This documentation version is deprecated; a newer version of this page is available.
Format
Permissions
Detection and response rules stored in Hive fall into three sub-categories (hive names):

dr-general: rules that your organization has created and/or controls.
dr-managed: rules that you can use for detection but that are managed or curated by another party (e.g. Soteria rules).
dr-service: a protected namespace; users will only ever have metadata permissions on it.
Permissions required per hive name:

dr-general:  dr.list, dr.set, dr.del
dr-managed:  dr.list.managed, dr.set.managed, dr.del.managed
dr-service:  dr.list or dr.list.managed (metadata only); dr.set or dr.set.managed (metadata only)
Command-Line Usage
usage: limacharlie hive [-h] [-k KEY] [-d DATA] [-pk PARTITIONKEY] [--etag ETAG] [--expiry EXPIRY] [--enabled ENABLED] [--tags TAGS] action hive_name
positional arguments:
action the action to take, one of: list, list_mtd, get, get_mtd, set, update, remove
hive_name the hive name
options:
-h, --help show this help message and exit
-k KEY, --key KEY the name of the key.
-d DATA, --data DATA file containing the JSON data for the record, or "-" for stdin.
-pk PARTITIONKEY, --partition-key PARTITIONKEY
the partition key to use instead of the default OID.
--etag ETAG the optional previous etag expected for transactions.
--expiry EXPIRY a millisecond epoch timestamp when the record should expire.
--enabled ENABLED whether the record is enabled or disabled.
--tags TAGS comma separated list of tags.
Usage
Example
{
"detect": {
"event": "WEL",
"op": "and",
"rules": [
{
"op": "is",
"path": "event/EVENT/System/Channel",
"value": "Microsoft-Windows-Windows Defender/Operational"
},
{
"op": "is",
"path": "event/EVENT/System/EventID",
"value": "1006"
}
]
},
"respond": [
{
"action": "report",
"name": "windows-defender-malware-detected"
}
]
}
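As an added example (not code from the LimaCharlie documentation or SDK), the script below loads the rule record shown above, tests it against two constructed WEL events with a simplified evaluator that supports only the "is", "and" and "or" operators (this is a stand-in for illustration, not LimaCharlie's detection engine), and builds the `limacharlie hive set` command line from the flags documented in the usage text above. The comparison of EventID as a string, the event shapes, and the hive key name are assumptions.

```python
import json
from typing import Any, Optional

# The D&R rule record exactly as shown on the page.
RULE = {
    "detect": {
        "event": "WEL",
        "op": "and",
        "rules": [
            {"op": "is", "path": "event/EVENT/System/Channel",
             "value": "Microsoft-Windows-Windows Defender/Operational"},
            {"op": "is", "path": "event/EVENT/System/EventID", "value": "1006"},
        ],
    },
    "respond": [{"action": "report", "name": "windows-defender-malware-detected"}],
}

# Constructed sample events (assumed shape; not captured telemetry).
DEFENDER_MALWARE_EVENT = {
    "event": {"EVENT": {"System": {
        "Channel": "Microsoft-Windows-Windows Defender/Operational",
        "EventID": "1006",
    }}}
}
DEFENDER_OTHER_EVENT = {
    "event": {"EVENT": {"System": {
        "Channel": "Microsoft-Windows-Windows Defender/Operational",
        "EventID": "1013",
    }}}
}


def lookup(obj: Any, path: str) -> Optional[Any]:
    """Walk a slash-separated path through nested dicts; None if any step is missing."""
    cur = obj
    for part in path.split("/"):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(node: dict, event: dict) -> bool:
    """Simplified evaluator (assumption: 'is', 'and', 'or' only; values compared as strings)."""
    op = node["op"]
    if op == "is":
        actual = lookup(event, node["path"])
        return actual is not None and str(actual) == str(node["value"])
    if op == "and":
        return all(matches(r, event) for r in node["rules"])
    if op == "or":
        return any(matches(r, event) for r in node["rules"])
    raise ValueError(f"unsupported op: {op}")


def evaluate(rule: dict, event_type: str, event: dict) -> list:
    """Return the response actions that would fire for this event, or [] on no match."""
    detect = rule["detect"]
    if detect["event"] != event_type:      # rule only applies to its declared event type
        return []
    if not matches(detect, event):
        return []
    return rule["respond"]


def hive_set_command(hive_name: str, key: str, data_file: str,
                     enabled: bool = True, tags: Optional[list] = None) -> list:
    """Build argv for `limacharlie hive set` from the documented -k/-d/--enabled/--tags flags."""
    argv = ["limacharlie", "hive", "-k", key, "-d", data_file,
            "--enabled", "true" if enabled else "false"]
    if tags:
        argv += ["--tags", ",".join(tags)]
    argv += ["set", hive_name]
    return argv


if __name__ == "__main__":
    # Write the record to a file suitable for the -d flag (assumed key name).
    with open("rule.json", "w") as fh:
        json.dump(RULE, fh, indent=2)
    print(evaluate(RULE, "WEL", DEFENDER_MALWARE_EVENT))
    print(evaluate(RULE, "WEL", DEFENDER_OTHER_EVENT))
    print(" ".join(hive_set_command("dr-general", "windows-defender-malware-detected",
                                    "rule.json", tags=["defender"])))
```

Running the script writes the record to rule.json and prints the command you would run against the dr-general hive (which requires the dr.set permission from the table above); only the EventID 1006 event produces the report action.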