Sequence rules
Sequence rules enable you to create incidents when detections occur in a specific sequence.
Example:
<?xml version="1.0" encoding="utf-8"?>
<rule>
  <definition>
    <sequence count="2" maxSpan="1m">
      <detection>
        <definition>
          <process>
            <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="notepad" />
          </process>
          <operations>
            <operation type="Detection">
              <condition component="InspectDetection" property="RuleName" condition="contains" value="Rule 01"/>
            </operation>
          </operations>
        </definition>
      </detection>
      <detection>
        <definition>
          <process>
            <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="notepad" />
          </process>
          <operations>
            <operation type="Detection">
              <operator type="and">
                <condition component="InspectDetection" property="RuleName" condition="contains" value="Rule 02"/>
                <condition component="InspectDetection" property="RuleCategory" condition="is" value="Custom category"/>
                <condition component="InspectDetection" property="RuleSeverity" condition="is" value="Threat"/>
              </operator>
            </operation>
          </operations>
        </definition>
      </detection>
      <aggregateOn>
        <property name="Computer"/>
        <property name="Process"/>
        <property name="ParentProcess"/>
      </aggregateOn>
    </sequence>
  </definition>
  <description>
    <name>Notepad triggered sequence of detections</name>
    <category>Default</category>
  </description>
  <actions>
    <action name="ReportIncident"/>
  </actions>
</rule>
Things to notice in the rule example above:
1. The sequence tag specifies, via count, how many times the entire sequence has to match before an incident is created, and, via maxSpan, the maximum time allowed between the first detection and the last detection in the sequence.
2. In the example above, the sequence rule triggers only when Rule 01 and Rule 02 each produce a detection, in that order, twice within the span of 1 minute.
3. The aggregateOn tag specifies the properties by which detections are grouped together when the sequence is evaluated; only detections that share the same values for all listed properties can form one sequence.
Possible values are:
- Computer
- Process
- ParentProcess
4. The only available action is ReportIncident.
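To make points 1 to 3 concrete, the following added example (not part of the original page and not ESET's implementation) models how a sequence rule like the one above is evaluated over a batch of detections: detections are grouped by the aggregateOn properties, each detection step is a predicate built from the rule's conditions, and a group produces an incident only when the steps match in order, count times, with the whole run fitting inside maxSpan. The detections and host names are constructed sample data; the assumption that unrelated detections may occur between the steps of a sequence is this model's, not a statement from the page.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Detection:
    """One detection as a sequence rule sees it (fields named after the XML properties)."""
    time: datetime
    rule_name: str
    rule_category: str
    rule_severity: str
    computer: str
    process: str          # FileItem.FileNameWithoutExtension
    parent_process: str


Step = Callable[[Detection], bool]


def step_rule_01(d: Detection) -> bool:
    # First <detection>: process name is "notepad" and RuleName contains "Rule 01".
    return d.process == "notepad" and "Rule 01" in d.rule_name


def step_rule_02(d: Detection) -> bool:
    # Second <detection>: same process condition plus the <operator type="and"> block.
    return (d.process == "notepad"
            and "Rule 02" in d.rule_name
            and d.rule_category == "Custom category"
            and d.rule_severity == "Threat")


SEQUENCE: List[Step] = [step_rule_01, step_rule_02]
AGGREGATE_ON = ("computer", "process", "parent_process")   # the <aggregateOn> properties


def sequence_repeats(dets: List[Detection], steps: List[Step], count: int, max_span: timedelta) -> bool:
    """True if `steps` match in order `count` times inside one group of time-sorted detections,
    with the whole run (first matched to last matched) lasting at most `max_span`.
    Assumption of this model: other detections may sit between matched steps."""
    needed = list(steps) * count            # e.g. [Rule 01, Rule 02, Rule 01, Rule 02]
    for start in range(len(dets)):
        if not needed[0](dets[start]):
            continue
        idx, last = 0, dets[start]
        for d in dets[start:]:              # greedy earliest match minimises the end time
            if needed[idx](d):
                idx, last = idx + 1, d
                if idx == len(needed):
                    break
        if idx == len(needed) and last.time - dets[start].time <= max_span:
            return True
    return False


def find_incidents(detections: Iterable[Detection], steps: List[Step] = SEQUENCE, count: int = 2,
                   max_span: timedelta = timedelta(minutes=1),
                   aggregate_on: Tuple[str, ...] = AGGREGATE_ON) -> List[Tuple[str, ...]]:
    """Group detections by the aggregateOn key and return the keys that would raise an incident."""
    groups = defaultdict(list)
    for d in sorted(detections, key=lambda d: d.time):
        groups[tuple(getattr(d, f) for f in aggregate_on)].append(d)
    return sorted(key for key, dets in groups.items() if sequence_repeats(dets, steps, count, max_span))


# Constructed sample detections (hypothetical hosts, all from notepad spawned by explorer).
T0 = datetime(2024, 1, 1, 12, 0, 0)


def det(secs: int, rule: str, computer: str, severity: str = "Threat",
        category: str = "Custom category") -> Detection:
    return Detection(T0 + timedelta(seconds=secs), rule, category, severity, computer, "notepad", "explorer")


SAMPLE_DETECTIONS = [
    # host-a: Rule 01 -> Rule 02 twice within 30 s -> incident
    det(0, "Rule 01", "host-a"), det(10, "Rule 02", "host-a"),
    det(20, "Rule 01", "host-a"), det(30, "Rule 02", "host-a"),
    # host-b: one Rule 02 detection has severity Warning, so only one full repetition -> no incident
    det(0, "Rule 01", "host-b"), det(10, "Rule 02", "host-b", severity="Warning"),
    det(20, "Rule 01", "host-b"), det(30, "Rule 02", "host-b"),
    # host-c: two repetitions, but the run spans 100 s > maxSpan of 1m -> no incident
    det(0, "Rule 01", "host-c"), det(10, "Rule 02", "host-c"),
    det(90, "Rule 01", "host-c"), det(100, "Rule 02", "host-c"),
    # host-d: Rule 02 fires before Rule 01, so the order never completes twice -> no incident
    det(0, "Rule 02", "host-d"), det(5, "Rule 01", "host-d"),
    det(10, "Rule 02", "host-d"), det(15, "Rule 01", "host-d"),
]

if __name__ == "__main__":
    for key in find_incidents(SAMPLE_DETECTIONS):
        print("ReportIncident for", key)
```

Running the block reports an incident for host-a only; loosening count to 1 or maxSpan to 2 minutes changes which groups qualify, which is a quick way to sanity-check a rule's thresholds before deploying it.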