Custom Rules

Custom Rules allows you to save Threat Hunting queries as a rule to generate Infinity XDR (Extended Detection & Response) / XPR (Extended Prevention & Response) incidents when a Threat Hunting event matches the rule.

To create a custom rule:

  1. Go to Investigate > Threat Hunting.

  2. Run a query and click the icon in the top right corner of the page.

  3. In the Rule name field, enter a rule name.

  4. In the Attack name field, enter a name. For example, Emotet.

    The system prefixes XDR.CUSTOM to the attack name, for example XDR.CUSTOM.Emotet. This prefix makes it easy to find the insights and incidents generated by a custom rule.

  5. From the Confidence field, select a confidence level for the detection.

  6. From the Severity field, select a severity level for the incident.

  7. In the Description field, enter a description for the rule.

  8. (Optional) In the Comment field, enter a comment.

  9. To generate incidents if the Threat Hunting events match the custom rule, toggle Status to On. Otherwise, the custom rule is only saved and does not generate incidents upon matching activity.

  10. Click Add.

  11. To view all custom rules created, go to Policy > Custom Rules.

    Column Name        Description
    Status             Indicates whether the custom rule is enabled or not.
    Rule Name          Name of the rule.
    Confidence         Confidence level of the detection.
    Severity           Severity of the detection.
    Attack Name        Name of the attack.
    Description        Description of the rule.
    Creator            Name of the person who created the rule.
    Creation Date      Date and time when the rule was created.
    Date Last Edited   Date on which the rule was last modified.
    Comment            Comment about the rule.

    To export the rules to a CSV file (which can be opened in Excel), click Export All (CSV).

Managing Custom Rules

To edit a custom rule:

  1. Go to Policy > Custom Rules.

  2. Select the rule you want to edit and click Edit in Threat Hunting.

    The system redirects you to the Threat Hunting page that shows the custom rule and the query.

  3. Edit the custom rule and click Update.

To delete a rule:

  1. Select the rule you want to delete and click Delete.

  2. Click Yes in the confirmation dialog.

Running a Custom Rule

To manually run a custom rule:

  1. Go to Policy > Custom Rules.

  2. Select the rule and click Run in Threat Hunting.

    The system redirects you to the Threat Hunting page that shows the custom rule and the query.