Rules
Information
Main task - automatic detection of suspicious activity and generation of incidents for response.
Detected threats:
- communications with malicious infrastructure
- working with malicious objects
- any activities related to confirmed indicators from the IoC database
Rule operation principle:
Information sources:
- operational data (network activity logs, system events)
- threat database (current IoC database of the Threat Intelligence module)
Matching data fields to IoC types
Correlation mechanism:
- schedule: monitoring runs continuously on the established schedule (e.g., every 5 minutes)
- search: executing search queries against the operational data
- matching: automatic comparison of field values from logs with the corresponding IoC types
- reaction: generating an incident when a match is detected
Example
Task RULE - TI - Domain - Threat Activity Detected:

The search query retrieves events from the network communication logging index and compares them with the IoC database. If a match is found between destination.ip field values and IoC values, an incident is created.
Result
The created incident contains detailed information about the interaction: username, host, IoC and detailed information about it.
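The correlation mechanism above (scheduled search, field-to-IoC-type matching, incident generation) and the destination.ip example, as an added illustration that is not the product's own code: the IoC database, the field mapping, the rule name and the log events are all constructed for this example, and the module's real query language and index names are not assumed.

```python
# Constructed IoC database standing in for the Threat Intelligence module:
# indicator value -> its IoC type plus the details an incident should carry.
IOC_DB = {
    "203.0.113.45": {"type": "ip", "threat": "C2 server", "source": "feed-A"},
    "malicious.example": {"type": "domain", "threat": "phishing", "source": "feed-B"},
    "0123456789abcdef0123456789abcdef": {"type": "md5", "threat": "dropper", "source": "feed-A"},
}

# Assumed mapping of log fields to IoC types (the page's "matching data fields to IoC types").
FIELD_TO_IOC_TYPE = {"destination.ip": "ip", "dns.question.name": "domain", "file.hash.md5": "md5"}

# Constructed events returned by one scheduled search over the operational data.
EVENTS = [
    {"user.name": "alice", "host.name": "ws-01", "destination.ip": "203.0.113.45"},
    {"user.name": "bob", "host.name": "ws-02", "destination.ip": "198.51.100.7"},
    {"user.name": "carol", "host.name": "ws-03", "dns.question.name": "MALICIOUS.example."},
    {"user.name": "dave", "host.name": "srv-01", "file.hash.md5": "0123456789ABCDEF0123456789ABCDEF"},
    {"user.name": "alice", "host.name": "ws-01", "destination.ip": "203.0.113.45"},  # repeat hit
]

def normalize(value, ioc_type):
    """Canonicalise a log value before comparison: lower-case, strip a trailing DNS dot."""
    value = str(value).strip().lower()
    return value.rstrip(".") if ioc_type == "domain" else value

def correlate(events, ioc_db, field_map, rule="RULE - TI - Threat Activity Detected"):
    """One scheduled run: compare each mapped field with the IoC database and
    return one incident per (host, field, indicator) match. Rule name is assumed."""
    incidents, seen = [], set()
    for ev in events:
        for log_field, ioc_type in field_map.items():
            if log_field not in ev:
                continue
            value = normalize(ev[log_field], ioc_type)
            ioc = ioc_db.get(value)
            if ioc is None or ioc["type"] != ioc_type:
                continue  # not in TI, or listed under a different IoC type than this field
            key = (ev.get("host.name"), log_field, value)
            if key in seen:
                continue  # same host, same indicator: do not raise a duplicate incident
            seen.add(key)
            incidents.append({
                "rule": rule, "user": ev.get("user.name"), "host": ev.get("host.name"),
                "field": log_field, "ioc": value, "ioc_type": ioc_type,
                "details": {k: v for k, v in ioc.items() if k != "type"},
            })
    return incidents

INCIDENTS = correlate(EVENTS, IOC_DB, FIELD_TO_IOC_TYPE)  # three incidents for the sample above
```

Each incident carries the username, host, matched IoC and the IoC details, as the Result section describes; the type check prevents an IP field from matching a domain indicator that happens to share the same string.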
