Custom Detection Rule from two different event sources

I am trying to create a custom, multi-vector detection rule that leverages two different event sources but can’t figure out how to do it via the rule creation interface. I also have not found any R7 KB that details how it’s done. An example of this kind of rule is R7’s native “Low Cost VPN Authentication Followed By Inbox Forwarding Rule Creation”.

Thanks,

Craig

Hey Craig,

Currently Multi Vector Detections are not supported for Custom Rules; those can only be created by our Threat Intelligence team for built-in rules.

We don’t have a timeline on when Custom Multi Vector detections will be available for customers to leverage at the moment.

David

Thanks for the fast reply, David. Helps a lot. Since there is not a current timeline for this - has it already been submitted as a feature request?

Craig

It's planned work, so in short, yes, there have been feature requests and it's something we want to build, it just hasn't been prioritized yet.

David

You could accomplish something similar using InsightConnect or your own API scripting.

You have a few trigger options.

You can trigger from a detection rule itself, but this does not allow you to write back to an investigation or alert with the details of what the automation did.

You can trigger from an Alert or you can trigger from an investigation. Both allow you to make a record within the UI of IDR to showcase what the automation results were.

Once you decide that, your next step is to create a Global Artifact.

You need to define the schema. It should be an array of objects.

Probably you will want Impacted User (Data Type String), Alert Rule 1 (Boolean), Alert Rule 2 (Boolean), Enabled (Boolean), Date

Now when your detection/alert/investigation fires it sends the payload to InsightConnect.

Your logic roughly would look like this:

InsightConnect will look the user up in the global artifact list. Does the user exist is question 1. If the user doesn’t exist, it will create a new entry in the Global Artifact with this user, and mark either rule 1 or rule 2 as true, also adding a date and time.

If the user does already exist it means that either rule one or rule 2 is already marked as true.
Do a time comparison to see if the time it was last marked as true is within your acceptable time frame. If yes, mark the second field as true, and go to whatever it is you want it to do.

If it is out of the time frame you were thinking of, it could mark the other field as false, update the current field as true, and then add a newly updated time.

That is really rough logic, but the concept is sound, and I do have customers that employ this in their environment today.
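The correlation logic sketched in the reply above, as an added example that is not part of the original thread and not InsightConnect's own code: the Global Artifact is modelled as an in-memory list of objects with the suggested fields, the one-hour window and the use of `Enabled` to retire a record once both rules have matched are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed "acceptable time frame" between the two alerts for one user.
WINDOW = timedelta(hours=1)
RULES = ("Alert Rule 1", "Alert Rule 2")


def process_alert(artifact, user, rule, fired_at, window=WINDOW):
    """Apply one incoming alert to the artifact list (stand-in for the Global
    Artifact). Returns True when the *other* rule already fired for this user
    inside the window, i.e. the multi-vector condition is met."""
    if rule not in RULES:
        raise ValueError(f"unknown rule: {rule}")
    other = RULES[1] if rule == RULES[0] else RULES[0]

    # Question 1: does an active entry for this user exist?
    entry = next((e for e in artifact
                  if e["Impacted User"] == user and e["Enabled"]), None)
    if entry is None:
        artifact.append({
            "Impacted User": user,
            RULES[0]: rule == RULES[0],
            RULES[1]: rule == RULES[1],
            "Enabled": True,  # assumption: False once the pair has matched
            "Date": fired_at,
        })
        return False

    # Entry exists: was the other rule marked true within the window?
    if entry[other] and abs(fired_at - entry["Date"]) <= window:
        entry[rule] = True
        entry["Date"] = fired_at
        entry["Enabled"] = False  # retire; a later alert starts a fresh entry
        return True

    # Out of window (or same rule again): reset the other flag, mark this
    # rule true and refresh the timestamp, exactly as the reply describes.
    entry[other] = False
    entry[rule] = True
    entry["Date"] = fired_at
    return False


if __name__ == "__main__":
    # Constructed sample alerts: user alice trips both rules ten minutes apart.
    store = []
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    process_alert(store, "alice", "Alert Rule 1", t0)
    print(process_alert(store, "alice", "Alert Rule 2", t0 + timedelta(minutes=10)))
```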
