Rule Builder

1. Overview

The Rule Builder in Seqrite XDR allows you to define custom detection logic that evaluates
all events generated across the platform. Every incoming event, including process activity, file events,
network communications, registry operations, and system events, is analyzed against the rules you create.

If an event matches the defined rule conditions, an alert is automatically generated and displayed on the
Alerts page. Within the alert details, you can view the Rule Name that triggered it.

Rules help you:

  • Generate actionable alerts for specific behaviors
  • Increase visibility across your infrastructure
  • Forecast and mitigate attacks
  • Maintain a forensic trail for investigations
  • Distinguish normal events from malicious activity

Once created, rules are applied immediately in real time and influence alert generation across your environment.


2. How Rules Work

  • Rules evaluate all event types.
  • You can build rules using process, file, network, registry, and system indicators.
  • Rules may be simple (single condition) or complex (multi-condition with AND/OR logic).

Alert Flow

  1. An event is generated.
  2. The event is evaluated against all active rules.
  3. If the event matches, an alert is generated.
  4. The alert appears on the Alerts page with the name of the triggering rule.
  5. Admins/IR can assign alerts and investigate further.

3. Types of Rules

3.1 System Rules

  • Predefined by Seqrite Labs.
  • Automatically loaded for every new tenant.
  • Generate alerts in the same way as custom rules.

Restrictions:

  • Cannot be edited
  • Cannot be copied
  • Cannot be deleted

Permitted: Activation / deactivation only.

3.2 Custom Rules

Created by users based on their environment-specific requirements.

You can:

  • Create
  • Edit
  • Copy
  • Delete
  • Activate / Deactivate

Deactivation is useful for rules generating false positives or noise.

Access Permissions

Role                 Can Create/Edit Rules?
Super Admin          Yes
SOC Manager          Yes
Security Analyst     No
Admin                No
Read-Only User       No

4. Whitelisted Rules

Whitelisting allows you to suppress alerts for known safe behaviors while keeping the original detection rule active.

When to Whitelist?

  • Repeated alerts for validated internal processes
  • IPs or domains used internally
  • Legitimate command-line patterns

You can whitelist based on:

  • Process Name
  • Process Path
  • Process Command Line
  • Network Protocol, Port, IP
  • Other indicators

Create a Whitelist Rule

Method 1 — From Rule Builder

  1. Select Whitelist Rules from the Rule Builder menu.
  2. Click Create Rule.
  3. Specify desired indicators and conditions.
  4. Save the whitelist rule.

Method 2 — From Alerts Page

  1. Open the alert.
  2. Click Add to Whitelist in the right-hand pane.
  3. Configure whitelist fields.
  4. Save.

5. Rule Builder Interface & Filters

Available Filters

  • All
  • Rule Name
  • Timestamp
  • Created By

Platform Selection

You can specify the target OS:

  • Windows
  • macOS
  • Linux

MITRE Mapping

Each rule can be mapped to related MITRE Tactics and Techniques. These details appear in
generated alerts.


6. Indicators Supported

Process Indicators

Process Name, Process Path, Command Line, Parent Name, Command Line Length, Is Browser Process,
Is Process Signed, User Name, SHA2, MD5, Parent/Grandparent hashes & paths, Access permissions, cp_event_type, etc.

File Indicators

File Name, File Path, SHA2, MD5, File Type, File Attributes, New Path, Modified Hashes, etc.

Network Indicators

Protocol, Port, IP, URL, Domain Name, DNS IPs, Method, Connection Type.

Registry Indicators

Registry Key, Registry Value, Registry Value Data.

System Fields

Windows Event ID, Field of Interest.


7. Supported Operators

Logical Operators

  • AND
  • OR

Comparison Operators

  • =
  • contains

8. Best Practices

  • Always use the dropdown suggestions for indicators and operators.
  • Add a space after each indicator, operator, value, and bracket.
  • Use parentheses for complex rule structures.
  • Avoid manually typing entire expressions to prevent formatting errors.

9. Creating a Detection Rule

  1. Click Create Rule.
  2. Enter:
    • Rule Name
    • Severity
    • Description
    • MITRE Tactic & Technique
    • Platform (Windows/macOS/Linux)
  3. Select indicators, operators, and values from dropdowns.
  4. Add AND/OR logic as required.
  5. Preview the rule.
  6. Save the rule.

10. Example Rules

Example 1: Suspicious External Communication

IP = 4.4.4.4 AND Port = 80

Example 2: Process Using Network Port

Process Name = teams.exe AND Port = 80

Example 3: Suspicious PowerShell Activity

( Parent Name = svchost.exe AND Process Name = powershell.exe )
AND 
( Process Command Line contains start OR Process Command Line contains add )

Example 4: MSI → CMD → Suspicious Child Process + Persistence

( Grand Parent Name = msiexec.exe AND Parent Name = cmd.exe )
AND
( Process Name = iexplorer.exe OR Process Name = reg.exe )
AND
( Registry Value contains REGISTRY\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  OR
  Registry Value contains REGISTRY\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run )
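As an added illustration (not Seqrite's own engine or code), the Python below evaluates rules written in the expression syntax shown in Sections 7, 8 and 10 against constructed events and applies the whitelist suppression described in Section 4. It assumes space-separated tokens as the Best Practices require, single-word values, AND binding tighter than OR (the page advises parentheses rather than relying on precedence), and case-insensitive comparison; the indicator names come from the page's examples, and the whitelist entry is constructed.

```python
"""Added example (not Seqrite's engine): evaluates rules written in this page's Rule Builder syntax.
Assumes space-separated tokens (Best Practices), single-token values, case-insensitive matching."""
PRECEDENCE = ("OR", "AND")   # lowest first: AND binds tighter than OR (assumption; the page advises parentheses)

def parse_expr(tokens, level=0):   # left-associative chain of PRECEDENCE[level]; deeper levels bind tighter
    if level == len(PRECEDENCE):
        return parse_atom(tokens)
    node = parse_expr(tokens, level + 1)
    while tokens[:1] == [PRECEDENCE[level]]:
        tokens.pop(0)
        node = (PRECEDENCE[level], node, parse_expr(tokens, level + 1))
    return node

def parse_atom(tokens):   # either "( expr )" or "<indicator words> <operator> <value>"
    if tokens[:1] == ["("]:
        tokens.pop(0)
        node = parse_expr(tokens)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("unbalanced parentheses")
        return node
    words = []
    while tokens and tokens[0] not in ("=", "contains"):   # indicator names can span several words
        words.append(tokens.pop(0))
    if not words or len(tokens) < 2:
        raise ValueError("expected '<indicator> <operator> <value>'")
    return (tokens.pop(0), " ".join(words), tokens.pop(0))   # (operator, indicator, value)

def evaluate(node, event):
    kind, left, right = node
    if kind in PRECEDENCE:
        lhs, rhs = evaluate(left, event), evaluate(right, event)
        return (lhs and rhs) if kind == "AND" else (lhs or rhs)
    actual = str(event.get(left, "")).lower()   # an indicator absent from the event never matches
    return actual == right.lower() if kind == "=" else right.lower() in actual

def matches(rule, event):
    tokens = rule.split()
    tree = parse_expr(tokens)
    if tokens:   # leftover input such as a stray ")"
        raise ValueError("unexpected token: " + tokens[0])
    return evaluate(tree, event)

def alert_for(rule_name, rule, whitelist_rules, event):   # Rule Name to show on the Alerts page, or None
    if not matches(rule, event) or any(matches(w, event) for w in whitelist_rules):
        return None   # no match, or a whitelist rule suppresses the alert (the rule itself stays active)
    return rule_name

EXAMPLE_3 = ("( Parent Name = svchost.exe AND Process Name = powershell.exe ) AND "   # Example 3 on this page
             "( Process Command Line contains start OR Process Command Line contains add )")
WHITELIST = ["Process Command Line contains it-patch-start.ps1"]   # constructed entry for one validated script
```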