Detection Rules

  • Updated
In this article:

    Detection Rules are defined as conditional logic applied to all ingested logs. Resolution Intelligence® generates a security signal when a single case matched over a given period of time that is defined in a rule.

    With Chronicle detection, you can use more advanced rules, create your own or customize the rules to detect the threats in your IT infrastructure. The rules engine incorporates widely used detection languages globally, YARA - L. Resolution Intelligence enables you tag rules based on MITRE tactics & techniques, log source type, rule confidence and severity.

    For example, configuring a rule that detects an unusual login from different locations at unusual time (12 AM to 3 AM local time).

    Detection rules allows you to define the compliance and regulatory policies of your organization in order to scale your business growth at enterprise level and improve the relationships with other security compliant organizations.

    Configuring Detection Rules

    User Permissions required : A Creator from these categories such as Domain, Organization, and Tenant can create rules.

    To create a Rule,

    1. Navigate to Configurations --> Chronicle CMS at the left navigational bar.
    2. Click Detection Rules tile.
    3. On the Detection Rules listing page, click +Add Rules from the top right corner of the screen.
    4. From the new Rule page, enter Rule Name, and Description(Optional).
    5. Define the rule syntax in the Rule Editor.
    6. Select Rule Type from the following list
      • Real-time: a live instance
      • Scheduled: fixed at specific time period
    7. Add Tags for the following fields.
      • Tactic 
      • Vulnerability
      • Confidence
      • Technique
      • Malware
      • Severity
      • DataSource
      • Product/Vendor
      • Tool
      • Logsource Type
      • Threat Actor
      • Custom
      • * Company
      • False Positive Scenario -  For every behavior there are few scenarios the detection would be legitimate. So we would keep that details here and recommend to user to baseline the expected behavior using reference lists.
      • Check Box left to Subject from Native Signal - This option helps you apply subject as static values for some detection rules, and for some rules that are intended to only convert native signal from devices like EDR, and antivirus where you can not apply subject as static behavior. In such cases, leverage external subject from native signal checkbox to pickup MITRE details from UDM event in chronicle while transforming signal.
      • Check Box left to Mitre from Native Signal - This option helps you apply Tactic & Techniques as static values for some detection rules, and for some rules that are intended to only convert native signals from devices like EDR, and antivirus where you can not apply tactic and technique as static behavior. In such cases, leverage external native MITRE checkbox to pickup MITRE details from UDM event in chronicle while transforming signal.
    8. Click Save at the top right corner
      Once the changes are saved, Check Rule Syntax button is enabled.
    9. Click Check Rule Syntax to verify the syntax of the rule created in the Rule Editor.
    10. Once the rule syntax is verified successfully, Actions button will be enabled at the top right corner of screen.
    11. Click Actions. A dropdown list appears.
    12. From the dropdown list, click Send for Review. The rule will be sent to Publisher for review and the rule state is moved to Under Review.

    Note: Creator does not have access to view Detection Rule

    Note: * denotes mandatory field

    Publishing Detection Rules

    User Permissions Required: A Publisher from these categories such as Domain, Organization, and Tenant can publish rules.

    To publish a Rule,

    1. Navigate to Configurations --> Chronicle CMS at the left navigational bar.
    2. Click the Detection Rules tile.
    3. In the Detection Rules listing page, click a rule that is Under Review state.
    4. Verify the Rule syntax and click Actions in the top right corner of the screen.
    5. From the dropdown list, click Approve if the rule syntax is appropriate. The rule will be moved to Reviewed state once it is approved. Click Reject, if the rule is not appropriate. The rule will be sent back to the Creator for changes and moved to the Draft state.

    Adding a Content Pack to a Detection Rule

    To publish a rule, you must add at least one content pack that you have subscribed to. The publisher can add packs to any rule in reviewed or published or publishing state.

    To add a content pack,

    1. On the Detection Rules listing page, click a rule that is in the Reviewed state.
    2. Click Actions --> Publish in the top right corner of the screen. A popup message appears on the screen: "Please select at least one pack."
    3. Now navigate back to the Chronicle Content Management page and click the Content Packs tile.
    4. Click on any pack that you would like to add a rule that you have configured.
    5. From the Packs page, select a published or reviewed rule from the dropdown menu in the Rules.
    6. Click Save in the top right corner of the screen.
    7. Click on the Rule that you have added to the pack. It will be navigated to that Rules page.
    8. Click Actions --> Publish in the top right corner of the screen. The rule will be moved to the Publishing state. 
    9. To move a rule to the Published state, you must publish the pack that you have assigned to that rule.

    In addition to configuring, you can always simulate, clone, version, disable, find and filter rules to manage your detection rules effectively.

    Related articles

    Comments

    0 comments

    Please sign in to leave a comment.