Formatting/Conventions

Naming Conventions

  • When naming a rule used for a specific sender, begin the rule with that sender's name

    • ex. Office365 rules should begin with O365

  • Use underscores to separate words (no spaces)

    • ex. O365_Successful_Logins

Formatting rules (capitals, camelCase, etc)

  • Rule attribute names should be written using camelCase

    • ex. An attribute called "login type" should be written as "LoginType"

  • Attributes can be referenced in behavior rule descriptions

    • ex. An attribute called "Country" can be referenced using {{ .Country }}

  • Entity Table translation can be used in behavior rule descriptions

    • ex. If you would like to use the description translation for the entity table below, use

    {{ entityLookup "AD_EventID" .EventID "Description" }}
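As an added example (not code from this conventions page or from the platform it describes), the following Go program renders a rule description using both template forms shown above. It assumes descriptions follow Go text/template semantics and that entityLookup takes (table, key, column); the entity table rows and the attribute values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// entityTables is a constructed stand-in for the platform's entity tables:
// table name -> key -> column -> value (assumed layout).
var entityTables = map[string]map[string]map[string]string{
	"AD_EventID": {
		"4624": {"Description": "An account was successfully logged on"},
		"4625": {"Description": "An account failed to log on"},
	},
}

// entityLookup backs {{ entityLookup "Table" .Key "Column" }} in descriptions.
// Assumed signature. A missing row or column renders as a visible marker rather
// than an empty string, so an analyst can spot an untranslated value in the alert.
func entityLookup(table, key, column string) string {
	if row, ok := entityTables[table][key]; ok {
		if v, ok := row[column]; ok {
			return v
		}
	}
	return fmt.Sprintf("<no %s translation for %s=%s>", table, column, key)
}

// RenderDescription fills a rule description template with the alert's attributes.
// missingkey=error makes a reference to an attribute the rule does not emit fail
// at render time instead of silently printing "<no value>".
func RenderDescription(tmpl string, attrs map[string]string) (string, error) {
	t, err := template.New("desc").
		Funcs(template.FuncMap{"entityLookup": entityLookup}).
		Option("missingkey=error").
		Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, attrs); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	desc := `AD logon event {{ .EventID }} ({{ entityLookup "AD_EventID" .EventID "Description" }}) ` +
		`from {{ .Country }}. Validate the source host and the account involved.`
	out, err := RenderDescription(desc, map[string]string{"EventID": "4624", "Country": "US"})
	fmt.Println(out, err)
}
```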

Writing a description

When writing a description for a rule, be sure that it is thorough. A good description should state the reason the rule triggers and what an analyst needs to look for in order to validate the alert.

Rule Prefixes

Sender               Prefix
Active Directory     AD
Amazon AWS           AWS
CarbonBlack          CB
Cisco AMP            AMP
Crowdstrike Falcon   Falcon
GSuites              GSuites
Network              Flow
Office365            O365
SentinelOne          SentinelOne