A Publisher can create new versions of, simulate detections for, and disable rules that were added by a Creator.
Note: Disabling a rule and creating a new version of it apply to Published rules only.
Simulating Detections
Simulation replays a rule against the events of the last 14 days so you can see what it would have detected before it is live.
To simulate a detection rule,
- Navigate to Configurations --> Chronicle CMS at left menu.
- Click Detection Rules tile.
- From the Rules listing page, select the rule that you would like to simulate.
- Click Simulate Detections at the top right corner.
A pop-up appears.
- Select a Tenant from the dropdown.
- Click Submit.
Note: The Tenant dropdown is available only to users at the domain or organization level.
Versioning a Rule
A Publisher can create a new version of a rule that was added by a Creator.
Note: Creating a new version applies to Published rules only.
To create a new version of a rule,
- Navigate to Configurations --> Chronicle CMS at left menu.
- Click Detection Rules tile.
- From the Rules listing page, select the published rule for which you would like to create a new version.
- Click New Version at the top right of the screen.
- On the New Version page, update the details that need to change.
- Click Save.
Once the new version of a rule is created, the previous version is moved to the Disabled state automatically, so only the new version continues to produce detections. You can re-enable the previous version at any time if required.
Note 1: The version number is not editable. It is incremented automatically when you click New Version on a rule.
Note 2: If a rule is published at the domain level, users at the organization and tenant levels cannot create a new version of it.
Cloning a Rule
Cloning an existing rule lets you quickly create a copy that keeps the same version number. The Rule Name and Description of the clone must differ from those of the original rule.
To clone a rule,
- Navigate to Configurations --> Chronicle CMS at left menu.
- Click Detection Rules tile.
- From the Rules listing page, select the rule that you would like to clone.
- On the Rule page, click Clone at the top right of the screen.
- Edit the Rule Name and Description.
- Click Save at the top right of the screen.
Once the changes are saved, the Check Rule Syntax button is enabled.
- Click Check Rule Syntax to verify the syntax of the rule in the Rule Editor.
- Once the rule syntax is verified successfully, the Actions button is enabled at the top right corner of the screen.
- Click Actions. A dropdown list appears.
- From the dropdown list, click Send for Review. The rule is sent to a Publisher for review and its state changes to Under Review.
Disabling a Rule
To disable a rule,
- Navigate to Configurations --> Chronicle CMS at left menu.
- Click Detection Rules tile.
- From the Rules listing page, select the rule that you would like to disable.
- Click Actions in the top right corner of the screen.
- From the dropdown menu, click Disable.
The selected rule is disabled and hidden from Backstory and CMS, so it no longer produces detections.
To enable a disabled rule, follow the steps below.
- Navigate to Configurations --> Chronicle CMS at left menu.
- Click Detection Rules tile.
- From the Rules listing page, select the Published Pack that contains the rule you would like to enable.
- From the Published Pack page, click the rule that was previously disabled.
- Click Actions in the top right corner of the rules listing page.
- From the dropdown menu, click Enable.
The selected rule is enabled again in Backstory and in CMS.
Finding Detection Rules
The free-text search filters the detection rules by matching text in the Rule Name, Company Name, Status, or Company Type. There is no Search button; the list is filtered as you enter text.
Filtering Detection Rules
The detection rules can be filtered using the following entities.
Filter | Description |
---|---|
Tags | Keywords added to a rule, including the tactics, techniques, malware and other information associated with it |
Status | Current state of the rule (Draft, Under Review, Reviewed, Publishing, Published) |
Version | Revision number of the rule |
Company | Organization that the user belongs to |
Assigned To | User to whom the rule is assigned |
Rule Name | Name of the rule |
Rule Tags | Keywords added to the rule |
Rule Type | Type that the rule belongs to |
Frequency | Interval at which the rule is scheduled to run |
Comments | Notes added by users |
Created On | Date and time at which the rule was first created |
Created By | User who created the rule |
Description | Detailed information entered in the Description field when the rule was created |
Rule Editor | User who modified the rule |
Last Updated By | User who most recently updated the rule |
Last Updated On | Time of the most recent update to the rule |
Latest Version | Most recent version of the rule |
Pack (Pack List) | Pack to which the rule belongs. A list of packs is shown in the filter, for example MDR_Pack_1 and MDR_Pack_3 |
Tool (Tool List) | Tool associated with the rule. A list of tools is shown in the filter, for example Ping, Reg and Remcos |
Actor (Actor List) | Threat actor associated with the rule. A list of threat actors is shown in the filter, for example Iron Ritual and Moses Staff |
Custom (Custom List) | Custom keywords added to the rule |
Tactic (Tactic List) | Tactic associated with the rule. A list of tactics is shown in the filter, for example Exfiltration and Command and Control |
Malware (Malware List) | Malware associated with the rule. A list of malware is shown in the filter, for example Canopy and Entropy |
Product (Product List) | Product associated with the rule. A list of products is shown in the filter, for example Firewall and EDR |
Technique (Technique List) | Technique associated with the rule. A list of techniques is shown in the filter, for example Automated Exfiltration and Data Encoding |
Log Source (Log Source List) | Log source the rule consumes. A list of log sources is shown in the filter, for example DHCP and DNS |
Data Source (Data Source List) | Data source the rule consumes. A list of data sources is shown in the filter, for example Command and Network Traffic |
Vulnerability (Vulnerability List) | Vulnerability associated with the rule. A list of vulnerability names is shown in the filter |
You can add multiple filters and click Apply to filter on the chosen entities.
To remove a specific filter, click the X to the right of it. To reset the Rules page to its default filters, click Filter --> Clear Filters.
Sorting Detection Rules
The rules feed lists all detection rules (Draft, Under Review, Reviewed, Publishing and Published) on the listing page once they have been created or published. You can sort the detection rules by the following options.
Item | Description |
---|---|
Last Modified On | Date and time of the last change to the rule |
Version | Number that is incremented whenever a new version of the rule is created |
Name | Name given to the rule |
Most Used | Rules ordered by how often they are used |
Created On | Date and time at which the rule was first created |
Company Name | Name of the company under which the user is logged in |
Status | State the rule is in (Draft, Under Review, Reviewed, Publishing or Published) |
To switch between ascending and descending order, click the sort-direction icon next to the selected item.
To show or hide the left side menu, click the three dots at the top right corner of the screen and select Toggle Sidebar.
To share a URL to the current view, click the three dots at the top right corner of the screen and select Share URL.