ESET Online Help

Extended incident rules

Threshold rules

Threshold rules enable you to create incidents when a defined number of detections occur in a given time period.

Example:

<?xml version="1.0" encoding="utf-8"?>
<rule>
  <definition>
    <threshold count="3" interval="900s">
      <detection>
        <definition>
          <process>
            <operator type="or">
              <condition component="FileItem" property="FileName" condition="is" value="notepad.exe"/>
              <condition component="FileItem" property="FileName" condition="is" value="cmd.exe"/>
            </operator>
          </process>
          <operations>
            <operation type="Detection">
              <operator type="or">
                <condition component="InspectDetection" property="RuleName" condition="contains" value="PB000"/>
                <condition component="InspectDetection" property="RuleName" condition="contains" value="PB001"/>
              </operator>
            </operation>
          </operations>
        </definition>
      </detection>
      <cardinality>
        <property name="computerName" value="1" />
        <property name="ruleName" value="2" />
      </cardinality>
    </threshold>
  </definition>
  <actions>
    <action name="ReportIncident" aggregateOn="TimeAndComputers" aggregationParameter="8h"/>
  </actions>
  <description>
    <name>threshold rule</name>
    <category>default</category>
  </description>
</rule>

Things to notice in the rule example above:

1. This rule is defined with a threshold that has two parameters:

   a. count: the number of occurrences required for the action to trigger.

   b. interval: tied to the cardinality. For the count to increase, the cardinality condition has to be met within this time frame.

2. The first condition for the count to increase is a detection from a process whose file name is either notepad.exe or cmd.exe.

3. The second condition is InspectDetection, where the triggered rule name contains either PB000 or PB001.

4. The third condition is cardinality. In the example above, for the count to increase, the detection must occur on one unique computer and in two unique rules. Possible values for cardinality are:

   a. computerName

   b. ruleName

5. If all three conditions are met, the count is increased.

6. The only available action is ReportIncident.

Sequence rules

Sequence rules enable you to create incidents when detections occur in a specific sequence.

Example:

<?xml version="1.0" encoding="utf-8"?>
<rule>
  <definition>
    <sequence count="2" maxSpan="1m">
      <detection>
        <definition>
          <process>
            <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="notepad" />
          </process>
          <operations>
            <operation type="Detection">
              <condition component="InspectDetection" property="RuleName" condition="contains" value="Rule 01"/>
            </operation>
          </operations>
        </definition>
      </detection>
      <detection>
        <definition>
          <process>
            <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="notepad" />
          </process>
          <operations>
            <operation type="Detection">
              <operator type="and">
                <condition component="InspectDetection" property="RuleName" condition="contains" value="Rule 02"/>
                <condition component="InspectDetection" property="RuleCategory" condition="is" value="Custom category"/>
                <condition component="InspectDetection" property="RuleSeverity" condition="is" value="Threat"/>
              </operator>
            </operation>
          </operations>
        </definition>
      </detection>
      <aggregateOn>
        <property name="Computer"/>
        <property name="Process"/>
        <property name="ParentProcess"/>
      </aggregateOn>
    </sequence>
  </definition>
  <description>
    <name>Notepad triggered sequence of detections</name>
    <category>
      Default
    </category>
  </description>
  <actions>
    <action name="ReportIncident"/>
  </actions>
</rule>

Things to notice in the rule example above:

1. The sequence tag specifies how many times the entire sequence has to match for the incident to be created (count) and the maximum time between the first detection and the last detection in the sequence (maxSpan).

2. In the example above, for the sequence rule to trigger, Rule 01 and Rule 02 have to trigger a detection in that order twice within the span of 1 minute.

3. The aggregateOn tag specifies the conditions by which rule triggers should be grouped together. Possible values are:

   a. Computer

   b. Process

   c. ParentProcess

4. The only available action is ReportIncident.
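A small validator for the two rule shapes described above (threshold and sequence), written here as an added example and not ESET's own tooling: it checks that count is a positive integer, that interval or maxSpan uses the s/m/h suffixes the examples show, that cardinality and aggregateOn use only the documented property names, and that every action is ReportIncident. It assumes that a sequence needs at least two detection steps and that s, m and h are the only duration units; BAD_RULE is a constructed sample with two deliberate mistakes.

```python
import re
import xml.etree.ElementTree as ET
# The only values the page documents for these slots.
CARDINALITY_PROPS = {"computerName", "ruleName"}
AGGREGATE_PROPS = {"Computer", "Process", "ParentProcess"}
ALLOWED_ACTIONS = {"ReportIncident"}
UNITS = {"s": 1, "m": 60, "h": 3600}  # suffixes used on the page: 900s, 1m, 8h

def parse_duration(text):
    """'900s' -> 900, '1m' -> 60, '8h' -> 28800; ValueError for anything else."""
    m = re.fullmatch(r"(\d+)([smh])", text or "")
    if not m:
        raise ValueError(f"bad duration {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def lint_rule(xml_text):
    """Return a list of problems; an empty list means the rule looks valid."""
    root = ET.fromstring(xml_text)
    block = root.find("definition/threshold")
    if block is not None:  # threshold rule: interval + cardinality, 1+ detection
        span, group, allowed, need = "interval", "cardinality", CARDINALITY_PROPS, 1
    else:                  # sequence rule: maxSpan + aggregateOn, 2+ detections (assumed)
        block = root.find("definition/sequence")
        span, group, allowed, need = "maxSpan", "aggregateOn", AGGREGATE_PROPS, 2
    if block is None:
        return ["definition must contain <threshold> or <sequence>"]
    problems, kind = [], block.tag
    if not (block.get("count") or "").isdigit() or int(block.get("count")) < 1:
        problems.append(f"{kind} count must be a positive integer")
    try:
        parse_duration(block.get(span))
    except ValueError as e:
        problems.append(f"{kind} {span}: {e}")
    if len(block.findall("detection")) < need:
        problems.append(f"{kind} needs at least {need} <detection> element(s)")
    for p in block.findall(f"{group}/property"):
        if p.get("name") not in allowed:
            problems.append(f"unknown {group} property {p.get('name')!r}")
    for a in root.findall("actions/action"):
        if a.get("name") not in ALLOWED_ACTIONS:
            problems.append(f"unsupported action {a.get('name')!r}")
    return problems

BAD_RULE = """<rule><definition><threshold count="3" interval="15min">
  <detection><definition><process>
    <condition component="FileItem" property="FileName" condition="is" value="cmd.exe"/>
  </process></definition></detection>
  <cardinality><property name="hostName" value="1"/></cardinality>
</threshold></definition><actions><action name="ReportIncident"/></actions></rule>"""
# BAD_RULE is a constructed sample with two deliberate mistakes for lint_rule() to flag.
```

Running lint_rule on a rule before importing it catches the typo-class mistakes (a bad duration suffix, an unknown cardinality or aggregateOn property) that would otherwise surface only as a rule that never fires.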