Creating IOA rules from queries

Expand all | Collapse all

You can create IOA rules based on the built queries.

To create an IOA rule:

1. In the main menu, go to MONITORING & REPORTING → THREAT HUNTING.
2. Enter a query in the query search box.
3. Click the Create IOA rule button under the search box.

   The New rule window opens.

4. Specify the following details:
   • Name

     The name of the rule that you specify when creating the rule. This is a mandatory field. The name appears in event details. You can use the name in queries for threat hunting.

   • State

     Use of the rule in events database scans:

     • Enabled (the rule is used).
     • Disabled (the rule is not used).
   • Severity

     An estimate of the probable impact of the event on assets of the organization as specified by the user when creating the rule:

     • Low
     • Medium
     • High
   • Confidence

     The level of confidence depending on the likelihood of false alarms as defined by the user when creating the rule:

     • Low
     • Medium
     • High
   • Action

     The action that is applied to the event which triggered the rule:

     • Mark event and create alert
     • Only mark event
   • Description

     Any details related to the rule as specified when creating the rule.

   • Recommendations

     Recommended actions as specified when creating the rule.

   • Possible false positives

     Description of possible false positives as specified when creating the rule.

   • Query

     Displays the query that is used in the rule. This is a mandatory field. You can click the Edit query button to change the search conditions. The query opens in the Threat hunting section.

5. Click the Create button.

An IOA rule with the searched conditions is created. You can check your IOA rules in the Custom rules section. If an IOA rule is triggered by an event, the name of the rule is displayed in the event details.