Managing Detection Rules

  • Updated

    Simulating Detections

    User Permissions required

    • Publisher

    You can simulate the detections within the last 14 days period.

    Note 1: Simulate detections is applicable for the draft, approved, under review, published, failed, ready to publish, and disabled states.

    To simulate a detection rule,

    1. Navigate to Configurations --> Chronicle CMS at the left menu.
    2. Click the Detection Rules tile.
    3. From the Rules listing page, select a rule that would like to simulate.
    4. Click Simulate Detections at the top right corner.
      A pop appears.
    5. Select a Tenant from the dropdown.
    6. Click Submit.

    Note 2: You can select a tenant if you are from a domain and an organization.

    Versioning a Rule

    User Permissions required

    • Publisher

    Note 1: Creating new versions is applicable to the rules which are in published, or disabled states only. New version button is enabled only if the latest version of a rule is in published or disabled states.

    To create a new version,

    1. Navigate to Configurations --> Chronicle CMS at the left menu.
    2. Click the Detection Rules tile.
    3. From the Rules listing page, select a published rule that would like to create a future version.
    4. Click New Version at the top right of the screen.
    5. In the New Versioning page, update the details that required necessary changes.
    6. Click Save.

    Once the future version # of a rule is created and published, the rule with the previous version will be moved to the disabled state automatically. You can always enable the old version if required.

    Note 3: The version Number is not editable. The version is automatically updated once you click the New Version of a rule.
    Note 4: Suppose a rule is published at a domain, users at organization, and tenant level can not create a new version of a rule.

    Cloning a Rule

    User Permissions required

    • Publisher

    Cloning an existing rule helps you quickly create the same rule with the same version number. Ensure that the Rule name must be different from the original rule while cloning it.

    Note: Cloning a rule is applicable to the published rules only.

    To clone a Rule,

    1. Navigate to Configurations --> Chronicle CMS at the left menu.
    2. Click the Detection Rules tile.
    3. Select a rule from the Rules listing page that you would like to clone.
    4. In the Rule page, click Clone at the top right of the screen.
    5. Edit the Rule name and Description.
    6. Click Save at the top right of the screen.
      Once the changes are saved, Check Rule Syntax button is enabled.
    7. Click Check Rule Syntax to verify the syntax of the rule created in the Rule Editor.
    8. Once the rule syntax is verified successfully, the Actions button will be enabled at the top right corner of the screen.
    9. Click Actions. A dropdown list appears.
    10. From the dropdown list, click Send for Review. The rule will be sent to Publisher for review and the rule state is moved to Under Review.

    Disabling a Rule

    User Permissions required

    • Publisher

    Note: Disabling a rule is applicable to published rules only.

    To disable a rule,

    1. Navigate to Configurations --> Chronicle CMS at the left menu.
    2. Click the Detection Rules tile.
    3. Select a rule from the rules listing page that you would like to disable.
    4. Click Actions in the top right corner of the screen.
    5. From the dropdown menu, click Disable.
      The selected rule will be disabled from the backstory and CMS.

    If you would like to enable a disabled rule, follow the below steps.

    1. Navigate to Configurations --> Chronicle CMS at the left menu.
    2. Click the Detection Rules tile.
    3. From the Rules listing page, select a Published Pack associated with the rule that you would like to activate.
    4. From the Published pack page, click on a rule that is Disabled previously.
    5. Click Actions in the top corner of the rules listing page.
    6. From the dropdown menu, click Enable.
      Selected rules will be enabled in the backstory and in CMS.

    Editing Detection Rules

    User Permissions required

    • Publisher
    • Creator

    Note: Editing a rule is applicable to the draft, under review, approved, failed, and ready to publish states.

    To edit a rule,

    1. Navigate to Configurations --> Chronicle CMS at the left menu.
    2. Click the Detection Rules tile.
    3. Click the rule or check box next to the rule that you would like to edit.
    4. Click Actions in the top right corner of the screen.
    5. From the dropdown menu, click Edit.
    6. Modify/change the details of a rule and click Save at the top right corner.
      The rule will be moved to the Draft state.

    Deleting Detection Rules

    User Permissions required

    • Publisher
    • Creator

    Note: Deleting a rule is applicable to the draft, under review, approved, failed, and ready to publish states.

    To delete a rule,

    1. Navigate to Configurations --> Chronicle CMS at the left menu.
    2. Click the Detection Rules tile.
    3. Select a rule from the rules listing page that you would like to delete.
    4. Click Actions in the top right corner of the screen.
    5. From the dropdown menu, click Delete.
      The rule will be removed from the CMS.

    Finding Detection Rules

    The free text search filters the detection rules by text in the Rule Name and/or Company Name and/or Status and/or Company Type. There is no Search button.

    Filtering Detection Rules

    The detection rules can be filtered using the following entities.

    Filter

    Description
    Tags

    Keywords that are added to a rule. This includes tactics, techniques, malware etc.info associated with a rule

    Status

    The current state of the rule (draft/under review/approved/ready to publish/published)/disabled/failed)

    Version

    The revision number of a rule

    Company

    An organization that the user belongs to

    Assigned To

    The user who is assigned to a rule

    Rule Name

    Name of a rule

    Rule Tags

    The keywords that are added to a rule

    Rule Type

    A type that a rule belongs to

    Frequency

    An interval at which the rule is scheduled

    Comments

    Notes added by the users

    Created On

    The Date and Time on which the rule is created for the first time

    Created By

    The person who creates the rule

    Description

    The detailed information is given in a description field when you create a rule

    Rule Editor

    The user who modifies the rule.

    Last Updated By

    The user who updated a rule recently.

    Last Updated On

    The time at which the last update is done to a rule

    Latest Version

    The recent version of a rule.

    Pack (Pack List)

    Name of a pack that the rule is filtered. A list of packs is shown in the filter. For example, MDR_Pack_1, and MDR_Pack_3.

    Tool (Tool List)

    Name of a tool that the rule is filtered. A list of tools is shown in the filter. For example, Ping, Reg, and Remcos.

    Actor (Actor List)

    Name of a threat actor that the rule is filtered. A list of threat actors is shown in the filter. For example, Iron Ritual, and Moses Staff.

    Custom (Custom List)

    Customized keywords that are added to a rule

    Tactic (Tactic List)

    Name of a tactic that the rule is filtered. A list of tactics is shown in the filter. For example, Exfiltration, Command, and Control.

    Malware (Malware List)

    Type of malware that the rule is filtered. A list of malware is shown in the filter. For example, Canopy, Entropy.

    Product (Product List)

    Name of a product that the rule is filtered. A list of products is shown in the filter. For example, Firewall, EDR etc.

    Technique (Technique List)

    Name of a technique that the rule is filtered. A list of techniques is shown in the filter. For example, Automated exfiltration, Data Encoding.

    Log Source (Log Source List)

    Rules can be filtered based on the Log source. A list of log sources is shown in the filter. For example, DHCP, DNS.

    Data Source (Data Source List)

    Rules can be filtered based on the Data source. A list of data sources is shown in the filter. For example, Command, and Network traffic.

    Vulnerability (Vulnerability List)

    Rules can be filtered based on Vulnerability. A list of vulnerability names is shown in the filter.

    You can add multiple filters and click Apply to filter your chosen entities. 

    You may remove specific filters by clicking Picture2.pngand then clicking the X to the right of the filter. To reset the Rules page to its default filters, click Filter --> Clear Filters.

    Sorting Detection Rules

    The rules feed lists all detection rules (draft/under review/approved/ready to publish/published)/disabled/failed) on the listing page after creating or publishing them. You can sort the detection rules based on the following list of options.

    Item Description

    Last Modified On

    Date and Time of last change to a rule

    Version

    A unique number is added whenever there are major changes to a rule

    Name

    A name that is given to a rule

    Most Used

    Mostly used rule

    Created On

    Date and Time when a rule is created the first time

    Company Name

    Name of a company from which the user is logged on

    Status

    The state in which the rule is present (draft/under review/approved/ready to publish/published)/disabled/failed)

    To rearrange rules in descending or ascending order, click Picture3.pngorPicture4.png

    To view the left side menu, click three dots at the top right corner of the screen and select Toggle Sidebar.

    For sharing a URL, click three dots at the top right corner of the screen and select Share URL.

    Related articles

    Comments

    0 comments

    Please sign in to leave a comment.