Importing custom rules

The Behavioral Detection Engine (BDE) supports importing custom detection rules authored by your organization in JSON (.json) format. In the Endpoint Defense console, you import custom detection rules into custom rule groups from the Aurora Focus > Behavioral Detection Engine > Custom Rules tab.
Note: Do not import the non-custom (built-in) legacy detection rules from the Aurora Focus > Configurations > Rules tab as custom rules for the Behavioral Detection Engine. The rules included with the Behavioral Detection Engine are intended to replace those legacy rules and provide broader coverage and higher detection efficacy. Only rules listed with the category "Custom" on that tab are candidates for import.

Before you import a custom detection rule, create a custom rule group. The group you create appears as a card on the Custom Rules screen.

Use these steps to export your custom rules from the legacy Rules screen in the Endpoint Defense console, create a custom rule group, and then import the exported rules into that group:

  1. Navigate to Aurora Focus > Configurations > Rules.
  2. Beside the custom rule that you want to export, click Export and save the .json file that contains the rule conditions. Custom rules are listed with "Custom" in the Category column.

    Screenshot of exporting legacy rule sets from legacy Rules screen.

  3. Navigate to Aurora Focus > Behavioral Detection Engine > Custom Rules.
  4. In the Custom Rules tab, click Add and create a new custom rule group.
  5. Click the custom rule group, and then on the right side, click Add > Import custom rules and select the .json file that you exported.

    Screenshot of the Import Custom Rules dialog

  6. Review the imported rule conditions, verify that the target custom rule group is the one you intend, and then click Validate. After validation, click Add to complete the import.

    Screenshot of the BDE validation screen

  7. On the Behavioral Detection Engine screen, open the BDE policy and click the Detection And Response tab, where you enable alerts, observations, and automated responses for your custom rules. When you edit a BDE policy, the imported custom rule group appears as a new card under the Custom rules section at the bottom of the Detection And Response tab.

    Screenshot of the Custom Rules section in the Detection and Response tab