displayed rule list is automatically updated as per the set criteria.
  3. To sort the rules by severity, click the corresponding icon at the top of the severity column. The displayed list is sorted accordingly.
  4. To sort the rules by Timestamp, click the corresponding icon at the top of the Timestamp column. The displayed list is sorted accordingly as per the most recent or the oldest.
  5. To filter the list by rule type or status, select one of the options: All, Custom, System, Activated, or Deactivated.
  6. To view only the rules created by you, select Me in the Created by drop-down list. By default, the list displays rules created by all users.
  7. To view rules created by all users, select All in the Created by drop-down list.
  8. To view rules created by a specific user, select that user's name in the Created by drop-down list.