Triage rules
The Triage Rules view is the landing page for the Detections tab. Use this view to review and respond to the detections each rule has triggered.
To view the Triage Rules page:
- Go to Detections > Triage Rules. The Triage Rules page opens.
- (Optional) Filter the rules on the page.
| Filter | Description |
|---|---|
| Search | Enter the technique ID, technique name or technique description. Rules are filtered by prefix match on the technique ID: entering T1234 also returns its sub-techniques T1234.001, T1234.002, T1234.003, and so on. |
| Severity | Select High (H), Medium (M), or Low (L). |
| Additional Filters | Click the filter icon to view the additional filters listed below. |

| Filter | Description |
|---|---|
| Category | Filter the rules by category. See Rule Categories. |
| Created By | Filter by the account that created the rule. |
| Technique | Filter by the technique used for the detection. |
| Confidence | Select High (H), Medium (M), or Low (L). |
| Detection Status | Select All, Active or Idle. Active: the rule has at least one Active (not Muted) detection. Idle: the rule has zero Active (not Muted) detections. |
| Muted | Select Unmuted or Muted. See Muting rules. |
| Disabled | Select Enabled or Disabled. See Disabling rules. |
| Order By | Order the rules by Impacted Devices, Muted Devices, Severity, Confidence, Category, or Last Seen. |
- Click a rule to open the Details page. The following information is displayed:
Category
The attack category.
First Seen
The UTC date and time the first event associated with the detection occurred.
Last Seen
The UTC date and time the last known event tied to the rule was observed.
Rule Updated
The UTC date and time the rule was modified.
Resolution Method
Automatic: The detection will be resolved if events containing the same host and sensor ID are not observed for the specified time period.
Manual: The detection will remain active until an analyst resolves the detection.
MITRE ATT&CK
The MITRE ATT&CK ID.
Primary Technique
The primary attack name and ID.
Specificity
Behaviors
The behavior coverage.
Description
A description of the detection. You can use this description to search for detections. See Search for detections with the rule description.
Next Steps
Recommendations to resolve the detection.
Show Matching Events
Click to view the Entity Lookup.
Author
The rule author.
Impacted Device Field
The fields used to generate the detection. The internal IP address in the src.ip or dst.ip fields is the default.
Indicator Fields
The indicators the rule uses to generate the detection. This information is useful for identifying related activity and tracking indicators over time.
Rules can define up to five fields to extract indicators from, and each detection can store up to five unique indicators for each indicator field.
Impacted Devices
The active detections for the rule. All Active detections are displayed by default. You can create a filter to view Muted or Resolved detections. See Impacted Devices.
You can use this tab to resolve detections or to search for a device by IP.
Signature
This tab displays the IQL signature defined for the rule. You can use a query string to create a custom rule. See Adding custom filters to a rule signature.
Events
This tab displays all of the events that have matched the rule's signature.
Left-click an entity to open the Entity Panel.
Right-click a field to open its menu (for example, Search Events, Targeted Search and Copy to Clipboard).
Hover over a column header to lock, sort or arrange the columns.
These events are duplicates of the original matching event. When an event matches a rule's signature, a copy is created and added to the rule's list of Latest Events so the event remains associated with the rule.
This list can display up to the last 1000 matching events. Events can remain in the list indefinitely if the rule rarely fires.
Indicators
This tab displays the field values extracted from a detection's event(s) as defined by the detection rule.
This information is useful for identifying related activity and tracking indicators over time. Rules can define up to five fields to extract indicators from, and each detection can store up to five unique indicators for each indicator field.
Detections Graph
The Detections Graph plots a rule's detection volume over time.
If a posture-related rule fires constantly, the graph will help show whether the issue is improving or worsening over time.
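The Resolution Method, Indicator Fields and Detection Status behaviour described above, modelled as an added example (not the product's own code): events are grouped into detections per host and sensor, each detection keeps at most five unique indicators per indicator field, automatic resolution fires once a host/sensor pair has been quiet for the idle period, and a rule is Active while it has an unmuted, unresolved detection. The dictionary keys, the 24-hour idle period and the sample events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

MAX_INDICATOR_FIELDS = 5      # a rule can define up to five indicator fields
MAX_INDICATORS_PER_FIELD = 5  # a detection keeps up to five unique values per field

# Constructed rule; key names and the 24h idle period are assumptions, not the product's schema.
RULE = {"indicator_fields": ["dst.ip", "dns.query"],
        "resolution": "automatic", "idle_timeout": timedelta(hours=24)}
BASE = datetime(2024, 1, 1, 12, 0)

def detection_key(event):
    return (event["src.ip"], event["sensor_id"])  # per impacted host (src.ip default) and sensor

def apply_event(detections, rule, event):
    """Attach an event to its detection and capture indicators under the per-field cap."""
    fields = rule["indicator_fields"][:MAX_INDICATOR_FIELDS]
    det = detections.setdefault(detection_key(event), {
        "last_seen": event["ts"], "muted": False, "resolved": False,
        "indicators": {f: [] for f in fields}})
    det["last_seen"] = max(det["last_seen"], event["ts"])
    for field, values in det["indicators"].items():
        value = event.get(field)
        if value is not None and value not in values and len(values) < MAX_INDICATORS_PER_FIELD:
            values.append(value)
    return det

def auto_resolve(detections, rule, now):
    """Automatic resolution: resolve detections whose host+sensor pair has been quiet for the timeout."""
    if rule["resolution"] != "automatic":
        return []  # Manual: the detection stays active until an analyst resolves it
    due = [k for k, d in detections.items()
           if not d["resolved"] and now - d["last_seen"] >= rule["idle_timeout"]]
    for key in due:
        detections[key]["resolved"] = True
    return due

def rule_status(detections):
    """Active: at least one unmuted, unresolved detection. Idle: none."""
    return "Active" if any(not d["muted"] and not d["resolved"] for d in detections.values()) else "Idle"

def run_sample():
    """Constructed events: one host with many dst.ip values, a second host on another sensor."""
    events = [{"ts": BASE, "src.ip": "10.0.0.5", "sensor_id": "s1", "dst.ip": "203.0.113.9", "dns.query": "a.example"},
              {"ts": BASE + timedelta(minutes=5), "src.ip": "10.0.0.5", "sensor_id": "s1", "dns.query": "b.example"},
              {"ts": BASE + timedelta(hours=1), "src.ip": "10.0.0.7", "sensor_id": "s2", "dst.ip": "198.51.100.4"}]
    for i in range(7):  # seven more unique destinations push 10.0.0.5 past the five-value cap
        events.append({"ts": BASE + timedelta(minutes=10 + i), "src.ip": "10.0.0.5", "sensor_id": "s1", "dst.ip": f"203.0.113.{10 + i}"})
    detections = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        apply_event(detections, RULE, event)
    return detections
```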
Search for detections with the rule description
You can use the text of the rule description to search for detections. Copy and paste the description text into the Global Search field and press Enter. Matching results are highlighted in the Rule Description column of the Detections section of the results.
Impacted Devices
| Column | Description |
|---|---|
| Device IP | The device IP address. |
| DHCP Hostname | The DHCP lease hostname. |
| Username | The device username. |
| Hostname | The device hostname. |
| MAC Address | The device MAC address. |
| Lifetime Events | The number of events over the device lifetime. Click the link to drill down to the earliest events. |
| Indicators | The number of indicators of compromise. Click the link to view the indicators associated with the device IP. |
| First Seen | The date the event was first seen. |
| Last Seen | The date the event was last seen. |
| Created | The date the event was created. |
| Updated | The date the event was updated. |
| Sensor ID | The sensor ID. Hover over the ID to view the sensor information and annotations. Tags associated with the sensor are displayed within the column. Click the ID to open the Sensor Details page. |
| Account | The account the device belongs to. |
| Status | The detection status (Active, Muted or Resolved). See Detections. |
| Muted by | The user who muted the rule. |
| Date Muted | The date the rule was muted. |
| Resolved by | The user who resolved the detection. |
| Resolution | The resolution description. |
| Date Resolved | The date the detection was resolved. |