Detection & Response Rules
- 01 Sep 2023
- 1 Minute to read
- Contributors
- Print
- DarkLight
Detection & Response Rules
- Updated on 01 Sep 2023
- 1 Minute to read
- Contributors
- Print
- DarkLight
Article Summary
Share feedback
Thanks for sharing your feedback!
Format
Permissions
There are three "sub-categories" within detection and response rules contained in Hive.
dr-generalpertains to rules that your organization has created and/or controls.dr-managedpertains to rules that you can use for detection, however are managed or curated by another party (i.e. Soteria rules).dr-serviceis a protected namespace, and users will only ever have metadata permissions.
dr-general
dr.listdr.setdr.del
dr-managed
dr.list.manageddr.set.manageddr.del.managed
dr-service
dr.listordr.list.managed(metadata only)dr.setordr.set.managed(metadata only)
Command-Line Usage
usage: limacharlie hive [-h] [-k KEY] [-d DATA] [-pk PARTITIONKEY] [--etag ETAG] [--expiry EXPIRY] [--enabled ENABLED] [--tags TAGS] action hive_name
positional arguments:
action the action to take, one of: list, list_mtd, get, get_mtd, set, update, remove
hive_name the hive name
options:
-h, --help show this help message and exit
-k KEY, --key KEY the name of the key.
-d DATA, --data DATA file containing the JSON data for the record, or "-" for stdin.
-pk PARTITIONKEY, --partition-key PARTITIONKEY
the partition key to use instead of the default OID.
--etag ETAG the optional previous etag expected for transactions.
--expiry EXPIRY a millisecond epoch timestamp when the record should expire.
--enabled ENABLED whether the record is enabled or disabled.
--tags TAGS comma separated list of tags.
Usage
Example
{
"detect": {
"event": "WEL",
"op": "and",
"rules": [
{
"op": "is",
"path": "event/EVENT/System/Channel",
"value": "Microsoft-Windows-Windows Defender/Operational"
},
{
"op": "is",
"path": "event/EVENT/System/EventID",
"value": "1006"
}
]
},
"respond": [
{
"action": "report",
"name": "windows-defender-malware-detected"
}
]
}
Was this article helpful?