Create a Custom Detection Rule - Tutorial

This tutorial contains step-by-step examples of how to create a custom detection rule.

Example 1: Microsoft Office process spawns a shell process

Scenario: You want the Cybereason platform to trigger a MalOp when a Microsoft Office process spawns a shell process. This behavior may indicate a stage of a phishing attack. To design a rule that detects this behavior:

  1. In the Custom detection rules section of the Security profile screen, click Create new rule. The Create custom detection rules screen appears.

  2. In the Configure rule type section, specify the following:

    1. Rule name: Office spawned shell process

    2. Detection type: Custom rule

    3. Detected activity: Infection

    4. Root cause element: Self

    5. Description: Microsoft Office process with Shell child

    [Screenshot: Custom Rules Office Configuration]

  3. In the Build a rule canvas, select the Process Element.

  4. Hover over the Process Element to reveal the Add filters link.

  5. Click the link and add the following filter:

    Product type is Microsoft Office

    [Screenshot: Custom Rules Office Example]

  6. Add the Children Element to the rule. To do this, click the plus sign next to the Process Element, and then select Children.

  7. Add the following filter to the Children Element:

    Product type is Shell

    The Build a rule canvas should look like the following:

    [Screenshot: Custom Rules Office Example]

  8. Click Save rule to save and enable the rule.

The next time the Cybereason platform encounters a shell process with a Microsoft Office parent process, the platform will trigger a MalOp.

Example 2: Trigger a MalOp for PowerShell attacks that are not running through PowerShell

Scenario: You want to trigger a MalOp when the platform encounters PowerShell processes that are not running through PowerShell. This behavior may indicate that an attacker is trying to evade security tools. To detect this behavior, you’ll want to create a rule that detects when the term ‘PowerShell’ appears in the command line, but the process that runs is not actually a PowerShell process. You can determine whether the process is a PowerShell process by looking at the process’s Image file, which is the file on disk that executes the process. To build the rule:

  1. On the Security profile screen, click Create new rule in the Custom detection rules section.

  2. In the Configure rule type section, specify the following:

    1. Rule name: Suspicious PS Process

    2. Detection type: Custom rule

    3. Detected activity: Infection

    4. Root cause element: Self

    5. Description: PowerShell in the command line but image file is not PowerShell.

    [Screenshot: Custom Rules PS Example]

  3. In the Build a rule canvas, select the Process Element.

  4. Hover over the Process Element to reveal the Add filters link.

  5. Click the link and add the following filter:

    Clear command line contains PowerShell

    [Screenshot: Custom Rules PS Example]

  6. Add the Image file Element to the rule. To do this, click the plus sign next to the Process Element, and then select Image file.

  7. Add the following filter to the Image file Element:

    Name is not PowerShell

    The Build a rule canvas should look like the following:

    [Screenshot: Custom Rules PS Example]

  8. Click Save rule to save and enable the rule.

The next time the Cybereason platform encounters a process with PowerShell in its command line but an image file that is not PowerShell, the platform will trigger a MalOp.
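To make the matching logic of both rules concrete, here is an added Python example (not Cybereason code, and not how the platform evaluates rules internally) that applies the same two conditions, "Microsoft Office parent with a Shell child" from Example 1 and "PowerShell in the command line but the image file is not PowerShell" from Example 2, to a small constructed process tree. The record layout (pid, parent pid, image file, product type, command line) is an assumption made for illustration, and the sample processes are constructed, not real telemetry.

```python
"""Added example: re-implementing the two tutorial rules over sample process
records. This is illustration code, not the Cybereason rule engine; the record
fields and product-type strings are assumptions for the example."""

from dataclasses import dataclass
from os.path import basename, splitext
from typing import List, Optional


@dataclass
class Process:
    pid: int
    parent_pid: Optional[int]
    image_file: str       # file on disk that executes the process
    product_type: str     # assumed category, e.g. "Microsoft Office", "Shell"
    command_line: str


# Constructed sample process tree (not real telemetry).
PROCESSES = [
    Process(100, None, "WINWORD.EXE", "Microsoft Office",
            r"WINWORD.EXE /n C:\Users\alice\report.docx"),
    Process(101, 100, "cmd.exe", "Shell", "cmd.exe /c whoami"),
    Process(102, 100, "splwow64.exe", "Windows", "splwow64.exe 12288"),
    Process(200, None, "explorer.exe", "Windows", "explorer.exe"),
    Process(201, 200, "powershell.exe", "Shell",
            r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
    Process(202, 200, "updater.exe", "Unknown",
            r"C:\Tools\updater.exe --runner PowerShell"),
    # PowerShell 7 installs under a path that contains the word "PowerShell",
    # but its image file is pwsh.exe, so the Example 2 filter treats it as
    # "not PowerShell" and fires.
    Process(203, 200, "pwsh.exe", "Shell",
            r'"C:\Program Files\PowerShell\7\pwsh.exe" -File C:\scripts\report.ps1'),
]


def office_spawned_shell(processes: List[Process]) -> List[int]:
    """Example 1: Process (Product type is Microsoft Office)
       -> Children (Product type is Shell). Returns matching child pids."""
    by_pid = {p.pid: p for p in processes}
    hits = []
    for child in processes:
        parent = by_pid.get(child.parent_pid) if child.parent_pid is not None else None
        if (parent is not None
                and parent.product_type == "Microsoft Office"
                and child.product_type == "Shell"):
            hits.append(child.pid)
    return hits


def suspicious_ps_process(processes: List[Process]) -> List[int]:
    """Example 2: Process (Clear command line contains PowerShell)
       -> Image file (Name is not PowerShell). Returns matching pids.
       Matching is case-insensitive; the image name is compared without
       its extension so powershell.exe counts as PowerShell."""
    hits = []
    for p in processes:
        image_name = splitext(basename(p.image_file))[0].lower()
        if "powershell" in p.command_line.lower() and image_name != "powershell":
            hits.append(p.pid)
    return hits


if __name__ == "__main__":
    print("Office spawned shell:", office_spawned_shell(PROCESSES))   # [101]
    print("Suspicious PS process:", suspicious_ps_process(PROCESSES))  # [202, 203]
```

Running it shows pid 101 (cmd.exe under WINWORD.EXE) as the only Example 1 match; splwow64.exe under Word does not match because its product type is not Shell. For Example 2, pid 201 (powershell.exe itself) is correctly excluded, pid 202 matches because a non-PowerShell image carries the word in its command line, and pid 203 (pwsh.exe) also matches solely because its default install path contains "PowerShell". That last case is the kind of benign hit to keep in mind when tuning the rule after it is saved, for example by reviewing the MalOps it produces for legitimate PowerShell 7 usage in your environment.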