Rule-Based Alert Details

Rule-based detection detects anomalies by observing events in the system and applying a set of rules that lead to a decision.

Certain Stellar Cyber alert types are based on specific rules. This topic describes information relating to rule-based alert types as well as some differences between rule-based and built-in alert types.

Rule-Based Alerts Kill Chain Mapping

Rule-based alerts carry general kill chain mapping information such as Stage, Tactic, and Technique.

Depending on what the rule detects, each rule can have a different Stage, Tactic, and Technique.

Getting Rule-Based Alerts Details

In the Actions column of the table, click the i (More Info) icon to display details on an individual rule-based alert.

To get the Knowledge Base description for an individual rule-based alert, in the Key Fields tab, click the Stellar Rule ID link, for example, windows_security_154.

For links to the Knowledge Base description for all rule-based alert types, see Rule-Based Alert Types.

Rule-Based Alerts in Queries

By default, all rule matching in queries is case-sensitive. The exception to this is Suspicious Process Creation Commandline (currently Windows only). For example:

  • Suspicious PowerShell Script: Use case-sensitive matching.

    Use the exact matching query string. For example, if get is expected, Stellar Cyber will not trigger an alert for Get or GET.

  • Suspicious Process Creation Commandline: Use case-insensitive matching.
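The following is an added example, not Stellar Cyber's own code, that illustrates the matching convention described above: the same rule pattern is applied case-sensitively for a Suspicious PowerShell Script rule and case-insensitively for a Suspicious Process Creation Commandline rule. The rule IDs, patterns and events are constructed for illustration.

```python
# Added example (not Stellar Cyber code): shows how the case-sensitivity
# convention changes which events a rule matches. Rule IDs, patterns and
# events are constructed for illustration.
from dataclasses import dataclass

# Alert types whose rules match case-insensitively; all others are case-sensitive.
CASE_INSENSITIVE_TYPES = {"Suspicious Process Creation Commandline"}


@dataclass(frozen=True)
class Rule:
    rule_id: str      # hypothetical IDs in the style of windows_security_154
    alert_type: str
    field: str        # event field the rule inspects
    pattern: str      # substring the rule looks for


def rule_matches(rule: Rule, event: dict) -> bool:
    """Apply one rule to one event under the alert type's case convention."""
    value = event.get(rule.field, "")
    if rule.alert_type in CASE_INSENSITIVE_TYPES:
        return rule.pattern.lower() in value.lower()
    return rule.pattern in value  # exact (case-sensitive) substring match


def evaluate(rules, events):
    """Return the (rule_id, event id) pairs that would raise an alert."""
    return [(r.rule_id, e["id"]) for e in events for r in rules if rule_matches(r, e)]


# Constructed rules: one per matching convention.
RULES = [
    Rule("powershell_script_001", "Suspicious PowerShell Script", "ScriptBlockText", "get"),
    Rule("process_creation_001", "Suspicious Process Creation Commandline", "CommandLine", "rundll32"),
]

# Constructed events: the same text in lower, capitalised and upper case.
EVENTS = [
    {"id": 1, "ScriptBlockText": "get-content C:\\temp\\notes.txt"},
    {"id": 2, "ScriptBlockText": "Get-Content C:\\temp\\notes.txt"},
    {"id": 3, "ScriptBlockText": "GET-CONTENT C:\\temp\\notes.txt"},
    {"id": 4, "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": 5, "CommandLine": "RunDll32.exe shell32.dll,Control_RunDLL"},
    {"id": 6, "CommandLine": "RUNDLL32.EXE shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for hit in evaluate(RULES, EVENTS):
        print(hit)  # only event 1 fires the PowerShell rule; events 4-6 all fire the commandline rule
```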

Windows Rule-Based Alerts

Windows rule-based alerts require the updated Windows Detection Profile (Low Volume) in the sensor profile settings.

Metadata for Rule-Based Alerts

For alert types from rule-based detection, the Rules tab displays the rule's metadata.

The Rules tab displays metadata about the rule itself, such as the name of the rule, description, status, rule ID, and other fields. It also displays the rule configuration in YAML format, which you can download.

Maturity Status

In the YAML shown in the Rules tab, there is a maturity status, for example, maturity: test. Stellar Cyber passes through whatever status a rule carries from Sigma or another open source rule source. It also develops rules internally.

The following are the maturity statuses for both Sigma and non-Sigma rules:

  • Production—for rules that are reliable in a production environment

  • Stable—for rules that have had one year of use

  • Test—for rules that have had months of use

  • Experimental—for new rules

The status of a rule may be updated in the future based on observations made.

Number of Rule-Based Alerts

The number of rule-based alerts of each type is as follows:

Rule-Based Alert Types            # of Rules
PowerShell Script                 133
Process Creation Commandline      230
Process Creation Parent/Child     67
AWS                               95
Windows, including:               149
  • Identity and Threat Detection Rules (ITDR) (4)
  • Windows Security (119)
  • Process Creation Image (26)
Total                             674

For links to the Knowledge Base description for all rule-based alert types, see Rule-Based Alert Types.