Sample detection rule
See the following topics to understand the format and options for CAE rules. Note that in this sample the Paths section references the state names NewSuspiciousFile and CertUtilDecode while the States array defines only TestFile, so the state names must be made consistent before the rule is used:
JSON
{
"States": [
{
"Name": "TestFile",
"Scope": "Global",
"Function": "(a)",
"FieldOperators": {
"a": {
"Type": "Contains",
"Operands": [
{
"Source": "TargetFile",
"Data": "Path"
},
{
"Source": "Literal",
"Data": "my_test_file"
}
],
"OperandType": "String"
}
},
"ActivationTimeLimit": "-0:00:00.001",
"Actions": [
{
"Type": "AOI",
"ItemName": "InstigatingProcess",
"Position": "PostActivation"
},
{
"Type": "AOI",
"ItemName": "TargetProcess",
"Position": "PostActivation"
},
{
"Type": "AOI",
"ItemName": "TargetFile",
"Position": "PostActivation"
}
],
"HarvestContributingEvent": true,
"Filters": [
{
"Type": "Event",
"Data": {
"Category": "File",
"SubCategory": "",
"Type": "Create"
}
}
]
}
],
"Paths": [
{
"StateNames": [
"NewSuspiciousFile",
"CertUtilDecode"
]
}
],
"Tags": [
"CylanceOPTICS"
]
}
To review another example of a custom detection rule, see KB 42221117838235.