Правила послідовності

<?xml version="1.0" encoding="utf-8"?>

<rule>

  <definition>

    <sequence count="2" maxSpan="1m">

      <detection>

        <definition>

          <process>

            <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="notepad" />

          </process>

          <operations>

            <operation type="Detection">

              <condition component="InspectDetection" property="RuleName" condition="contains" value="Rule 01"/>

            </operation>

          </operations>

        </definition>

      </detection>

      <detection>

        <definition>

          <process>

            <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="notepad" />

          </process>

          <operations>

            <operation type="Detection">

              <operator type="and">

                <condition component="InspectDetection" property="RuleName" condition="contains" value="Rule 02"/>

                <condition component="InspectDetection" property="RuleCategory" condition="is" value="Custom category"/>

                <condition component="InspectDetection" property="RuleSeverity" condition="is" value="Threat"/>

              </operator>

            </operation>

          </operations>

        </definition>

      </detection>

      <aggregateOn>

        <property name="Computer"/>

        <property name="Process"/>

        <property name="ParentProcess"/>

      </aggregateOn>

    </sequence>

  </definition>

  <description>

    <name>Notepad triggered sequence of detections</name>

    <category>

      Default

    </category>

  </description>

  <actions>

    <action name="ReportIncident"/>

  </actions>

</rule>