Hello!
I’ve been building out custom detection rules for an event source that reports severity in the event data. For what is technically one detection rule, I have to create 4 separate rules in order to create investigations of differing severity based on the severity reported in the log. It works, but it’s messy and time-consuming.
Ex:
Detection Name                 | Rule Action            | Rule Priority
“Custom Detection (Low)”       | Tracks notable events  | Low
“Custom Detection (Medium)”    | Creates Investigation  | Medium
“Custom Detection (High)”      | Creates Investigation  | High
“Custom Detection (Critical)”  | Creates Investigation  | Critical
The Need
Dynamic rule action/priority adjustment based on custom fields from event sources would allow for more context-aware and efficient threat detection.
where(severity >= 60 AND severity < 80) → Creates Investigation, High Priority
where(severity >= 80 AND severity <= 100) → Creates Investigation, Critical Priority
and so on…
I like this idea; I could certainly see the use case being helpful and more efficient from a triage perspective.
For enhancement requests, we typically ask that these be submitted via our Support Portal from within the product (the forum is great for discussion) in order to track the request formally and have an enhancement request tied to your account, so that you can be aware if it gets prioritized for development.
Currently there are no plans to add this functionality in the near term.
Whilst what you are describing with the thresholded priority isn’t exactly available, one way you could work around this would be to create a single catch-all rule and then create Rule Exceptions for the various criteria, such as: when the severity is <60, create an Investigation with a Medium priority, and so on.
The only limitation here would be that the rule name would be the same.
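As an added example (not the original poster’s rules, not David’s, and not the product’s own rule syntax), here is the catch-all-rule-plus-exceptions workaround modelled in plain Python, so the threshold logic can be checked offline against constructed events. It keeps the High (60–79) and Critical (80–100) bands from the original post; the Medium band (40–59), the event field names, and the handling of events whose severity is missing, non-numeric or out of range are assumptions made for the example. It goes slightly beyond the thread in one respect: an event whose severity cannot be read is escalated rather than left in the default lowest tier, because ordered exceptions that only match well-formed values would otherwise let a malformed event quietly downgrade itself.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample events for a generic source that reports severity 0-100.
# Field names ("severity", "msg") are assumptions, not any product's schema.
SAMPLE_EVENTS = [
    {"id": "e1", "severity": 10, "msg": "policy violation"},
    {"id": "e2", "severity": 45, "msg": "suspicious login"},
    {"id": "e3", "severity": 60, "msg": "credential dumping attempt"},   # lower edge of High
    {"id": "e4", "severity": 79, "msg": "lateral movement"},             # upper edge of High
    {"id": "e5", "severity": 80, "msg": "ransomware staging"},           # lower edge of Critical
    {"id": "e6", "severity": 100, "msg": "active encryption"},
    {"id": "e7", "msg": "severity field missing"},                        # malformed: absent
    {"id": "e8", "severity": "high", "msg": "non-numeric severity"},      # malformed: wrong type
    {"id": "e9", "severity": 250, "msg": "out-of-range severity"},        # malformed: out of range
]


@dataclass(frozen=True)
class Outcome:
    action: str    # "track" = notable event only, "investigate" = open an investigation
    priority: str  # Low / Medium / High / Critical


@dataclass(frozen=True)
class RuleException:
    name: str
    matches: Callable[[dict], bool]
    outcome: Outcome


@dataclass(frozen=True)
class Rule:
    name: str
    default: Outcome
    exceptions: tuple  # evaluated in order; the first matching exception wins

    def evaluate(self, event: dict) -> tuple:
        """Return (rule name, outcome, matched exception name or None) for one event."""
        for exc in self.exceptions:
            if exc.matches(event):
                return self.name, exc.outcome, exc.name
        return self.name, self.default, None


def numeric_severity(event: dict) -> Optional[int]:
    """Severity as an int in 0..100, or None when absent, non-numeric or out of range."""
    value = event.get("severity")
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    if not 0 <= value <= 100:
        return None
    return int(value)


def in_band(lo: int, hi: int) -> Callable[[dict], bool]:
    """Predicate for lo <= severity < hi (hi is exclusive, so adjacent bands cannot overlap)."""
    def pred(event: dict) -> bool:
        sev = numeric_severity(event)
        return sev is not None and lo <= sev < hi
    return pred


# One catch-all rule. The High and Critical bands are the ones from the thread;
# the Medium band (40-59) and the malformed-severity handling are assumptions.
CUSTOM_DETECTION = Rule(
    name="Custom Detection",
    default=Outcome("track", "Low"),  # reached only by well-formed severities 0-39
    exceptions=(
        # Listed first on purpose: an event whose severity is missing, non-numeric or
        # out of range would otherwise match no band and silently land in the Low tier.
        RuleException("malformed severity",
                      lambda e: numeric_severity(e) is None,
                      Outcome("investigate", "Medium")),
        RuleException("critical band", in_band(80, 101), Outcome("investigate", "Critical")),
        RuleException("high band", in_band(60, 80), Outcome("investigate", "High")),
        RuleException("medium band", in_band(40, 60), Outcome("investigate", "Medium")),
    ),
)


def triage(events: list) -> dict:
    """Map event id -> (action, priority) by running the single rule over every event."""
    results = {}
    for event in events:
        _, outcome, _ = CUSTOM_DETECTION.evaluate(event)
        results[event["id"]] = (outcome.action, outcome.priority)
    return results


if __name__ == "__main__":
    for event_id, (action, priority) in triage(SAMPLE_EVENTS).items():
        print(f"{event_id}: {action:11s} {priority}")
```

The boundary events (60, 79, 80, 100) are the ones worth checking when translating thresholds into a product’s exception syntax: half-open bands (`lo <= sev < hi`) guarantee that a severity can match exactly one band, and the order of the exceptions decides what happens to anything the bands do not cover.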
I’ve done this using exceptions (like David said) on my IDS alerts. One rule that caught the detections using a default severity, and then exceptions that changed the severity based on the snort rule or severity level in the log item.
I have an alert for hash reputation; my email has the log in it, so I can see the level.
From the email:
"hash_reputation": {
    "reputation": "Suspicious",
    "threat_level": "Moderate",
    "reliability": "Low",
    "first_analyzed_time": "2024-10-07T20:17:41.000Z",
    "engine_count": 38,
    "engine_match": 1,
    "engine_percent": 2.63,
    "classification": {
        "family_name": "Generic",
        "type": "Malware",
        "platform": "Win64"
    }
}