Triage rules
The Triage Rules view is the landing page for the Detections tab. Use this view to review and respond to detections triggered by the rule.
To view the Triage Rules page:
- Go to Detections > Triage Rules. The Detections > Rules page opens.
- (Optional) Filter the rules on the page.
Search Enter the technique ID, technique name or technique description.
Rules are filtered based on the prefix matching the selected technique ID. IfTechnique T1234 is entered, the rules returned include its sub-techniques T1234.001, T1234.002, T1234.003, etc.
Severity Select High (H), Medium (M), or Low (L).
Additional Filters Click the filter icon to view additional filters.
Filter
Description
Category Filter the rules by category. See, Rule Categories. Created By Filter by the account that created the rule. Technique Filter by the technique used for the detection. Confidence Select High (H), Medium (M), or Low (L).
Detection Status Select All, Active or Idle.
Active Rule has at least one Active (not Muted) detection. Idle Rule has zero Active (not Muted) detections. Muted Select Unmuted or Muted. See, Muting rules. Disabled Select Enabled or Disabled. See, Disabling rules. Order By Order the rules by Impacted Devices, Muted Devices, Severity, Confidence, Category, or Last Seen. - Click a rule to open the Details page. The following information is displayed:
Category
The attack category.
First Seen
The UTC date and time the first event associated with the detection occurred.
Last Seen
The UTC date and time of the last known event tied to the rule was observed.
Rule Updated
The UTC date and time the rule was modified.
Resolution Method
Automatic: The detection will be resolved if events containing the same host and sensor ID are not observed for the specified time period.
Manual: The detection will remain active until an analyst resolves the detection.
MITRE ATT&CK
The MITRE ATT&CK ID.
Primary Technique
The primary attack name and ID.
Specificity
Behaviors
The behavior coverage.
Description A description of the detection. Next Steps Recommendations to resolve the detection. Show Matching Events Click to view the Entity Lookup. Author The rule author. Impacted Device Field The fields used to generate the detection. The internal IP address in the src.ip
ordst.ip
fields is the default.Indicator Fields The indicators the rule uses to generate the detection.
This information is useful for identifying related activity and tracking indicators over time.
Rules can define up to five fields to extract indicators from, and each detection can store up to five unique indicators for each indicator field.
Impacted devices The active detections for the rule. All Active dectections are displayed by default. You can create a filter to view Muted or Resolved detections.
You can use this tab to resolve detections or to search for a device by IP.
Signature This tab displays the IQL signature defined for the rule.You can use a query string to create a custom rule. See, Adding custom filters to a rule signature.
Events This tab displays all of the events that have matched the rule's signature.
Left-click on an entity to open the Entity Panel.
Right-click a field to open its menu (for example, Search Events, Targeted Search and Copy to Clipboard).
Hover a column header to lock, sort or arrange the columns.
These events are duplicates of the original matching event. When an event matches a rule's signature, a copy is created and added to the rule's list of Latest Events so the event remains associated with the rule.
This list can display up to the last 1000 matching events. Events could remain in the list in perpetuity if the rule rarely fires.
Indicators This tab displays the field value extracted from a detection's event(s) as defined by the detection rule.
This information is useful for identifying related activity and tracking indicators over time. Rules can define up to five fields to extract indicators from and each detection can store up to five unique indicators for each indicator field.
Detections Graph The Detections Graph plots a rule's detection volume over time.
If a posture-related rule fires constantly, the graph will help show whether the issue is improving or worsening over time.