Creating an investigation rule

Create a rule that runs automatically on related threat investigation alerts in Case Management. During rule creation, you define the rule with a name and description and set the rule severity. Then you configure the rule by entering a STIX query or by converting Sigma code to STIX. Configuration includes running the query to see sample results. You can also add MITRE ATT&CK mappings to the rule, along with any notes that other users might need in order to understand the rule.

About this task

You must be an administrator to complete this task.

This rule runs as STIX only; Sigma code that you enter is converted to STIX. At any time during rule creation, you can save the rule as a draft before you save it as a rule.

Procedure

  1. On the report menu bar, click Create rule.
  2. In the Create rule window, click the Investigation tile.
  3. Define the rule.
    1. Enter a unique name and description.
    2. Set the severity for the created alerts. The default is High.
    3. Click Next.
  4. Configure the rule by using one of the following methods.
    Method: Convert code from Sigma
      1. Click Convert from Sigma.
      2. In the Code conversion from Sigma window, enter the Sigma code and click Convert.
      You can edit only the Sigma input. If you edit the generated STIX query directly, the two queries become out of sync and the Sigma input is lost.
    Method: Enter your query directly in the STIX field
      1. Enter your STIX query. Use square brackets to group your parameters together.
      2. Click Run query in Data Explorer, which opens Data Explorer in a separate browser tab.
      3. After you review the query in Data Explorer, close the browser tab and continue in Detection and Response Center.
    Method: Use the visual query builder for guidance
      1. Set the Visual switch to On.
      2. Click Start a query.
      3. Configure each condition set as needed by including the observable, operator, and value for each one.
      4. When you are finished configuring the query, click Run query in Data Explorer, which opens Data Explorer in a separate browser tab.
      5. After you review the query in Data Explorer, close the browser tab and continue in Detection and Response Center.
  5. Optional: In the Supplement step, add information about the rule.
    1. Set the Rule status. The default is Enabled.
      If you disable a rule, it isn't triggered from an event or alert, nor is it included in the MITRE ATT&CK heat map calculations.
    2. Click the edit icon to add MITRE ATT&CK mappings. For more information, see Customizing MITRE mappings in search-based or investigation rules.
    3. Add notes for the rule.
    4. Click Next.
  6. In the Review step, review rule details and then click Save.
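To show what the Convert from Sigma step produces and why the STIX field expects a square-bracketed observation expression, here is an added example that is not product code from Detection and Response Center: it converts a minimal, already-parsed Sigma detection block into one bracketed STIX pattern. The Sigma-field-to-STIX-path mapping (FIELD_MAP), the sigma_to_stix function and the sample detection block are assumptions constructed for this illustration, not the product's own conversion table.

```python
# Added example, not product code: a minimal Sigma-to-STIX conversion
# illustrating the Convert from Sigma step. The field mapping below is an
# assumption made for this example, not the product's own mapping table.
from typing import Dict, List

FIELD_MAP: Dict[str, str] = {  # assumed Sigma field -> STIX object path
    "Image": "process:binary_ref.name",
    "CommandLine": "process:command_line",
}

def _escape(value: str) -> str:
    """Escape backslashes and single quotes for a STIX string literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def _comparison(key: str, value: str) -> str:
    """Turn one Sigma 'Field|modifier: value' pair into a STIX comparison."""
    field, _, modifier = key.partition("|")
    path = FIELD_MAP[field]  # KeyError for a field with no STIX mapping
    v = _escape(value)
    if modifier == "":
        return f"{path} = '{v}'"
    if modifier == "contains":
        return f"{path} LIKE '%{v}%'"
    if modifier == "startswith":
        return f"{path} LIKE '{v}%'"
    if modifier == "endswith":
        return f"{path} LIKE '%{v}'"
    raise ValueError(f"unsupported Sigma modifier: {modifier}")

def sigma_to_stix(detection: dict) -> str:
    """Convert a Sigma detection block with one 'selection' and the condition
    'selection' into a single square-bracketed STIX observation expression.
    Keys are ANDed together; a list value becomes an OR group, as in Sigma."""
    if detection.get("condition") != "selection":
        raise ValueError("only 'condition: selection' is supported here")
    parts: List[str] = []
    for key, value in detection["selection"].items():
        values = value if isinstance(value, list) else [value]
        clause = " OR ".join(_comparison(key, v) for v in values)
        parts.append(f"({clause})" if len(values) > 1 else clause)
    return "[" + " AND ".join(parts) + "]"

# Constructed sample input: a Sigma detection block already parsed from YAML.
SAMPLE_DETECTION = {
    "selection": {
        "Image|endswith": "\\powershell.exe",
        "CommandLine|contains": ["-EncodedCommand", "-enc "],
    },
    "condition": "selection",
}
```

Calling sigma_to_stix(SAMPLE_DETECTION) returns the bracketed pattern that the STIX field expects; because the function is one-way, any edit made to its output is not reflected in the Sigma input, which is the out-of-sync situation the procedure warns about.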

What to do next

To investigate details for a specific rule, select the rule name to open the rule details page. The rule details page contains sections for common rule attributes, test definitions, and source-specific rule attributes, such as the author of a Sigma community rule.
  1. To run the query as is and return its matching events or alerts, or to run the STIX pattern of a Sigma community rule, click Run query in Data Explorer.
  2. To see more details about a Sigma community rule in GitHub, click Sigma community.