Custom Alert Rules
Custom alert rules may be used to create alerts from normalized events in Secureworks® Taegis™ XDR.
Tip
The Secureworks Professional Services team is here to help you realize the full potential of your Taegis XDR investment if a higher level of support is desired. Our highly skilled consultants can help you deploy faster, optimize quicker, and accelerate your time to value. For more information, see Professional Services Overview.
Custom Alert Rule Manager
- From the Taegis Menu, select Alerts → Rules. The Rules table displays.
- Select the Custom Rules tab above the Rules table. The table displays all of the current custom rules.
Create a Custom Rule
Tip
Use Advanced Search first to build the query syntax that targets the desired events, then paste it into the Rule Criteria field.
Custom Rules use a different regex engine than Advanced Search. Some patterns that work in Advanced Search are not supported in Custom Rules, including backreferences and conditional patterns.
- From the right corner above the Rules table, select the Create Rule button. The Create Custom Rule panel displays.
- Enter an Advanced Search query into the Rule Criteria field.
  - Regular expressions are supported within the limitations of the high-performance regex engine. See the FAQ "What are the regex limitations of Custom Rules?" for more information.
  - IPv4 CIDR notation is supported on IP fields with the operators `=` and `matches`.
  - Glob patterns are not supported.
  - Custom Rules run queries against streaming data, and Primitive Fields do not automatically receive default values. This differs from data stored in the Taegis data lake and queried by Advanced Search. In Custom Rules, use the NULL operators to check whether these Primitive Fields are set.
  Note
  The following characters have special meaning within regular expressions: `. ^ $ * + - ? ( ) [ ] { } \ | /`. For IP addresses, domain names, and similar values, escape each of these characters with a backslash, for example `1\.1\.1\.1`. An unescaped `.` matches any character, so `1.1.1.1` would also match `1x1y1z1`.
  To escape a long sequence that contains many special characters, enclose the whole string between `\Q` and `\E` so that it is not evaluated for regex characters. For example, quoting this full string:
  `\Q${jndi:ldap://log4shell-smb-21yg3cbuy21gbcy21gc321uc${lower:ten}.w.nessus.org/nessus}\E`
  is equivalent to:
  `\$\{jndi:ldap:\/\/log4shell\-smb\-21yg3cbuy21gbcy21gc321uc\$\{lower:ten\}\.w\.nessus\.org\/nessus\}`
- Add a Name, Mitre Attack Categories, and Description to the rule. These are used for the generated alert.
- Select the desired severity for generated alerts.
- Select Create Rule.
How to View Custom Alerts
Alerts generated by custom rules are displayed in the XDR Alert Triage Dashboard Alerts by Detector widget under the detector name Custom Alerts.
Tip
Not seeing matching alerts? Make sure you have the correct severity level selected at the top of the Alerts Triage Dashboard.
Remove Custom Alerts from Alert Triage Dashboard
You can remove custom alerts from the Alert Triage Dashboard view by selecting Include Options above the Alert Triage Dashboard and toggling the Custom Alerts option.
View Custom Rule Details and History
Select a rule name from the Custom Rules table to view its details and history.
The Detail tab of the custom rule contains overview information for the rule, including the criteria the rule matches on. If the rule has matched and created alerts in the last seven days, the following are displayed:
- Number of hits in the last seven days
- Last hit date
- Line graph visualizing the number of hits over time
If there has been no activity in the last seven days, this section is not displayed.
The History tab of the custom rule contains a changelog of edits to the rule. Choose an audit log from the list on the left to view the diff in the right pane.
Archive and Restore a Custom Rule
When viewing a custom rule, you can archive the rule by selecting Archive and confirming the action. This disables the rule, marks it as archived, and removes it from the default view of the Custom Rules table.
To view archived rules, select the Showing Archived Rules toggle above the Custom Rules table.
When viewing an archived custom rule, you can restore the rule by selecting Restore and confirming the action. This restores the rule in a disabled state and returns it to the default view of the Custom Rules table. Select the toggle to enable the rule.
FAQ
How are custom rules supported in Taegis MDR?
You can create custom rules using the Custom Rules feature within XDR; these generate alerts when the criteria you define are matched. This feature gives your security team the flexibility to create rules specific to your environment and further customize your internal capabilities. Because these rules can vary greatly from customer to customer, our analysts are unable to monitor your custom rules. Therefore, if you implement custom rules, you must have internal resources and processes to manage the corresponding alerts.
Can I use logical data types, such as domain, IP address, etc., in alert rules?
Yes, use logical data types to help match against data types represented across multiple fields in the schema. The only caveat is that rules can only match against a single schema type, but the logical data type will expand to the fields available within the individual schema.
Example Rule Criteria: `from auth where @user='gcostanza' and win_event_id='4624'`
How do I audit rule changes?
Actions in the rules manager are viewable under Tenant Settings → Audit Logs. Audit logs will have the category of Rules.
Additionally, a changelog of edits to the rule is available from the rule itself. See View Custom Rule Details and History.
Who can create rules?
At this time, any role can create alert rules. This will change with forthcoming Role-Based Access Control.
Are all schema fields available for custom alerts?
Most event fields are available, except for the following, which are added to the event after the alert engine has processed it.
For the schemas auth, netflow, and dns_query, the following objects and fields are not available for custom alert rules to match:
- dest_ipgeo_summary
- src_ipgeo_summary
- src_ipblacklist_hits
- dest_ipblacklist_hits
For all schemas, the following field is not available for custom alert rules to match:
- hostname
For the schema dns_query, the following object is not available for custom alert rules to match:
- whois
Are custom rules limited in how many alerts they can create?
Yes; custom rules that exceed 5,000 alerts in an hour or 100,000 alerts in 24 hours are disabled by the circuit breaker. Either tighten the rule criteria to reduce the number of alerts it generates, or pivot the rule to a Custom Report.
Note
The circuit breaker will email the rule author informing them if the rule has been disabled due to exceeding the limits.
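Before enabling a rule, it is worth estimating whether it would trip the breaker. The following added example (not Secureworks code) takes a list of epoch-second timestamps, such as the hit times of an Advanced Search run over the same criteria, and reports the peak count in any one-hour and any 24-hour window against the limits quoted above. The page does not say whether the breaker counts over rolling windows or fixed clock hours; rolling windows are assumed here because they give the more conservative answer, and the sample timestamps are constructed.

```python
HOURLY_LIMIT = 5_000    # alerts per hour, from the FAQ
DAILY_LIMIT = 100_000   # alerts per 24 hours, from the FAQ


def peak_in_window(times, window_seconds):
    """Largest number of events in any half-open window [t, t + window_seconds).

    `times` are epoch seconds in any order. Two pointers over the sorted list
    make this O(n log n), which is fine for a week of Advanced Search hits.
    """
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window_seconds:
            start += 1  # drop events that fell out of the window ending at t
        best = max(best, end - start + 1)
    return best


def breaker_report(times):
    """Peak hourly and daily counts, and whether either documented limit is exceeded."""
    hourly = peak_in_window(times, 3600)
    daily = peak_in_window(times, 86400)
    return {
        "peak_per_hour": hourly,
        "peak_per_day": daily,
        "would_trip": hourly > HOURLY_LIMIT or daily > DAILY_LIMIT,
    }


def constructed_sample():
    """Constructed data (assumption): 40 steady hits an hour for three days,
    plus a 10-minute burst of 6,000 hits, as a scanner sweep might produce."""
    base = 1_700_000_000
    steady = [base + h * 3600 + m * 90 for h in range(72) for m in range(40)]
    burst = [base + 30 * 3600 + s // 10 for s in range(6_000)]
    return steady + burst


if __name__ == "__main__":
    report = breaker_report(constructed_sample())
    print(report)  # the burst alone pushes the hourly peak past 5,000
```

A rule that averages well under the limits can still be disabled by one burst, so the per-hour peak is the number to watch; a rule whose peak sits close to it is a candidate for a Custom Report rather than an alert.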
What are the regex limitations of Custom Rules?
The following regex constructs are not supported by Custom Rules:
- Backreferences and capturing sub-expressions
- Arbitrary zero-width assertions
- Subroutine references and recursive patterns
- Conditional patterns
- Backtracking control verbs
- The \C "single-byte" directive (which breaks UTF-8 sequences)
- The \R newline match
- The \K start of match reset directive
- Callouts and embedded code
- Atomic grouping and possessive quantifiers
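A pattern that relies on one of these constructs is rejected or behaves differently once it leaves Advanced Search, so it pays to screen rule regexes before saving them. The following added example (not Secureworks code, and not the grammar of the Custom Rules engine itself) is a heuristic linter that walks a pattern, skips escape pairs, character classes and `\Q...\E` spans, and reports the constructs from the list above. The token spellings it looks for are the usual PCRE ones; treat a hit as "review this", not as a verdict from the engine.

```python
import re

# Backtracking control verbs from the FAQ list, matched right after "(".
VERB_RE = re.compile(r"\*(ACCEPT|FAIL|F|COMMIT|PRUNE|SKIP|THEN)\b")
# (?1) (?+1) (?-1): numbered subroutine calls.
NUMBERED_CALL_RE = re.compile(r"\?[+-]?\d+\)")
# Text immediately after "(" that identifies an unsupported group type.
GROUP_PREFIXES = [
    ("?P=", "backreference"),
    ("?P>", "subroutine reference"),
    ("?&", "subroutine reference"),
    ("?R)", "recursive pattern"),
    ("?(", "conditional pattern"),
    ("?<=", "zero-width assertion (lookbehind)"),
    ("?<!", "zero-width assertion (lookbehind)"),
    ("?=", "zero-width assertion (lookahead)"),
    ("?!", "zero-width assertion (lookahead)"),
    ("?>", "atomic group"),
    ("?C", "callout"),
]
ESCAPE_LABELS = {
    "C": r"\C single-byte directive",
    "R": r"\R newline match",
    "K": r"\K match reset",
}


def lint_custom_rule_regex(pattern: str) -> list:
    """Return [(offset, label), ...] for constructs the FAQ lists as unsupported.

    Escape pairs, character classes and \\Q...\\E literal spans are skipped so
    that a "(" or "\\1" inside them is not reported. Heuristic pre-check only.
    """
    findings = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:
            nxt = pattern[i + 1]
            if nxt == "Q":                          # literal span: skip to \E
                end = pattern.find(r"\E", i + 2)
                i = n if end == -1 else end + 2
                continue
            if nxt in "123456789gk":                # \1..\9, \g{n}, \k<name>
                findings.append((i, "backreference"))
            elif nxt in ESCAPE_LABELS:
                findings.append((i, ESCAPE_LABELS[nxt]))
            i += 2
            continue
        if c == "[":                                # skip a character class
            j = i + 1
            if j < n and pattern[j] == "^":
                j += 1
            if j < n and pattern[j] == "]":         # a leading "]" is literal
                j += 1
            while j < n and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            i = j + 1
            continue
        if c == "(":
            rest = pattern[i + 1:]
            verb = VERB_RE.match(rest)
            if verb:
                findings.append((i, "backtracking control verb (*%s)" % verb.group(1)))
            elif NUMBERED_CALL_RE.match(rest):
                findings.append((i, "subroutine reference"))
            else:
                for prefix, label in GROUP_PREFIXES:
                    if rest.startswith(prefix):
                        findings.append((i, label))
                        break
                else:
                    named = rest.startswith("?P<") or (
                        rest.startswith("?<") and rest[2:3] not in ("=", "!"))
                    if named or not rest.startswith("?"):
                        findings.append((i, "capturing group (use (?:...) to group)"))
            # step over "(?" / "(*" as a unit so "?" is not re-read as a quantifier
            i += 2 if rest[:1] in ("?", "*") else 1
            continue
        if c in "*+?}" and i + 1 < n and pattern[i + 1] == "+":
            findings.append((i, "possessive quantifier"))
            i += 2
            continue
        i += 1
    return findings


if __name__ == "__main__":
    # Constructed patterns (assumptions): the first is portable, the rest are not.
    for p in (r"user=(?:gcostanza|jkramer)\s", r"(\w+)\s+\1", r"foo(?=bar)", r"a++b"):
        print(p, "->", lint_custom_rule_regex(p) or "ok")
```

The usual fixes follow from the labels: replace a backreference with an explicit repeat of the literal, turn a lookahead into an ordinary sequence or split the rule into two, and drop the `+` from possessive quantifiers, which only exist to prevent backtracking the streaming engine does not do anyway.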