MENU
      Contents x
      Detection & Response Rules
      • 01 Sep 2023
      • 1 Minute to read
      • Print
      • Dark
      Contents
        This documentation version is deprecated, please click here for the latest version.

      Detection & Response Rules

      • Updated on 01 Sep 2023
      • 1 Minute to read
      • Print
      • Dark
      Article summary

      Format

      Permissions

      There are three "sub-categories" within detection and response rules contained in Hive.

      • dr-general pertains to rules that your organization has created and/or controls.
      • dr-managed pertains to rules that you can use for detection, however are managed or curated by another party (i.e. Soteria rules).
      • dr-service is a protected namespace, and users will only ever have metadata permissions.

      dr-general

      • dr.list
      • dr.set
      • dr.del

      dr-managed

      • dr.list.managed
      • dr.set.managed
      • dr.del.managed

      dr-service

      • dr.list or dr.list.managed (metadata only)
      • dr.set or dr.set.managed (metadata only)

      Command-Line Usage

      usage: limacharlie hive [-h] [-k KEY] [-d DATA] [-pk PARTITIONKEY] [--etag ETAG] [--expiry EXPIRY] [--enabled ENABLED] [--tags TAGS] action hive_name

positional arguments:
  action                the action to take, one of: list, list_mtd, get, get_mtd, set, update, remove
  hive_name             the hive name

options:
  -h, --help            show this help message and exit
  -k KEY, --key KEY     the name of the key.
  -d DATA, --data DATA  file containing the JSON data for the record, or "-" for stdin.
  -pk PARTITIONKEY, --partition-key PARTITIONKEY
                        the partition key to use instead of the default OID.
  --etag ETAG           the optional previous etag expected for transactions.
  --expiry EXPIRY       a millisecond epoch timestamp when the record should expire.
  --enabled ENABLED     whether the record is enabled or disabled.
  --tags TAGS           comma separated list of tags.
      Plain text

      Usage

      Example

      {
  "detect": {
    "event": "WEL",
    "op": "and",
    "rules": [
      {
        "op": "is",
        "path": "event/EVENT/System/Channel",
        "value": "Microsoft-Windows-Windows Defender/Operational"
      },
      {
        "op": "is",
        "path": "event/EVENT/System/EventID",
        "value": "1006"
      }
    ]
  },
  "respond": [
    {
      "action": "report",
      "name": "windows-defender-malware-detected"
    }
  ]
}
      JSON
      Was this article helpful?
      What's Next