Simulating Detections
User Permissions required
- Publisher
You can simulate detections for a rule over the last 14 days of data.
Note 1: Simulating detections is available in the draft, approved, under review, published, failed, ready to publish, and disabled states.
To simulate a detection rule,
- Navigate to Configurations --> Chronicle CMS at the left menu.
- Click the Detection Rules tile.
- From the Rules listing page, select the rule that you would like to simulate.
- Click Simulate Detections at the top right corner.
A pop-up appears.
- Select a Tenant from the dropdown.
- Click Submit.
Note 2: The Tenant selection is available to users at the domain and organization levels.
Versioning a Rule
User Permissions required
- Publisher
Note 1: Creating a new version is applicable only to rules in the published or disabled state. The New Version button is enabled only if the latest version of the rule is published or disabled.
To create a new version,
- Navigate to Configurations --> Chronicle CMS at the left menu.
- Click the Detection Rules tile.
- From the Rules listing page, select the published rule for which you would like to create a new version.
- Click New Version at the top right of the screen.
- In the New Versioning page, update the details that require changes.
- Click Save.
Once the new version of a rule is created and published, the previous version is moved to the disabled state automatically. You can re-enable the old version if required.
Note 2: The version number is not editable. It is incremented automatically when you click New Version for a rule.
Note 3: If a rule is published at the domain level, users at the organization and tenant levels cannot create a new version of it.
Cloning a Rule
User Permissions required
- Publisher
Cloning an existing rule quickly creates a copy of that rule with the same version number. The name of the clone must be different from the name of the original rule.
Note: Cloning is applicable to published rules only.
To clone a Rule,
- Navigate to Configurations --> Chronicle CMS at the left menu.
- Click the Detection Rules tile.
- Select a rule from the Rules listing page that you would like to clone.
- In the Rule page, click Clone at the top right of the screen.
- Edit the Rule name and Description.
- Click Save at the top right of the screen.
Once the changes are saved, the Check Rule Syntax button is enabled.
- Click Check Rule Syntax to verify the syntax of the rule in the Rule Editor.
- Once the syntax check succeeds, the Actions button is enabled at the top right corner of the screen.
- Click Actions. A dropdown list appears.
- From the dropdown list, click Send for Review. The rule is sent to a Publisher for review and its state changes to Under Review.
Disabling a Rule
User Permissions required
- Publisher
Note: Disabling a rule is applicable to published rules only.
To disable a rule,
- Navigate to Configurations --> Chronicle CMS at the left menu.
- Click the Detection Rules tile.
- Select a rule from the rules listing page that you would like to disable.
- Click Actions in the top right corner of the screen.
- From the dropdown menu, click Disable.
The selected rule is disabled in both Backstory and the CMS.
To enable a disabled rule, follow the steps below.
- Navigate to Configurations --> Chronicle CMS at the left menu.
- Click the Detection Rules tile.
- From the Rules listing page, select the Published Pack that contains the rule you would like to enable.
- From the Published Pack page, click the rule that was previously disabled.
- Click Actions in the top right corner of the rules listing page.
- From the dropdown menu, click Enable.
The selected rules are enabled in Backstory and in the CMS.
Editing Detection Rules
User Permissions required
- Publisher
- Creator
Note: Editing is applicable to rules in the draft, under review, approved, failed, and ready to publish states.
To edit a rule,
- Navigate to Configurations --> Chronicle CMS at the left menu.
- Click the Detection Rules tile.
- Click the rule, or select the check box next to the rule, that you would like to edit.
- Click Actions in the top right corner of the screen.
- From the dropdown menu, click Edit.
- Modify the details of the rule and click Save at the top right corner.
The rule is moved to the Draft state.
Deleting Detection Rules
User Permissions required
- Publisher
- Creator
Note: Deleting is applicable to rules in the draft, under review, approved, failed, and ready to publish states.
To delete a rule,
- Navigate to Configurations --> Chronicle CMS at the left menu.
- Click the Detection Rules tile.
- Select a rule from the rules listing page that you would like to delete.
- Click Actions in the top right corner of the screen.
- From the dropdown menu, click Delete.
The rule is removed from the CMS.
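The sections above scatter the same two gates across several procedures: who may perform an action (Publisher, or Publisher and Creator) and which rule states offer it. The following is an added example, not Chronicle CMS code, that collects those gates into one small model so the lifecycle can be checked end to end. State names, role names and the per-action rules are taken from this page; the data model, the method names, and the `publish()` helper (the page does not describe the publish step itself) are assumptions made for the example.

```python
"""Toy model of the role- and state-gated rule actions described on this page.

Added illustration, not Chronicle CMS code.  The state names, role names and
per-action gates are taken from the page; the data model, method names and the
publish() helper are assumptions made for this example.
"""
from dataclasses import dataclass

STATES = frozenset({"draft", "under review", "approved", "ready to publish",
                    "published", "failed", "disabled"})
# Edit and Delete are offered in the same set of states.
EDITABLE = frozenset({"draft", "under review", "approved", "failed",
                      "ready to publish"})

# action -> (roles that may perform it, states in which the page offers it)
ACTIONS = {
    "simulate":    (frozenset({"Publisher"}), STATES),
    "new version": (frozenset({"Publisher"}), frozenset({"published", "disabled"})),
    "clone":       (frozenset({"Publisher"}), frozenset({"published"})),
    "disable":     (frozenset({"Publisher"}), frozenset({"published"})),
    "enable":      (frozenset({"Publisher"}), frozenset({"disabled"})),
    "edit":        (frozenset({"Publisher", "Creator"}), EDITABLE),
    "delete":      (frozenset({"Publisher", "Creator"}), EDITABLE),
}


@dataclass
class RuleVersion:
    number: int
    state: str


class Rule:
    def __init__(self, name, versions=None):
        self.name = name
        self.versions = versions if versions is not None else [RuleVersion(1, "draft")]

    def latest(self):
        return max(self.versions, key=lambda v: v.number)

    def get(self, number):
        return next(v for v in self.versions if v.number == number)

    def _target(self, action, number):
        # "New Version" is gated on the latest version's state, whichever row is selected.
        if number is None or action == "new version":
            return self.latest()
        return self.get(number)

    def allowed(self, action, role, number=None):
        roles, states = ACTIONS[action]
        return role in roles and self._target(action, number).state in states

    def apply(self, action, role, number=None, new_name=None):
        if not self.allowed(action, role, number):
            raise PermissionError(f"{role} cannot '{action}' this rule in its current state")
        target = self._target(action, number)
        if action == "new version":
            # The number is assigned automatically and is not editable.
            self.versions.append(RuleVersion(target.number + 1, "draft"))
        elif action == "clone":
            # A clone keeps the version number but must get a different name.
            if not new_name or new_name == self.name:
                raise ValueError("a clone needs a name different from the original")
            return Rule(new_name, [RuleVersion(target.number, "draft")])
        elif action == "edit":
            target.state = "draft"          # any edit sends the rule back to Draft
        elif action == "delete":
            self.versions.remove(target)
        elif action == "disable":
            target.state = "disabled"
        elif action == "enable":
            target.state = "published"
        # "simulate" changes no state.
        return self

    def publish(self, number):
        """Assumed helper (the page does not describe the publish step itself):
        publishing a version automatically disables the previously published one."""
        for v in self.versions:
            if v.number != number and v.state == "published":
                v.state = "disabled"
        self.get(number).state = "published"
        return self


if __name__ == "__main__":
    rule = Rule("suspicious_psexec").publish(1)
    rule.apply("new version", "Publisher").publish(2)
    print([(v.number, v.state) for v in rule.versions])   # [(1, 'disabled'), (2, 'published')]
```

The point of `_target()` is the one non-obvious gate on the page: New Version looks at the latest version, not the selected row, so a Publisher who selects a disabled v1 while a draft v2 exists still sees the button disabled. Everything else is a straight lookup in `ACTIONS`, which is where a reviewer of a real CMS would expect to find the whole role-and-state matrix in one place.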
Finding Detection Rules
The free text search filters the detection rules by text in the Rule Name, Company Name, Status, or Company Type. There is no Search button.
Filtering Detection Rules
The detection rules can be filtered using the following entities.
Filter | Description |
---|---|
Tags | Keywords added to a rule, such as the tactics, techniques, and malware associated with it |
Status | The current state of the rule (draft/under review/approved/ready to publish/published/disabled/failed) |
Version | The revision number of a rule |
Company | The organization that the user belongs to |
Assigned To | The user to whom the rule is assigned |
Rule Name | Name of a rule |
Rule Tags | Keywords added to a rule |
Rule Type | The type that a rule belongs to |
Frequency | The interval at which the rule is scheduled to run |
Comments | Notes added by users |
Created On | The date and time at which the rule was first created |
Created By | The user who created the rule |
Description | The detailed information given in the Description field when the rule was created |
Rule Editor | The user who modified the rule |
Last Updated By | The user who most recently updated the rule |
Last Updated On | The date and time of the most recent update to the rule |
Latest Version | The most recent version of a rule |
Pack (Pack List) | Filters rules by pack name. A list of packs is shown in the filter, for example MDR_Pack_1 and MDR_Pack_3. |
Tool (Tool List) | Filters rules by tool name. A list of tools is shown in the filter, for example Ping, Reg, and Remcos. |
Actor (Actor List) | Filters rules by threat actor. A list of threat actors is shown in the filter, for example Iron Ritual and Moses Staff. |
Custom (Custom List) | Custom keywords added to a rule |
Tactic (Tactic List) | Filters rules by tactic. A list of tactics is shown in the filter, for example Exfiltration and Command and Control. |
Malware (Malware List) | Filters rules by malware. A list of malware is shown in the filter, for example Canopy and Entropy. |
Product (Product List) | Filters rules by product. A list of products is shown in the filter, for example Firewall and EDR. |
Technique (Technique List) | Filters rules by technique. A list of techniques is shown in the filter, for example Automated Exfiltration and Data Encoding. |
Log Source (Log Source List) | Filters rules by log source. A list of log sources is shown in the filter, for example DHCP and DNS. |
Data Source (Data Source List) | Filters rules by data source. A list of data sources is shown in the filter, for example Command and Network Traffic. |
Vulnerability (Vulnerability List) | Filters rules by vulnerability. A list of vulnerability names is shown in the filter. |
You can add multiple filters and click Apply to filter by your chosen entities.
To remove a specific filter, click the X to the right of it. To reset the Rules page to its default filters, click Filter --> Clear Filters.
Sorting Detection Rules
The rules feed lists all detection rules (draft/under review/approved/ready to publish/published/disabled/failed) on the listing page once they have been created or published. You can sort the detection rules by the following options.
Item | Description |
---|---|
Last Modified On | Date and time of the last change to a rule |
Version | A unique number assigned whenever there are major changes to a rule |
Name | The name given to a rule |
Most Used | The most frequently used rules first |
Created On | Date and time at which a rule was first created |
Company Name | Name of the company from which the user is logged on |
Status | The state the rule is in (draft/under review/approved/ready to publish/published/disabled/failed) |
To switch between ascending and descending order, click the ascending or descending sort icon next to the selected option.
To view the left side menu, click three dots at the top right corner of the screen and select Toggle Sidebar.
For sharing a URL, click three dots at the top right corner of the screen and select Share URL.