Create a Custom Detection Rule - Tutorial
This tutorial contains step-by-step examples of how to create a custom detection rule.
Example 1: Microsoft Office process spawns a shell process
Scenario: You want the Cybereason platform to trigger a MalOp when a Microsoft Office process spawns a shell process. This behavior may indicate a stage of a phishing attack. To design a rule that detects this behavior:
In the Custom detection rules section of the Security profile screen, click Create new rule. The Create custom detection rules screen appears.
In the Configure rule type section, specify the following:
In the Build a rule canvas, select the Process Element.
Hover over the Process Element to reveal the Add filters link.
Click the link and add the following filter:
Add the Children Element to the rule. To do this, click the plus sign next to the Process Element, and then select Children.
Add the following filter to the Children Element:
Click Save rule to save and enable the rule.
The next time the Cybereason platform encounters a shell process with a Microsoft Office parent process, the platform will trigger a MalOp.
Example 2: Trigger a MalOp for PowerShell attacks that are not running through PowerShell
Scenario: You want to trigger a MalOp when the platform encounters PowerShell processes that are not running through PowerShell. This behavior may indicate that an attacker is trying to evade security tools. To detect this behavior, create a rule that fires when the term ‘PowerShell’ appears in the command line but the process that runs is not actually a PowerShell process. You can determine whether the process is a PowerShell process by looking at its Image file, which is the file on disk that the process executes from. To build the rule:
On the Security profile screen, click Create new rule in the Custom detection rules section.
In the Configure rule type section, specify the following:
Rule name: Suspicious PS Process
Detection type: Custom rule
Detected activity: Infection
Root cause element: Self
Description: PowerShell in the command line but image file is not PowerShell.
In the Build a rule canvas, select the Process Element.
Hover over the Process Element to reveal the Add filters link.
Click the link and add the following filter:
Clear command line contains PowerShell
Add the Image file Element to the rule. To do this, click the plus sign next to the Process Element, and then select Image file.
Add the following filter to the Image file Element:
Name is not PowerShell
The Build a rule canvas should look like the following:
Click Save rule to save and enable the rule.
The next time the Cybereason platform encounters PowerShell in the command line but not in the image file, the platform will trigger a MalOp.
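The logic behind both tutorial rules, replayed over constructed process records as an added example (this is not Cybereason platform code; the record layout, the lists of Office and shell image names, and the case-insensitive matching are assumptions made here to illustrate the Process, Children and Image file filters):

```python
"""Replay of the two tutorial rules over constructed process telemetry."""
from dataclasses import dataclass
from typing import Optional

# Assumed image-file names; the tutorial does not list which binaries count.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class Process:
    pid: int
    image_name: str                   # Image file > Name: the on-disk file backing the process
    command_line: str                 # Process > Command line
    parent_pid: Optional[int] = None  # link used for the Process > Children relation


def rule_office_spawns_shell(procs: dict) -> list:
    """Example 1: a shell process whose parent is a Microsoft Office process."""
    hits = []
    for p in procs.values():
        parent = procs.get(p.parent_pid)
        if (parent is not None
                and parent.image_name.lower() in OFFICE_IMAGES
                and p.image_name.lower() in SHELL_IMAGES):
            hits.append(p.pid)
    return hits


def rule_suspicious_ps_process(procs: dict) -> list:
    """Example 2: 'PowerShell' in the command line, but the image file is not PowerShell.

    Matching is case-insensitive here (an assumption); the tutorial's filters are
    'command line contains PowerShell' and image file 'Name is not PowerShell'.
    """
    hits = []
    for p in procs.values():
        mentions_ps = "powershell" in p.command_line.lower()
        image_is_ps = p.image_name.lower() in POWERSHELL_IMAGES
        if mentions_ps and not image_is_ps:
            hits.append(p.pid)
    return hits


# Constructed telemetry: a Word document, Word spawning cmd.exe, genuine PowerShell,
# a benign service, and a non-PowerShell image carrying a PowerShell command line.
SAMPLE = {
    100: Process(100, "explorer.exe", "explorer.exe"),
    200: Process(200, "WINWORD.EXE", '"WINWORD.EXE" /n report.docx', parent_pid=100),
    201: Process(201, "cmd.exe", "cmd.exe /c dir", parent_pid=200),
    300: Process(300, "powershell.exe", "powershell.exe -NoProfile -File audit.ps1", parent_pid=100),
    301: Process(301, "svchost.exe", "svchost.exe -k netsvcs", parent_pid=100),
    302: Process(302, "updater.exe", "powershell -NoProfile -File maint.ps1", parent_pid=100),
}
```

Running both rules over SAMPLE flags pid 201 for Example 1 and pid 302 for Example 2, while the genuine powershell.exe (pid 300) passes the second rule because its image file is PowerShell.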