
Custom detection rules

Use the Custom detection rules page to define rules that flag specific behavior in your environment as a detection and generate corresponding incidents in the Incidents page.

Partners can manage rules for other companies and can use the Company filter in the grid to view the rules created for each company. Customers can also see the rules that Partners have applied to their company.

However, when a company switches to a new Partner, all custom rules created by the former Partner are disabled. The new Partner cannot view the rules applied by the former Partner.

Custom detection rules - grid
  1. Click the Add rule button to create a new custom detection rule. For more details, refer to Creating Custom detection rules.

  2. Select the global check box or the individual rule check boxes to select them. After selecting one or more rules, you can manage them in the following ways:

    • To enable or disable the rules, click the Change status drop-down menu and choose the desired action.

    • To delete the rules, click the More actions drop-down menu and select Delete.

  3. Use these action buttons to customize your grid:

    • Click the Reset view button to reset the grid to the default settings in terms of displayed columns and filters. This option also clears existing filters and their values.

    • Click the Show or hide filters button to show or hide the filters bar.

    • Click the Open Settings button to add or remove columns from the grid.

  4. Click a rule's name to enter edit mode and update the rule. Click a rule in the list to expand its Details panel, view the rule details, update it or delete it. For more details, refer to Detection rule Details panel.

Creating Custom detection rules

To create custom detection rules, follow these steps:

  1. In the Custom detection rules page, click the Add rule button.

    You will be redirected to the Add rule page.

  2. In the Detection rule definition section, select the type of element you want to include in the detection rule.

    Element types

    The element types are:

    • Process

    • File

    • Connection

    • Registry

  3. Select the matching criteria:

    Rule criteria
    1. Select one of the available criteria options.

    2. Select the type of relationship between the matching criteria and its value:

      • Is - matches the exact value entered in the value field.

      • Contains - matches all values that contain the string entered in the value field (for example, file extensions).

        Important

        Use wildcards with caution when creating a detection rule, as they raise the risk of making the rule too generic. Overly generic rules can produce a flood of false-positive incidents.

      • Is one of - matches any of the values entered in the value field (an OR operation is performed between the values). You must press Enter after each value, to complete the action.

    3. Enter the specific value for each criterion.

  4. Use the Add new button to add new criteria to the rule.

    Note

    The rule triggers incidents only when all criteria are met (an AND operation is performed between the added criteria).

  5. In the Rule configuration section, add a rule name, a rule description, and rule-related tags.

    Rule tags help you identify, group, and sort rules as needed. If no existing tag suits your rule, click the Create tag button and add one.

    Rule configuration
  6. To activate the rule immediately after creation, select the On-access scanning checkbox.

    Enabling this option generates alerts whenever the pattern listed in the rule is detected on an endpoint.

  7. In the Rule outcome section, set the severity of the alerts triggered by this rule.

  8. Optionally, you can select the Generate security incident checkbox.

  9. Click Next.

  10. In the Rule targets window, select which endpoints the rule will scan. You can select the entire company or specific endpoint tags. These tags are created and managed in Network > Tags Management.

    When you select the Endpoint tags option, you can choose the tags from the list in the left-side menu, and your current selection of tags will appear in the right-side menu.

    Rule targets
  11. Click Save.

    The new rule is now available in the Custom detection rules grid.
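The following is an added example, not the product's own code or rule format: a small Python model of the matching semantics from steps 3 and 4 above (Is matches exactly, Contains matches a substring, Is one of is an OR over its values, and separate criteria are ANDed), run over constructed sample events. The event field names (process_name, parent_name, file_path, remote_port, key_path) and the case-insensitive comparison are assumptions; the page does not document the product's schema or comparison rules. The "too generic" rule shows why the Important note above warns against broad Contains values.

```python
"""Added example: evaluate custom detection rule criteria against endpoint events.

Illustrative code only; it is not the product's engine or rule format.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Criterion:
    attribute: str   # event field the criterion inspects (hypothetical names)
    operator: str    # "is", "contains" or "is_one_of"
    value: object    # str for is/contains, list of str for is_one_of

    def matches(self, event: dict) -> bool:
        actual = event.get(self.attribute)
        if actual is None:
            return False
        # Assumption: values compare case-insensitively, as Windows paths and
        # image names do; the page does not say how the product compares them.
        actual = str(actual).lower()
        if self.operator == "is":
            return actual == str(self.value).lower()
        if self.operator == "contains":
            return str(self.value).lower() in actual
        if self.operator == "is_one_of":
            # OR across the listed values
            return any(actual == str(v).lower() for v in self.value)
        raise ValueError(f"unknown operator: {self.operator!r}")


@dataclass
class Rule:
    name: str
    element: str                 # "process", "file", "connection" or "registry"
    criteria: list = field(default_factory=list)
    severity: str = "medium"     # set in the Rule outcome section

    def matches(self, event: dict) -> bool:
        # The element type must match and every criterion must hold (AND).
        if event.get("element") != self.element:
            return False
        return all(c.matches(event) for c in self.criteria)


def matching_event_ids(rule: Rule, events: list) -> list:
    """Return the ids of the events the rule would raise an alert for."""
    return [e["id"] for e in events if rule.matches(e)]


# Constructed sample telemetry; fields are hypothetical, not the product's schema.
EVENTS = [
    {"id": "e1", "element": "process", "process_name": "powershell.exe",
     "parent_name": "WINWORD.EXE", "command_line": "powershell.exe -nop -w hidden"},
    {"id": "e2", "element": "process", "process_name": "powershell.exe",
     "parent_name": "explorer.exe", "command_line": "powershell.exe Get-Process"},
    {"id": "e3", "element": "file", "file_path": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"id": "e4", "element": "file", "file_path": r"C:\Program Files\Vendor\app.exe"},
    {"id": "e5", "element": "file", "file_path": r"C:\Users\alice\Documents\report.docx"},
    {"id": "e6", "element": "connection", "process_name": "svchost.exe", "remote_port": 443},
    {"id": "e7", "element": "connection", "process_name": "notepad.exe", "remote_port": 4444},
    {"id": "e8", "element": "registry",
     "key_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "updater"},
]

# Two "Is one of" criteria ANDed together: Office parent AND PowerShell child.
RULE_OFFICE_PS = Rule("Office app spawns PowerShell", "process", [
    Criterion("process_name", "is_one_of", ["powershell.exe", "pwsh.exe"]),
    Criterion("parent_name", "is_one_of", ["winword.exe", "excel.exe", "outlook.exe"]),
], severity="high")

# Two "Contains" criteria ANDed: narrows the match to executables in a user Temp folder.
RULE_TEMP_EXE = Rule("Executable written to user Temp", "file", [
    Criterion("file_path", "contains", r"\AppData\Local\Temp"),
    Criterion("file_path", "contains", ".exe"),
])

# A single broad "Contains" criterion: fires on every .exe path (the false-positive case).
RULE_GENERIC = Rule("Any .exe file (too generic)", "file", [
    Criterion("file_path", "contains", ".exe"),
], severity="low")

# "Is" is an exact match: port 443 does not match "4444".
RULE_C2 = Rule("Connection to port 4444", "connection", [
    Criterion("remote_port", "is", "4444"),
])

RULE_RUNKEY = Rule("Run key persistence", "registry", [
    Criterion("key_path", "contains", r"\CurrentVersion\Run"),
])

ALL_RULES = [RULE_OFFICE_PS, RULE_TEMP_EXE, RULE_GENERIC, RULE_C2, RULE_RUNKEY]

if __name__ == "__main__":
    for rule in ALL_RULES:
        hits = matching_event_ids(rule, EVENTS)
        print(f"{rule.name:40s} severity={rule.severity:6s} alerts={hits}")
```

Running the block shows that the two-criterion Temp rule alerts on e3 only, while the single broad Contains rule alerts on every executable path; in a real estate that second rule would alert on every normal program file and bury the genuine detections.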

Detection rule Details panel

The rule Details panel contains information on the selected rule, rule criteria, rule tags, rule outcome, and options to update it or delete it.

Details panel
  1. The View alerts and View incidents options redirect you to the Search and Incidents sections, respectively. Prefilled queries run automatically to retrieve all the alerts or incidents triggered by the rule.

  2. The Edit rule button brings up the rule definition window, where you can change the rule settings.