Custom detection rules

Use the Custom detection rules page to define rules that mark specific behavior from your environment as a valid detection and generate corresponding incidents in the Incidents page.

Custom detection rules - grid
  1. Click the Add rule button to create a new custom detection rule. For more details, refer to Creating Custom detection rules.

  2. Select the global check box to select all rules, or the individual rule check boxes to select specific ones. After selecting one or more rules, you can manage them in the following ways:

    • To enable or disable the rules, click the Change status drop-down menu and choose the desired action.

    • To delete the rules, click the More actions drop-down menu and select Delete.

  3. Use these action buttons to customize your grid:

    • Click the Reset view button to reset the grid to the default settings in terms of displayed columns and filters. This option also clears existing filters and their values.

    • Click the Show or hide filters button to show or hide the filters bar.

    • Click the Open Settings button to add or remove columns from the grid.

  4. Click a rule's name to enter edit mode and update the rule. Click a rule in the list to expand its Details panel, view the rule details, update it or delete it. For more details, refer to Detection rule Details panel.

Creating Custom detection rules

To create custom detection rules, follow these steps:

  1. In the Custom detection rules page, click the Add rule button.

    You will be redirected to the Add rule page.

  2. Configure the settings for Step 1: Detection rule definition:

    1. Under Consider as detection every, select the type of entity you want the rule to apply to:

      • Process

      • File

      • Connection

      • Registry

    2. Under Matching the following, create one or more rules by configuring the following fields:

      • Criteria - Select the component, entity, setting, or value you want to check against the value entered under the Value field.

        Note

        The available options vary depending on the entity selected in the Consider as detection every field.

      • Operator - Select the required relationship between the value selected under Criteria and the one entered under Value. The following options are available:

        • Is - The value under Criteria matches the exact value entered in the Value field.

        • Contains - The value under Criteria contains the string entered in the Value field (for example, file extensions).

          Important

          Use wildcards with caution when creating a detection rule, as they raise the risk of making it too generic. Generic rules may cause an overflow of false-positive incidents.

        • Is one of - The value under Criteria matches any of the values entered in the Value field (an OR operation is performed between the values).

          You must press Enter after each value to complete the action.

      • Value - Enter a string you want to compare the value under Criteria with.

      You can use the Add new button to add new criteria to the rule.

      Important

      The rule triggers incidents only when all criteria are met (an AND operation is performed between the added criteria).

    3. Click Next.

  3. Configure the settings under Step 2: Detection rule settings:

    1. Configure the settings under the Rule configuration section:

      1. Type in a descriptive name for the rule under Rule name.

      2. Under Description type in a short description of what the rule does.

      3. Select the Rule tags you want to apply to the rule.

        Rule tags can help you identify, group, and sort rules as needed. If you do not have a tag that suits your rule, click the Create tag button and add one.

      4. Select the On-access scanning checkbox to activate the rule immediately after creation.

        Enabling this option generates alerts whenever the conditions listed in the rule are met for any specific endpoint.

        You can view the alerts in the Incidents > Search page by using the other.rule_id field in your query.

    2. Configure the settings under the Rule outcome section:

      1. Under Generate alert with severity level select the severity level you want to assign to all the alerts created as a result of triggering this rule.

      2. Select the Generate security incident box to automatically generate an incident when this rule is triggered.

        Note

        This setting is required for enabling automatic actions.

    3. Click Next.

  4. Configure the settings under Step 3: Detection rule targets:

    1. Under the Rule targets section, select one of the options available for the Apply rule on targets from setting:

      • Select your company - The rule applies on all the endpoints managed by your company.

      • Endpoint tags - Select from the list of endpoint tags available for your company. The rule will apply only to the endpoints that have the selected tags applied. These tags are created and managed in Network > Tags Management.

      When you select the Endpoint tags option, you can choose the tags from the list in the left-side menu, and your current selection of tags will appear in the right-side menu.

    2. Click Next.

  5. Configure the settings under Step 4: Automatic actions:

    1. Select the Enable automatic actions box to activate automatic actions. These apply to the targeted entity every time the rule is triggered.

    2. Select the actions you want to enable for this rule by selecting them from the list below:

      The following automatic actions are available:

      • Isolate

      • Collect investigation package

      • Add to Sandbox

      • Antimalware scan

      • Quarantine

      • Risk scan

      • Kill process

        Important

        Depending on your platform, your company's license, and what modules are installed on your endpoints, specific actions might not be available.

      You can further customize certain actions by clicking on the Edit settings button.

    3. Click Save.

      The new rule is now available in the Custom detection rules grid.
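Added example, not part of this documentation: a small Python model of the matching semantics described in Step 1 (exact match for Is, substring match for Contains, OR between the values of Is one of, and AND between the criteria of one rule), run over constructed process events to show why a bare Contains rule is too generic. The field names image and parent, the rule names, and the sample events are assumptions made for illustration; the real criteria are the ones offered in the Criteria drop-down.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Criterion:
    field_name: str   # the Criteria selection (assumed names, e.g. "image")
    operator: str     # "Is", "Contains" or "Is one of"
    value: object     # str for Is/Contains, list of str for Is one of

    def matches(self, event: dict) -> bool:
        observed = str(event.get(self.field_name, ""))
        if self.operator == "Is":          # exact match
            return observed == self.value
        if self.operator == "Contains":    # substring match, e.g. an extension
            return self.value in observed
        if self.operator == "Is one of":   # OR between the listed values
            return any(observed == v for v in self.value)
        raise ValueError(f"unknown operator {self.operator!r}")

@dataclass
class DetectionRule:
    name: str
    entity: str                 # Process, File, Connection or Registry
    criteria: list[Criterion] = field(default_factory=list)

    def triggers(self, event: dict) -> bool:
        # The entity type must match and ALL criteria must hold (AND).
        if event.get("entity") != self.entity:
            return False
        return all(c.matches(event) for c in self.criteria)

# Constructed sample events (not real telemetry).
EVENTS = [
    {"entity": "Process", "image": r"C:\Windows\System32\cmd.exe", "parent": "winword.exe"},
    {"entity": "Process", "image": r"C:\Windows\System32\cmd.exe", "parent": "explorer.exe"},
    {"entity": "Process", "image": r"C:\Tools\notepad.exe", "parent": "explorer.exe"},
    {"entity": "File", "image": r"C:\Users\a\Downloads\setup.exe", "parent": "chrome.exe"},
]

# Too generic: Contains ".exe" alone matches every process event.
GENERIC = DetectionRule("any exe", "Process", [Criterion("image", "Contains", ".exe")])

# Narrow: a shell whose parent is an Office application; both criteria must hold.
NARROW = DetectionRule("office spawns shell", "Process", [
    Criterion("image", "Contains", r"\cmd.exe"),
    Criterion("parent", "Is one of", ["winword.exe", "excel.exe", "powerpnt.exe"]),
])

def count_hits(rule: DetectionRule, events: list[dict] = EVENTS) -> int:
    return sum(1 for e in events if rule.triggers(e))
```

Against the four constructed events the generic rule fires three times and the narrow rule once, which is the false-positive difference the Important note above warns about.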

Managing custom detection rules

Change the status of rules

To enable or disable a rule, follow these steps:

  1. Select the checkbox next to the rule you want to modify.

    Note

    You can select multiple rules.

  2. Click the Change status button on top of the grid.

  3. Click on the action you want to take.

Alternatively, you can click the corresponding menu item on the right side of the grid and select the action you want to take.

Delete a rule

To delete a rule, follow these steps:

  1. Select the checkbox next to the rule you want to modify.

    Note

    You can select multiple rules.

  2. Click the Delete button on top of the grid.

  3. Click Delete again to confirm the request.

Edit a rule

To edit a rule, click on the rule name under the Rule name column. Alternatively, you can click the Edit rule button from the Rule details side panel.

For information on how to configure a rule, refer to Creating Custom detection rules.

Detection rule Details panel

The rule Details panel contains information on the selected rule, rule criteria, rule tags, rule outcome, and options to update it or delete it.

Details panel
  1. The View alerts and View incidents options redirect you to the Search and Incidents sections, respectively. Prefilled queries run automatically to retrieve all the alerts or incidents triggered by the rule.

  2. The Edit rule button brings up the rule definition window, where you can change the rule settings.