Custom Alert Rules

Custom alert rules may be used to create alerts from normalized events in Secureworks® Taegis™ XDR.

Tip

If you want a higher level of support, the Secureworks Professional Services team can help you realize the full potential of your Taegis XDR investment. Our consultants can help you deploy faster, optimize sooner, and accelerate your time to value. For more information, see Professional Services Overview.

Custom Alert Rule Manager

  1. From the XDR left-hand navigation, select Tenant Settings → Rules. The Rules table displays.
  2. Select the Custom Rules tab from the Rules table. The table displays all of the current custom rules.

Create a Custom Rule

  1. From the upper-right corner above the Rules table, select Create Rule. The Create Custom Rule panel displays.

Tip

You can use Advanced Search to help create the rule syntax that goes into the Rule Criteria field.

Note

The following characters have special meaning within regular expressions: . ^ $ * + - ? ( ) [ ] { } \ | /. When matching IP addresses, domain names, and other literal strings, escape each of these characters with a backslash, for example 1\.1\.1\.1 (an unescaped . matches any single character, so the pattern 1.1.1.1 would also match 1a1b1c1).

To escape a long string that contains many of these characters, enclose the whole string between \Q and \E so that nothing inside it is interpreted as a regex metacharacter. For example, this quoted string:

\Q${jndi:ldap://log4shell-smb-21yg3cbuy21gbcy21gc321uc${lower:ten}.w.nessus.org/nessus}\E

is equivalent to:

\$\{jndi:ldap:\/\/log4shell\-smb\-21yg3cbuy21gbcy21gc321uc\$\{lower:ten\}\.w\.nessus\.org\/nessus\}

  2. Add a Name and Description to the rule. These are used for the generated alert’s name and description.
  3. Select the desired severity for created alerts.
  4. Select Create Rule.

How to View Custom Alerts

Alerts generated by custom rules are displayed in the XDR Alert Triage Dashboard Alerts by Detector widget under the detector name My Alerts.

Note

This detector will be renamed to Custom Alerts in the future.

Tip

Not seeing matching alerts? Make sure you have the correct severity level selected at the top of the Alerts Triage Dashboard.

Remove Custom Alerts from Alert Triage Dashboard

You can remove custom alerts from the Alert Triage Dashboard view by selecting Include Options above the Alert Triage Dashboard and toggling the Custom Alerts option.

View Custom Rule Details and History

Select a rule name from the Custom Rules table to view its details and history.

The Detail tab of the custom rule contains overview information for the rule with the criteria the rule matches on. If the rule has matched on and created alerts in the last seven days, the following display:

If there has been no activity in the last seven days, this section does not display.

The History tab of the custom rule contains a changelog of edits to the rule. Choose an audit log from the list on the left to view the diff in the right pane.

Archive and Restore a Custom Rule

When viewing a custom rule, you can archive the rule by selecting Archive and confirming the action. This disables the rule, marks it as archived, and removes it from the default view of the Custom Rules table.

To view archived rules, select the Showing Archived Rules toggle above the Custom Rules table.

When viewing an archived custom rule, you can restore the rule by selecting Restore and confirming the action. This returns the rule to the default view of the Custom Rules table, still in a disabled state; select the rule's enable toggle to start generating alerts from it again.

FAQ

How are custom rules supported in ManagedXDR?

You can create custom rules with the Custom Rules feature in XDR that alert you when the criteria you define are matched. This gives your security team the flexibility to write rules specific to your environment and to extend your internal detection capabilities. Because these rules vary greatly from customer to customer, Secureworks analysts do not monitor your custom rules. If you implement custom rules, you must have internal resources and processes to triage the corresponding alerts.

Can I use logical data types, such as domain, IP address, etc., in alert rules?

Yes. Logical data types match against a data type that is represented across multiple fields in the schema. The only caveat is that a rule can match against only a single schema type; the logical data type expands to whichever fields carry that type within the selected schema.

Example Rule Criteria: from auth where @user='gcostanza' and win_event_id='4624'

How do I audit rule changes?

Actions in the rules manager are viewable under Tenant Settings → Audit Logs. Audit logs will have the category of Rules.

Additionally, a changelog of edits to the rule is available from the rule itself. See View Custom Rule Details and History.

Who can create rules?

At this time, any role can create alert rules. This will change with forthcoming Role-Based Access Control.

Are all schema fields available for custom alerts?

Most fields are available. The exceptions are the fields listed below, which are added to the event only after the alert engine has processed it, so custom rules cannot match on them.

For schemas auth, netflow, and dns_query, the following objects and fields are not available for custom alert rules to match:

For schema dns_query, the following object is not available for custom alert rules to match:

 
