Create and manage detection rules and exclusions

If you want to clone and modify an existing detection rule, or create your own custom rule, first review the related topics and the sample detection rule to understand the format and options for CAE rules. Then do the following:
  1. In the management console, on the menu, click Focus > Configurations, then click the Rules tab.
    You can sort and filter the available detection rules and view information for each rule.
  2. Do any of the following:

    Export a rule to a .json file

    You can export detection rules from any of the following rule categories: Custom, Endpoint Defense Experimental, Endpoint Defense Exclusion, Endpoint Defense macOS Official, Endpoint Defense Windows Official.

    Click the Export icon for the rule.

    Import a custom detection rule from a .json file

    1. Click Import Rule.
    2. Browse to and select, or drag and drop, the .json file, then click Import.
    3. Change the rule configuration and syntax as required.
    4. Click Validate.
    5. Click Publish.

    To edit a custom rule after it has been published, click the icon for the rule.

    Clone and modify a detection rule

    You can clone detection rules from any of the following rule categories: Custom, Endpoint Defense Experimental, Endpoint Defense Exclusion, Endpoint Defense macOS Official, Endpoint Defense Windows Official.

    1. Click the Clone icon for the rule.
    2. Change the rule configuration and syntax as required. Review a cloned exclusion rule with particular care: an exclusion that matches more broadly than you intended suppresses detections silently.
    3. Click Validate.
    4. Click Publish.

    Delete a custom rule

    You can delete rules from the Custom category only.

    1. Click the Delete icon for the rule.
    2. Click Confirm Delete.
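When you export a rule, modify the .json file locally, and import it again (or compare a cloned rule against the rule it came from), it helps to see exactly which fields changed before you click Validate and Publish. The following Python script is an added example, not part of this page or of the product's own tooling. It assumes only that exported rules are JSON documents, as the .json extension indicates; the field names in its sample data (Name, Severity, Conditions, and so on) are constructed for illustration and are not the CAE rule schema.

```python
"""Compare an exported detection rule .json against a locally modified copy.

Added example, not the product's own tooling. Assumes only that exported rules
are JSON objects; the sample field names below are constructed, not the CAE
rule schema.
"""
from __future__ import annotations

import json
from typing import Any, Iterator

# Constructed sample: the "exported" rule as it came out of the console.
ORIGINAL_RULE = """
{
  "Name": "Suspicious Script Host",
  "Description": "Script host launched by a word processor",
  "Enabled": true,
  "Severity": "Medium",
  "Conditions": [
    {"Field": "ParentProcessName", "Operator": "Equals", "Value": "winword.exe"},
    {"Field": "ProcessName", "Operator": "Equals", "Value": "wscript.exe"}
  ]
}
"""

# Constructed sample: the same rule after local editing, ready to import.
MODIFIED_RULE = """
{
  "Name": "Suspicious Script Host (custom)",
  "Description": "Script host launched by a word processor",
  "Enabled": true,
  "Severity": "High",
  "Conditions": [
    {"Field": "ParentProcessName", "Operator": "Equals", "Value": "winword.exe"},
    {"Field": "ProcessName", "Operator": "In", "Value": ["wscript.exe", "cscript.exe"]}
  ]
}
"""


def walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json-path, value) for every leaf in a JSON document.

    Empty containers are reported as leaves so that an emptied list or
    object still shows up as a change.
    """
    if isinstance(node, dict) and node:
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list) and node:
        for idx, value in enumerate(node):
            yield from walk(value, f"{path}[{idx}]")
    else:
        yield path, node


def load_rule(text: str) -> dict:
    """Parse a rule file; malformed JSON raises ValueError before any import."""
    rule = json.loads(text)
    if not isinstance(rule, dict):
        raise ValueError("rule file must contain a single JSON object")
    return rule


def diff_rules(original_text: str, modified_text: str) -> dict[str, dict]:
    """Return {json-path: change} for every leaf that was added, removed or changed."""
    before = dict(walk(load_rule(original_text)))
    after = dict(walk(load_rule(modified_text)))
    changes: dict[str, dict] = {}
    for path in sorted(before.keys() | after.keys()):
        if path not in after:
            changes[path] = {"removed": before[path]}
        elif path not in before:
            changes[path] = {"added": after[path]}
        elif before[path] != after[path]:
            changes[path] = {"from": before[path], "to": after[path]}
    return changes


if __name__ == "__main__":
    # Review the change set before importing the modified file.
    for path, change in diff_rules(ORIGINAL_RULE, MODIFIED_RULE).items():
        print(f"{path}: {change}")
```

Run it with the original export and your edited copy substituted for the two sample strings; anything in the output that you did not intend to change is a reason to fix the file before importing it. The diff is purely structural and says nothing about whether the rule is valid for the engine, which is what the console's Validate step is for.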